Turning the login procedure for IBM Connections on its head
   

In the latter part of last year I was involved in installing IBM Connections at a customer site for initially 20.000 users and then, if all went well, for the full 70.000 users. The challenges in evangelizing the solution and getting people to use it are for another blog post, but the project is interesting from other perspectives as well.

Firstly they wanted to change the layout of IBM Connections and add their own colors etc., which wasn't a biggie. Next they wanted to change certain core words within IBM Connections. In Danish the word for "Communities" is "Fællesskaber" but they wanted it to be "Grupper". Changing that throughout IBM Connections was a hassle and we have to migrate these changes by hand when we upgrade to version 3, but it was possible, which is the good story here. The last one was the biggest requirement and the requirement that took the most work to satisfy. They wanted to turn the entire login process for IBM Connections on its head.

So what do I mean by that?

By default IBM Connections works by you importing all valid users into the Profiles database using TDI or a handcrafted tool and then hooking WebSphere Application Server up to LDAP. They didn't want that, and the users actually didn't exist in an LDAP directory but instead in another (Domino based) member database.

They had a number of requirements:

  1. IBM Connections should work with their existing single-sign-on (SSO) solution which supported a number of different login methods incl. two-factor and digital certificates.
  2. Before being granted access to IBM Connections the user should accept an End User License Agreement (EULA) and if not the user should be denied access to IBM Connections.
  3. Users weren't allowed to be available in IBM Connections before opting in to using it by accepting the EULA, i.e. they didn't want users in the Profiles database before they had accepted the EULA.

The access procedure they wanted may be illustrated as below.


[Diagram: the requested access procedure]

So what does an IBM Business Partner do? Say "Sorry that isn't possible" and "That's really not the way that IBM Connections works"? Well, of course not, because it was and is possible due to IBM Connections being built on top of WebSphere Application Server, which is an open and highly extensible platform.

The key piece of the puzzle is a piece of technology called a Trust Association Interceptor - or TAI for short. A TAI is a way to change the way WebSphere handles authentication, and it is how WebSphere normally integrates with reverse proxies such as WebSEAL.

A TAI is a Java class written to a specification (interface) from IBM and is very easy to write. The functionality may of course be complex, but the way you integrate with WebSphere Application Server isn't. Once the TAI was written and installed into WebSphere Application Server the customer now has an access procedure like this:

  1. User tries to access IBM Connections.
  2. If the user isn't logged in using the 3rd party SSO solution the user is sent to the login screen (1 in the diagram above).
  3. If the user is logged in (and tokens are still valid) an EULA check is performed to verify that the latest EULA has been agreed to.
  4. If not, the user is sent to the EULA system (2 in the diagram above) to accept the EULA, instructing the EULA system to return the user to IBM Connections afterwards.
  5. If the user did accept the latest EULA we check to see if the user is available in IBM Connections.
  6. If the user isn't in Profiles yet the user is sent to the Populator system (3 in the diagram above) that handles collecting user information and populating Profiles. Once completed the user is returned to WebSphere Application Server.
  7. If the user is in Profiles already the user is granted access to IBM Connections (bottom on the diagram).

It sounds complex but it's done in less than 500 lines of code incl. comments and documentation. That isn't too bad, is it? What's really cool is that it allows for some very exciting ways to integrate IBM Connections into existing environments.
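
The routing decision in steps 1-7, as an added sketch that is not the customer's TAI or an IBM API: the class, method and parameter names and all URLs are assumptions. In a real TAI this logic would sit behind `negotiateValidateandEstablishTrust`; the sketch also checks the return URL handed to the external systems against the Connections host, so the hand-off cannot be turned into an open redirect.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/** Added sketch of the seven-step routing; every name and URL here is hypothetical. */
public class LoginRouting {
    // Constructed placeholder endpoints, not taken from the original post.
    static final String CONNECTIONS_HOST = "connections.example.com";
    static final String SSO_LOGIN = "https://sso.example.com/login";
    static final String EULA_SYSTEM = "https://eula.example.com/accept";
    static final String POPULATOR = "https://populator.example.com/start";

    /** Either access is granted to a principal, or the browser is redirected to a URL. */
    record Decision(boolean granted, String principalOrUrl) {}

    /** Accept only https URLs on the Connections host; anything else falls back to its root. */
    static String safeReturn(String requested) {
        String fallback = "https://" + CONNECTIONS_HOST + "/";
        try {
            URI u = new URI(requested);
            boolean ok = "https".equalsIgnoreCase(u.getScheme())
                    && CONNECTIONS_HOST.equalsIgnoreCase(u.getHost())
                    && u.getUserInfo() == null;
            return ok ? u.toString() : fallback;
        } catch (Exception e) { // malformed or null URL
            return fallback;
        }
    }

    /** The "return" query parameter is an assumed convention for the external systems. */
    static String withReturn(String base, String requested) {
        return base + "?return=" + URLEncoder.encode(safeReturn(requested), StandardCharsets.UTF_8);
    }

    /** Checks run in the order of the post; access is granted only after all three pass. */
    static Decision route(String ssoUser, boolean eulaAccepted, boolean inProfiles, String requested) {
        if (ssoUser == null || ssoUser.isEmpty()) return new Decision(false, withReturn(SSO_LOGIN, requested));
        if (!eulaAccepted) return new Decision(false, withReturn(EULA_SYSTEM, requested));
        if (!inProfiles) return new Decision(false, withReturn(POPULATOR, requested));
        return new Decision(true, ssoUser);
    }

    public static void main(String[] args) {
        String url = "https://connections.example.com/profiles/"; // constructed sample request
        System.out.println(route(null, false, false, url));       // step 2: to SSO login
        System.out.println(route("jdoe", false, false, "https://unrelated.example.net/")); // step 4, return URL replaced
        System.out.println(route("jdoe", true, false, url));      // step 6: to Populator
        System.out.println(route("jdoe", true, true, url));       // step 7: access granted
    }
}
```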

I'll post more about TAIs over the next few days about how you write them and more about the technical underpinnings. Stay tuned.



---------------------
http://lekkimworld.com/2011/06/07/turning_the_login_procedure_for_ibm_connections_on_its_head.html
Jun 07, 2011