BP201: Creating Your Own Connections Confection - Getting The Flavour Right

Gabriella Davis Technical Director - The Turtle Partnership [email protected]

Let’s talk about me for a minute

▪ Admin of all things and especially quite complicated things where the fun is
– Working with security, healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to
▪ Stubborn and relentless problem solver
▪ Lives in London about half of the time
▪ [email protected]
▪ twitter: gabturtle

Notices and Disclaimers

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. 
All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. 
IBM, the IBM logo, ibm.com, BrassRing®, Connections™, Domino®, Global Business Services®, Global Technology Services®, SmartCloud®, Social Business®, Kenexa®, Notes®, PartnerWorld®, Prove It!®, PureSystems®, Sametime®, Verse™, Watson™, WebSphere®, Worklight®, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Connections - The Whole Picture

Designing Your User Experience

CREATING AND SHARING CONTENT TAGGING, LIKES & @MENTIONS

CLIENT ACCESS: BROWSER DESKTOP APPLICATION MOBILE

LEARNING ABOUT PEOPLE, WHO THEY ARE, WHAT THEY DO

DOCUMENT MANAGEMENT

AUDIENCE & NETWORK EXTERNAL USER BEHAVIOUR

Architecture Decisions

USERS VS CONCURRENT USERS

PUBLIC ACCESS AND SECURITY

FILE AND DATA STORAGE

SEPARATING COMPONENTS

BUILD NOW / ADD LATER?

ALWAYS HAVE BOTH STAGING AND PRODUCTION ENVIRONMENTS

Design For Growth

Clusters can be duplicated
Not everything needs to be clustered but everything should have the potential for clustering without needing a rebuild
Avoid backing yourself into a corner with single points of failure
Data is accessed from the database server and from a shared data location

Document Management

It’s All About Content - Companies Run On Content

(Content tag cloud: Tags, Video, KPI, Processes, Web 2.0, Proposals, Projects, Photos, Wikis, Places, Blogs, Tasks)

✤ Companies generate and need to use and retain a lot of data, much of it unstructured

✤ To do this they use Enterprise Content Management (ECM)

✤ This is not the same as a Content Management System (CMS)

Sharing A Collective Memory

✤ Information needs context

✤ Why was it generated?

✤ What was it used for?

✤ Who worked on it?

✤ Is it still true?

Avoiding Reinvention

SEARCH → DOES CONTENT ALREADY EXIST? → REVIEW → IS IT WHAT YOU NEED? → RE-USE → WHY NOT JUST SHARE IT?

Always The Right Information

▪ Always most recent
▪ Always validated
▪ Always in context

Control & Confidence

▪ Approvals
▪ Reviews
▪ Auditing
▪ Compliance

Finding Things

Searching: Files & Folder Metadata, Document Types, Tagging

✤ People / Unstructured

✤ Process / Structured

Working With Documents

Files Application

▪ Standard Connections application (default install)
▪ Each user has their own “Library” where they can upload and share files
▪ Each file can be shared

Sharing Files - Behaviour

Files Sync Offline

CCM / Filenet

CCM Isn’t Pure Filenet

It’s A Customised Connections-Specific Integrated Install

(Diagram components: DEP MGR + FILENET, FILENET CONNECTIONS, WAS, DB STORE)

1. Websphere Application Server

2. Deployment Manager Server

3. Filenet Installers

1. Websphere Application Server

2. Filenet J2EE Applications

1. Database Server 2. FNCGD & FNOS

Databases

Connections Data Share

(NFS)

Filenet Server

DB Server

Storage

CCM Libraries SSO

Standalone Filenet External Libraries

Editing Things

EditLive

Advanced editing, table management, inline images

EditLive Install

▪ Custom installer downloadable from IBM
▪ Simple application install
▪ Enabled for everyone or for users by role
▪ J2EE application maps to a WebSphere server
– you can use an existing server

File Viewer

Server 1: IBM Connections, with the File Viewer Extension Plugin
Server 2: Conversion Server (mandatory, Windows OS)
File Viewer Server (Windows or Linux)
Connections Data Share (moved to NFS share)
Viewer Data Share

IBM Docs

Server 1: IBM Connections, with the IBM Docs Extension Plug-In and File Viewer Extension Plugin
Server 2 and Server 3: IBM Docs Server (mandatory, Linux OS) and Conversion Server (mandatory, Windows OS)
Server 4: IBM Docs Proxy (optional, Linux OS)
File Viewer Server (Windows or Linux)
Connections Data Share (moved to NFS share)
Viewer Data Share
IBM Docs Data on an NFS Share

Analytics

Cognos

Cognos BI Cognos Transformer

Cognos & Metrics DB

Cognos & Metrics J2EE Apps

Connections Reporting

Cognos BI Cognos Transformer

Websphere Application Server

Metrics J2EE Application Cognos J2EE

Application

Database Server Cognos DB Metrics DB

The metrics application logs to the Metrics DB. This DB can be (and is) used by other 3rd party analytical tools

Forms Experience Builder

Forms Experience Builder Polls & Surveys

Installs on WebSphere Server(s)

Requires DB2

Installs on every server in the chosen cluster

Websphere Application Server

Forms Experience Builder FEB J2EE Application

Database Server

FEB DB

Connections Mail

How Does Connections Mail Work?

Deployment Manager

IBM Connections Mail Installed

Connections Application

Server

Connections Application

Server

HTTP Interface to Mail

(iNotes in the case of Domino)

Domino Server1

Domino Server2

Domino Server3

Or Exchange

Sametime Integration

Configuring Sametime With Connections

▪ Two choices
– Each user runs the Sametime standalone client
– Enable the Connections server to connect to the Sametime Proxy Server using a web interface
▪ There are no Sametime applications installed under Connections

Online Status In Connections

Sametime Meetings In Connections

All communication is through the Sametime Proxy Server - a web interface to Sametime Services

External Users

What Can An External Person Do?

▪ Be a full member of a Community that allows external users
▪ Share Files with others as well as Download files shared with you
▪ See Activity Streams that they are invited into
▪ Edit Their Profile
▪ View business cards of anyone who has shared content with them

What Can’t An External Person Do?

▪ See Any Public Content
▪ Create a community
▪ Follow people
▪ See or search the company directory
▪ Use type-ahead to find people
▪ See recommended content or people
▪ Access the Profiles menu
▪ Access other user profiles
▪ See @Mentions for them

Internal - Homepage

Visitor Homepage

Internal - My Profile

Visitor My Profile

Single Sign On

SPNEGO - Simple and Protected GSSAPI Negotiation Mechanism
Negotiation - known as NTLM or Kerberos in Active Directory

SPNEGO EXAMPLE FOR WEBSPHERE

STEPS
1. USER LOGS INTO WINDOWS
2. ACTIVE DIRECTORY GENERATES SPNEGO TOKEN
3. USER TRIES TO ACCESS CONNECTIONS
4. BROWSER SENDS SPNEGO TOKEN TO WEBSPHERE ALONG WITH USER NAME
5. WEBSPHERE CONTACTS ACTIVE DIRECTORY TO VALIDATE TOKEN AND RETRIEVE THE USER’S NAME

SETTING UP SPNEGO

Set up an SPN for the IHS and Connections application servers in Active Directory
Use a dedicated account that you use to start WebSphere as a service
Run setspn -a HTTP/<ihs hostname> <accountnamerunningwas>

If AD isn’t the LDAP being used then the LDAP entry should be updated with the AD name
e.g. for Domino update person documents with AD name appended to FullName (and optional others like krbPrincipalName and LTPA User Name)

WHY NOT SPNEGO

It requires Active Directory
It requires users to login to Active Directory
It requires Microsoft supported browsers*
It requires a Windows client for the users*
It requires a Windows platform*
It doesn’t work at all if the user is remotely connecting and not logging into Active Directory
It has a very specific use case
* all these asterisks mean there are ways to extend to other platforms, often using 3rd party addons
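The flow above ends with the browser presenting the SPNEGO token to WebSphere (step 4), and the caveats that follow describe the situations in which that token will not be a Kerberos one. The Python below is an added example, not from the deck and not IBM or WebSphere code: it decodes the Authorization: Negotiate header a client sends and reports which mechanisms the client offered, so an administrator reviewing IHS or WebSphere request logs can tell a Kerberos negotiation from an NTLM fallback (missing SPN, non-domain client, remote user not logged into Active Directory). The sample headers are constructed inside the block; a real token also carries an optimistic mechToken, which is omitted here because only the mechTypes list is inspected. Function names are my own.

```python
import base64

# DER-encoded OID values (without the 0x06 tag/length) for mechanisms seen in SPNEGO tokens.
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")   # 1.3.6.1.4.1.311.2.2.10

MECH_NAMES = {
    SPNEGO_OID: "SPNEGO",
    KRB5_OID: "Kerberos V5",
    MS_KRB5_OID: "MS Kerberos V5",
    NTLMSSP_OID: "NTLMSSP",
}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, payload):
    """Encode one DER TLV (short-form length only; enough for the sample tokens)."""
    if len(payload) >= 128:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(payload)]) + payload


def build_spnego_init(mech_oids):
    """Constructed NegTokenInit carrying only the mechTypes list (no mechToken)."""
    mech_list = b"".join(_der(0x06, oid) for oid in mech_oids)
    neg_token_init = _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, mech_list))))
    return _der(0x60, _der(0x06, SPNEGO_OID) + neg_token_init)


def classify_negotiate_header(header_value):
    """Return {"mechanism": ..., "offered": [...]} for an Authorization header value.
    'offered' lists the SPNEGO mechTypes in the client's order of preference."""
    scheme, _, token_b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(token_b64)
    if raw.startswith(b"NTLMSSP\x00"):     # some clients send bare NTLM under Negotiate
        return {"mechanism": "raw NTLM", "offered": ["NTLMSSP"]}
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("missing mechanism OID")
    if bytes(oid) != SPNEGO_OID:           # e.g. a bare Kerberos AP-REQ
        return {"mechanism": MECH_NAMES.get(bytes(oid), "unknown"), "offered": []}
    _, neg_token_init, _ = _read_tlv(body, pos)    # [0] NegTokenInit
    _, seq, _ = _read_tlv(neg_token_init, 0)       # SEQUENCE
    _, mech_types, _ = _read_tlv(seq, 0)           # [0] mechTypes
    _, mech_list, _ = _read_tlv(mech_types, 0)     # SEQUENCE OF MechType
    offered, p = [], 0
    while p < len(mech_list):
        _, oid, p = _read_tlv(mech_list, p)
        offered.append(MECH_NAMES.get(bytes(oid), "unknown"))
    return {"mechanism": "SPNEGO", "offered": offered}


def negotiated_kerberos(header_value):
    """True when the client's preferred mechanism is Kerberos, i.e. it obtained a ticket
    from Active Directory (step 2). False means an NTLM fallback, which is what you see
    when the SPN is missing, the client is not domain-joined, or the user is remote."""
    info = classify_negotiate_header(header_value)
    return bool(info["offered"]) and "Kerberos" in info["offered"][0]


# Constructed sample headers (not captured from a real WebSphere or IHS server).
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(
    build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])).decode()
SAMPLE_NTLM_FALLBACK = "Negotiate " + base64.b64encode(
    build_spnego_init([NTLMSSP_OID])).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 27).decode()

if __name__ == "__main__":
    for name, header in [("kerberos", SAMPLE_KERBEROS),
                         ("ntlm fallback", SAMPLE_NTLM_FALLBACK),
                         ("raw ntlm", SAMPLE_RAW_NTLM)]:
        print(name, classify_negotiate_header(header), negotiated_kerberos(header))
```

Run against a log of captured Authorization headers, a count of requests where negotiated_kerberos() is False is a quick health check for the SPN registration and for how many users are hitting the "remote and not logged into Active Directory" case.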

What Is SAML

Security Assertion Markup Language

SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers

IdP (Identity Provider)

SP (Service Provider)

SP (Service Provider)

SP (Service Provider)

No Passwords…
To Compromise
To Expire

Once a user has authenticated with the IdP they won’t be asked again

SAML Example

STEPS
1. USER ATTEMPTS TO LOG IN TO A WEBSITE
2. USER IS REDIRECTED TO IDENTITY PROVIDER
3. IDENTITY PROVIDER REQUESTS AUTHENTICATION OR (IF USER IS LOGGED IN) RETURNS CREDENTIALS
4. USER IS REDIRECTED BACK TO ORIGINAL SITE WITH SAML ASSERTION ATTACHED
5. ORIGINAL SITE USES ITS SAML SERVICE PROVIDER TO CONFIRM SAML ASSERTION AND GRANT ACCESS

Definitions

▪ IdP - Identity Provider (SSO)
– ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
• SAML 2.0 only
• can be combined with SPNEGO
• Enhances Integrated Windows Authentication (IWA)
– TFIM (Tivoli Federated Identity Manager)
• SAML 1.1 and 2.0

Definitions

▪ SP - Service Provider
– IBM WebSphere
• By extension some applications installed under WebSphere
– IBM Domino (web federated login)
– IBM Notes (requires ID Vault) (notes federated login)

More Definitions

▪ IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via XML based assertions

▪ Assertions have three roles – Authentication – Authorisation – Retrieving Attributes

An IdP can service many service providers

An SP can be connected to several IdPs

An IdP can use a variety of authentication methods including multi factor
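The five SAML steps above and the three assertion roles (authentication, authorisation, retrieving attributes) as a runnable model. This is an added example, not part of the deck and not how ADFS, TFIM or WebSphere implement SAML: an HMAC over a JSON body stands in for the XML signature a real IdP applies and the SP verifies against the IdP's certificate, the user directory is constructed, and the entity IDs are hypothetical. What it does show faithfully is the division of labour the slides describe: the password is only ever seen by the IdP, the SP grants access purely on a verified assertion (signature, trusted issuer, audience, validity window, replay check), and a second login against an existing IdP session does not prompt the user again.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed directory for the stand-in IdP: username -> (password hash, attributes).
# A real IdP (ADFS, TFIM) authenticates against Active Directory or another LDAP instead.
_USERS = {
    "gab": (hashlib.sha256(b"correct horse").hexdigest(),
            {"mail": "gab@example.test", "groups": ["connections-users"]}),
}


class IdentityProvider:
    """Stand-in IdP. Signs assertions with a key shared with the SP (HMAC here,
    XML-DSig with the IdP certificate in real SAML)."""

    def __init__(self, entity_id, signing_key):
        self.entity_id = entity_id
        self._key = signing_key
        self._sessions = {}              # IdP session cookie -> username

    def has_session(self, cookie):
        return cookie in self._sessions

    def login(self, username, password):
        """Primary authentication (step 3): the only place a password is handled.
        Returns an IdP session cookie, or None on failure."""
        record = _USERS.get(username)
        supplied = hashlib.sha256((password or "").encode()).hexdigest()
        if record is None or not hmac.compare_digest(record[0], supplied):
            return None
        cookie = secrets.token_hex(16)
        self._sessions[cookie] = username
        return cookie

    def issue_assertion(self, cookie, audience, now=None):
        """Signed assertion for an existing IdP session: who authenticated, which SP
        it is for (audience) and the user's attributes."""
        username = self._sessions.get(cookie)
        if username is None:
            return None
        now = time.time() if now is None else now
        body = {
            "id": secrets.token_hex(8),                # unique, for replay detection
            "issuer": self.entity_id,
            "subject": username,
            "audience": audience,
            "not_before": now - 60,
            "not_on_or_after": now + 300,
            "attributes": _USERS[username][1],
        }
        payload = json.dumps(body, sort_keys=True)
        signature = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": signature}


class ServiceProvider:
    """Stand-in SP (WebSphere's role in the deck). Never sees the user's password."""

    def __init__(self, entity_id, trusted_issuer, signing_key):
        self.entity_id = entity_id
        self._issuer = trusted_issuer
        self._key = signing_key
        self._seen_ids = set()           # assertion IDs already consumed

    def consume(self, assertion, now=None):
        """Step 5: verify the assertion and return the principal, or raise ValueError."""
        payload = assertion["payload"].encode()
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            raise ValueError("bad signature")
        body = json.loads(payload)
        now = time.time() if now is None else now
        if body["issuer"] != self._issuer:
            raise ValueError("untrusted issuer")
        if body["audience"] != self.entity_id:
            raise ValueError("assertion not intended for this SP")
        if not body["not_before"] <= now < body["not_on_or_after"]:
            raise ValueError("assertion outside validity window")
        if body["id"] in self._seen_ids:
            raise ValueError("replayed assertion")
        self._seen_ids.add(body["id"])
        return {"user": body["subject"], "attributes": body["attributes"]}


# Hypothetical entity IDs; the shared key is generated fresh on each run.
KEY = secrets.token_bytes(32)
IDP = IdentityProvider("https://idp.example.test", KEY)
SP = ServiceProvider("https://connections.example.test", IDP.entity_id, KEY)


def login_flow(username, password=None, idp_cookie=None):
    """Steps 1-5: the user hits the SP, is redirected to the IdP, authenticates there
    unless an IdP session already exists, and is sent back with the assertion.
    Returns (principal, idp_cookie, prompted_for_password)."""
    prompted = not IDP.has_session(idp_cookie)
    if prompted:
        idp_cookie = IDP.login(username, password)
        if idp_cookie is None:
            return None, None, True
    assertion = IDP.issue_assertion(idp_cookie, SP.entity_id)
    return SP.consume(assertion), idp_cookie, prompted


def rejection_reason(sp, assertion, now=None):
    """Why sp rejects the assertion, or None if it accepts it."""
    try:
        sp.consume(assertion, now)
        return None
    except ValueError as exc:
        return str(exc)
```

The audience check is the one most often missed in home-grown SP code: without it an assertion issued for one service provider can be presented to another that trusts the same IdP, which matters in exactly the setup the slides describe, where one IdP serves several SPs.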

Setting Up SAML

▪ Choose your IdP if you don’t already have one
– which fits best in your business
▪ Build the IdP
▪ Configure the SP
▪ Sounds easy doesn’t it?
– It’s really not easy by any means but it is worth the investment in time

SAML Support In Connections

▪ WebSphere supports SAML but that doesn’t mean all applications run under WebSphere support it
▪ Where SAML is configured for authentication and can’t be used by an external application, WebSphere can generate an LTPA token
▪ FileNet / CCM does not support SAML
▪ Metrics/Cognos can’t run in a SAML enabled cell and must be deployed in its own cell with LTPA
▪ Connections Mail, Desktop and Mobile applications cannot use SAML
▪ Browser access to the rest of the Connections applications (homepage, profiles, activities, communities etc) is supported

IBM PreApproval Process - SAML Isn’t Supported Without It

▪ SAML integration with IBM Connections is supported in specific circumstances
▪ WebSphere supports SAML but that doesn’t mean all applications that run under WebSphere do
▪ Specific configuration instructions and fixes are only available from IBM Support once pre-approval has been completed
▪ The pre-approval process is a questionnaire that must be completed and submitted to IBM so support can evaluate if your environment can be supported
– IBM will also advise the best deployment for SAML to meet your needs
– There is no one size fits all solution

Configuring SAML With IBM Connections

▪ There are two methods for configuring SAML with IBM Connections
▪ For both, the IdPs (Identity Providers) tested are ADFS and TFIM
– Those are the IdPs publicly documented for WebSphere
– That’s not to say other IdPs wouldn’t be supported if accepted for pre-approval
▪ WebSphere acts as an SP (service provider) and configuration is completed in the cell under Global Security
– This means SAML instructions are applied to all applications in the cell
▪ SAML can be deployed using WebSphere’s default authenticator or using SAML redirection
– Using the default authenticator gives more scope for external applications
– IBM will advise the best deployment based on your completed questionnaire

Where To From Here?

▪ Who are your users
▪ Where are your users
▪ What do they want to do
▪ Clouds vs On Premises
▪ Simplify Architecture But Build for Growth
▪ Have a Plan

Questions?

▪ Gab Davis - Technical Director
▪ The Turtle Partnership
▪ [email protected]
▪ GabriellaDavis on Skype
▪ gabturtle on twitter

Engage Online

▪ SocialBiz User Group socialbizug.org – Join the epicenter of Notes and Collaboration user groups

▪ Social Business Insights blog ibm.com/blogs/socialbusiness – Read and engage with our bloggers

▪ Follow us on Twitter – @IBMConnect and @IBMSocialBiz

▪ LinkedIn http://bit.ly/SBComm – Participate in the IBM Social Business group on LinkedIn

▪ Facebook https://www.facebook.com/IBMConnected – Like IBM Social Business on Facebook