Active Directory Single Sign-On with IBM
Active Directory Single Sign-On
Worldwide Business Partner Technical Enablement 2016
Van Staub – North America Embedded Solution Agreement Technical Sales
Agenda
• review in a practical format configuring Active Directory and Active Directory Federation Services
• configure SAML with WebSphere
• discuss SAML with Connections Cloud
• list notable resources at the end
Installing and Configuring Active Directory
• the “directory” used to perform authentication with IBM software (e.g. WebSphere Portal)
• provides a variety of authentication mechanisms almost out of the box – namely SAML, SPNEGO, and LDAP
• very easy to get started
Active Directory Federation Services 2.0
• supports SAML authentication with “relying parties”
• SAML is a protocol that specifies the identity of a user in an encrypted format
• identity of the user is provided using a “claim” (e.g. sAMAccountName or email address)
SAML Flow (diagram)
Installing and Configuring ADFS 2.0
• install the ADFS 2.0 software
• configure the first federation server
• manually add the SSL certificate to IIS if one is not listed as available to use (I re-used a certificate; you can create a self-signed one if needed)
• verify the SSL certificate you imported is also set as the Token-Signing certificate
• also make sure it’s the primary certificate
manually importing the SSL certificate into IIS
Manually set the Token-Signing Certificate
Configuring WebSphere for SAML
• ensure that security is enabled and working with Active Directory
• install the SAML ACS enterprise application
• configure the SAML TAI to work with the ADFS IdP
• steps create a global configuration
• steps are shown manually for clarity
• simply deploys the SAML ACS enterprise application
• can also be done manually
• Using WAS Console go to Security -> Global Security -> Web and SIP security -> Trust Association
• Uncheck Enable trust association
• Click Interceptors
• com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
• add settings seen in screenshot
• Using WAS Console go to Security -> Global Security -> Custom Properties
• add settings seen in screenshot
• Using WAS Console go to Security -> SSL Certificate and Key Management -> Key stores and Certificates
• either NodeDefaultTrustStore or CellDefaultTrustStore
• Add SSL certificate (public key) manually or retrieve from port (i.e. from the IIS server)
the Token-Signer certificate specified earlier
certificate alias you just added to the TrustStore
• Using WAS Console go to Security -> Federated Repositories -> Configure
• Click Trusted authentication realms - inbound
• add external realm settings seen in screenshot
Federation Server identifier seen earlier
• Using WAS Console go to Security -> Global Security -> Web and SIP security -> Trust Association
• Check Enable trust association
Creating the Partnership
• SAML 2.0 metadata XML can be exported from WebSphere and imported into ADFS
• use AdminTask.exportSAMLSpMetadata('-spMetadataFileName <SpMetaDataFile> -ssoId 1')
sso_1.sp.acsURL
use defaults on next screens
Finished Partnership (Relying Party Trust)
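Two checks worth running before the partnership goes live, as an added Python example that is not part of this deck: that the certificate imported into NodeDefaultTrustStore really is the ADFS token-signing certificate (compared by SHA-1 fingerprint, which is what both the ADFS console and the WAS console display), and that the exported SP metadata advertises an HTTPS ACS URL (the sso_1.sp.acsURL value). The metadata fragments and the certificate bytes are constructed placeholders; against a real deployment you would read the ADFS FederationMetadata.xml and the file written by exportSAMLSpMetadata instead.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for the DER-encoded token-signing certificate.
FAKE_SIGNER_DER = b"PLACEHOLDER-ADFS-TOKEN-SIGNING-CERT"
FAKE_SIGNER_SHA1 = hashlib.sha1(FAKE_SIGNER_DER).hexdigest()

# Constructed ADFS IdP metadata fragment (not real ADFS output).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(FAKE_SIGNER_DER).decode()

# Constructed WebSphere SP metadata fragment, shaped like exportSAMLSpMetadata output.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://was.example.test/samlsps/acs">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://was.example.test/samlsps/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def normalize_digest(digest: str) -> str:
    """Accept ADFS-style (no colons, upper case) or WAS-console-style (colon-separated) SHA-1 hex."""
    return digest.replace(":", "").replace(" ", "").lower()

def idp_signing_fingerprints(metadata_xml: str) -> list[str]:
    """SHA-1 fingerprints of every signing certificate the IdP metadata publishes."""
    fps = []
    for kd in ET.fromstring(metadata_xml).findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fps.append(hashlib.sha1(base64.b64decode("".join(cert.text.split()))).hexdigest())
    return fps

def trust_store_covers_signer(metadata_xml: str, trust_store_digests: list[str]) -> bool:
    """True when an IdP signing cert matches a certificate imported into the WAS trust store."""
    imported = {normalize_digest(d) for d in trust_store_digests}
    return any(fp in imported for fp in idp_signing_fingerprints(metadata_xml))

def non_https_acs_urls(sp_metadata_xml: str) -> list[str]:
    """ACS locations (the sso_1.sp.acsURL value) to which ADFS would post assertions in clear text."""
    acs = ET.fromstring(sp_metadata_xml).findall(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return [a.get("Location") for a in acs if not a.get("Location", "").startswith("https://")]
```

A fingerprint mismatch here is the usual reason the SAML TAI rejects an otherwise valid ADFS response, so it is worth checking before enabling trust association.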
Resources
Understanding the WebSphere Application Server SAML Trust Association Interceptor
http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansche.html
Step by step guide to implement SAML 2.0 for Portal 8.5
https://developer.ibm.com/digexp/docs/docs/customization-administration/step-step-guide-implement-saml-2-0-portal-8-5/
Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI)
https://www.ibm.com/developerworks/community/blogs/8f2bc166-3bdc-4a9d-bad4-3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_SAML_TAI?lang=en
Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication
https://www-10.lotus.com/ldd/portalwiki.nsf/dx/Step-by-Step_guide_to_Configure_Single_sign-on_for_HTTP_requests_using_SPNEGO_web_authentication
AD + SAML + Kerberos + IBM Notes and Domino = SSO!
http://www.andypedisich.com/blogs/andysblog.nsf/dx/robs-saml-presentation-from-mwlug-has-been-posted.htm
BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014)
http://www.idonotes.com/IdoNotes/IdoConnect2013.nsf/dx/bp104-simplifying-the-ss-single-sign-on-spnego-and-saml-2014.htm
Thank You