Active Directory Single Sign-On with IBM

Active Directory Single Sign-On
Worldwide Business Partner Technical Enablement 2016
Van Staub – North America Embedded Solution Agreement Technical Sales

Transcript of Active Directory Single Sign-On with IBM

Page 1: Active Directory Single Sign-On with IBM


Page 2: Active Directory Single Sign-On with IBM

Agenda

• review in a practical format configuring Active Directory and Active Directory Federation Services

• configure SAML with WebSphere

• discuss SAML with Connections Cloud

• list notable resources at the end

Page 3: Active Directory Single Sign-On with IBM

Installing and Configuring Active Directory

• the “directory” used to perform authentication with IBM software (e.g. WebSphere Portal)

• provides a variety of authentication mechanisms almost out of the box – namely SAML, SPNEGO, and LDAP

• very easy to get started

Page 4: Active Directory Single Sign-On with IBM
Page 5: Active Directory Single Sign-On with IBM
Page 6: Active Directory Single Sign-On with IBM
Page 7: Active Directory Single Sign-On with IBM
Page 8: Active Directory Single Sign-On with IBM
Page 9: Active Directory Single Sign-On with IBM
Page 10: Active Directory Single Sign-On with IBM

Active Directory Federation Services 2.0

• supports SAML authentication with “relying parties”

• SAML is a protocol that specifies the identity of a user in an encrypted format

• identity of the user is provided using a “claim” (e.g. sAMAccountName or email address)

Page 11: Active Directory Single Sign-On with IBM

SAML Flow diagram (XML)

Page 12: Active Directory Single Sign-On with IBM

Installing and Configuring ADFS 2.0

• install the ADFS 2.0 software

• configure the first federation server

• manually add the SSL certificate to IIS if one is not listed as available to use (I re-used a certificate; you can create a self-signed if needed)

• verify the SSL certificate you imported is also set as the Token-Signing certificate

• also make sure it’s the primary certificate

Page 13: Active Directory Single Sign-On with IBM
Page 14: Active Directory Single Sign-On with IBM
Page 15: Active Directory Single Sign-On with IBM

manually importing the SSL certificate into IIS

Page 16: Active Directory Single Sign-On with IBM
Page 17: Active Directory Single Sign-On with IBM

Manually set the Token-Signing

Certificate

Page 18: Active Directory Single Sign-On with IBM

Configuring WebSphere for SAML

• ensure that security is enabled and working with Active Directory

• install the SAML ACS enterprise application

• configure the SAML TAI to work with the ADFS IdP

• steps create a global configuration

• steps are shown manually for clarity

Page 19: Active Directory Single Sign-On with IBM

• simply deploys the SAML ACS enterprise application

• can also be done manually

Page 20: Active Directory Single Sign-On with IBM

• Using WAS Console go to Security -> Global Security -> Web and SIP security -> Trust Association

• Uncheck Enable trust association

Page 21: Active Directory Single Sign-On with IBM

• Click Interceptors

• com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor

• add settings seen in screenshot

Page 22: Active Directory Single Sign-On with IBM

• Using WAS Console go to Security -> Global Security -> Custom Properties

• add settings seen in screenshot

Page 23: Active Directory Single Sign-On with IBM

• Using WAS Console go to Security -> SSL Certificate and Key Management -> Key stores and Certificates

• either NodeDefaultTrustStore or CellDefaultTrustStore

• Add SSL certificate (public key) manually or retrieve from port (i.e. the IIS server)

the Token-Signer certificate specified earlier

Page 24: Active Directory Single Sign-On with IBM

certificate alias you just added to the TrustStore
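A check for the two trust-store steps above, added here as an example and not part of the original deck: parse the IdP's federation metadata, pick out the certificate it advertises for token signing, and find which trust-store alias holds that certificate rather than only the SSL certificate. The metadata document, the certificate bytes and the trust-store listing are constructed stand-ins; the entity ID is a placeholder.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins: placeholder DER bytes, not real X.509 certificates.
SIGNING_DER = b"placeholder-adfs-token-signing-certificate"
SSL_DER = b"placeholder-adfs-ssl-only-certificate"

# Constructed stand-in for the ADFS FederationMetadata.xml document.
FEDERATION_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data>
        <X509Certificate>{base64.b64encode(SIGNING_DER).decode()}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed stand-in for the WAS trust store contents: alias -> DER bytes.
TRUSTSTORE = {"adfs-ssl": SSL_DER, "adfs-token-signer": SIGNING_DER}

def fingerprint(der):
    """SHA-256 fingerprint, comparable to the value WAS shows for a signer."""
    return hashlib.sha256(der).hexdigest().upper()

def signing_cert_fingerprints(metadata_xml):
    """Fingerprints of every IdP certificate advertised for token signing."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' = signing and encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.append(fingerprint(base64.b64decode("".join(cert.text.split()))))
    return fps

def token_signer_alias(metadata_xml, truststore):
    """Alias of the trust-store entry holding the IdP token-signing certificate,
    or None when only the SSL certificate was imported (signature checks fail)."""
    wanted = set(signing_cert_fingerprints(metadata_xml))
    for alias, der in truststore.items():
        if fingerprint(der) in wanted:
            return alias
    return None
```

Against a real deployment, feed it the metadata ADFS publishes at /FederationMetadata/2007-06/FederationMetadata.xml and the DER exports of the trust-store entries; the alias it returns is the one the TAI configuration should reference.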

Page 25: Active Directory Single Sign-On with IBM

• Using WAS Console go to Security -> Federated Repositories -> Configure

• Click Trusted authentication realms - inbound

• add external realm settings seen in screenshot

Federation Server identifier seen earlier

Page 26: Active Directory Single Sign-On with IBM

• Using WAS Console go to Security -> Global Security -> Web and SIP security -> Trust Association

• Check Enable trust association

Page 27: Active Directory Single Sign-On with IBM

Creating the Partnership

• SAML 2.0 metadata XML can be exported from WebSphere and imported into ADFS

• use AdminTask.exportSAMLSpMetadata('-spMetadataFileName <SpMetaDataFile> -ssoId 1')

sso_1.sp.acsURL

Page 28: Active Directory Single Sign-On with IBM

use defaults on next screens

Page 29: Active Directory Single Sign-On with IBM

Finished Partnership (Relying Party Trust)

Page 30: Active Directory Single Sign-On with IBM

Resources

Understanding the WebSphere Application Server SAML Trust Association Interceptor

http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansche.html

Step by step guide to implement SAML 2.0 for Portal 8.5

https://developer.ibm.com/digexp/docs/docs/customization-administration/step-step-guide-implement-saml-2-0-portal-8-5/

Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI)

https://www.ibm.com/developerworks/community/blogs/8f2bc166-3bdc-4a9d-bad4-3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_SAML_TAI?lang=en

Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication

https://www-10.lotus.com/ldd/portalwiki.nsf/dx/Step-by-Step_guide_to_Configure_Single_sign-on_for_HTTP_requests_using_SPNEGO_web_authentication

AD + SAML + Kerberos + IBM Notes and Domino = SSO!

http://www.andypedisich.com/blogs/andysblog.nsf/dx/robs-saml-presentation-from-mwlug-has-been-posted.htm

BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014)

http://www.idonotes.com/IdoNotes/IdoConnect2013.nsf/dx/bp104-simplifying-the-ss-single-sign-on-spnego-and-saml-2014.htm

Page 31: Active Directory Single Sign-On with IBM

Thank You
