Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta

By Andrew Pollack on 03/15/2013 at 05:47 PM EDT

Am I reading this right? Seriously?

Like many people, when I read that the next release of the Domino Server and Client were going to support OAuth and SAML, I was pretty happy with that. I've been a bit late getting around to looking at the beta though -- after all, IBM has made it quite clear that my opinion isn't all that welcome any more -- and I'm just now reading the documentation on how IBM is going about this. I'll know more when I talk about this stuff next week at BLUG, by the way.

First SAML. I know a fair bit about SAML. I have 3 binders next to me with the spec printed out. Three full 1" ring binders printed double sided. It's not a simple specification. I've even written my own SAML 2.0 "SP" tools for Domino. That is to say, I have software that can participate as a service provider, logging end users in to the Domino server who authenticate with an off-site SAML identity provider server. Now, mine is not 100% complete yet. It doesn't support the entire protocol suite -- just the parts that my customers have needed so far.

When I read about the way IBM Domino supports SAML, I have to say -- it would not work in any of the three production customer sites where I know my code is running. Now, I could be wrong, as I haven't dug too deeply into it yet -- but reading the documentation, here's where the SAML implementation that I see so far falls apart.

1. It supports only "Microsoft Active Directory" and "Tivoli Federated Identity Manager". Well, so far I've seen 4 different SAML implementations and not a single one of them is using either of those products. The product that I'm seeing used out in the marketplace is almost overwhelmingly "Oracle Federated Identity" (which works with Oracle Identity Manager). Now, I see no reason why this wouldn't work, but it's not supported according to the documentation. I'll have to try it when I get time.

2. It doesn't seem to support authentication in cases where you are not using the ID Vault. -- None of the sites I've talked to are using the ID Vault at this time.

3. It doesn't seem to support logging in someone who does not have a Notes ID and Person Document on the server. None of the sites I've worked with so far operate this way. The whole point to having someone else responsible for authentication is to avoid this.

SAML Conclusion: Looks like I should finish off my own SAML implementation for Domino, which will work with any server 7.03 or above and doesn't have those limitations. Then, I'll let IBM increase the mindshare about SAML and when customers find it doesn't do what they want and go searching for answers, they'll find mine. It's a win for me, I guess.

What about OAuth?

To me, IBM Notes and Domino supporting OAuth sounded like it meant I'd be able to drop an xpage control or something onto a web page and start letting people log into my web sites built with Domino by authenticating on Facebook, Twitter, and Google like so many other sites out there now do. NOPE. Apparently that's not what IBM meant at all. Again, assuming I'm reading this correctly, what IBM means by "Supporting OAuth" is that in the Client and in iNotes, you'll be able to use widgets in which the authentication method chosen by the provider of that widget happens to be OAuth (as I understand will be the case for some Connections stuff, and stuff custom developed for Connections). That's pretty minimal. Any web browser can do those things.

So far, I have to say that at least on that front I am not impressed at all.



re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Toby Samples on 03/15/2013 at 09:16 PM EDT
"It doesn't seem to support logging in someone who does not have a Notes ID and
Person Document on the server. None of the sites I've worked with so far
operate this way. The whole point to having someone else responsible for
authentication is to avoid this."

I had not read this and it makes no sense whatsoever. Why use SAML if the SP
still has to manage credentials? Ridiculous!
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/15/2013 at 10:07 PM EDT
They really do seem to have lost the plot on this one.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Giulio Campobassi on 03/15/2013 at 10:42 PM EDT
@Andrew Re: point #3. If you allow people to log on to a Domino server without
an ID, would this affect IBM's fees for their licencing* ? If people just
started using alternative authentication which you couldn't track or audit,
what then would be IBM's options for licencing ?

*: Please accept that I'm ignorant to IBM's licencing structure.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/16/2013 at 12:31 AM EDT
That's a hard question to answer, on the surface, but no. I think in most use
cases you'd be using a utility server license or something similar. If you
were still on a per-person kind of licensing, then no matter how the
distinction is made, you are required to have a license for each person the
server can keep track of, regardless of how it can keep track of them.
OAuth consumer, not provider
By Tim Tripcony on 03/16/2013 at 02:15 AM EDT
Domino 9 can act as an OAuth consumer, and XPages can participate in that in an
almost drag and drop manner. So your users can authorize an XPage app to
perform actions in other systems on their behalf (for those who don't know,
OAuth is a protocol for authorization, not authentication). Domino 9 cannot act
as an OAuth provider. That is still on the horizon.
re: OAuth consumer, not provider
By Andrew Pollack on 03/16/2013 at 07:31 AM EDT
Still doesn't let me allow people to log into my Domino server using their
authenticated credentials on Twitter or Facebook, the way some web sites do
around the net.
re: OAuth consumer, not provider
By Dwight Wilbanks on 03/16/2013 at 09:37 AM EDT
I'll buy Tim's answer. OAuth is for authorization. In real life, however,
people do use OAuth's authorization as authentication. The remote connection
authorizes a null session to become an active user session.

In my version of the same code that it sounds like Andrew wrote, I optionally
create person documents, then create the appropriate cookies so the user
has credentials; all my code was in LotusScript. It was a lot of work, a lot
of work that someone at IBM should have done one time so that everyone else
does not have to.
re: OAuth consumer, not provider
By Simon O'Doherty on 05/22/2013 at 09:22 AM EDT
Just to add to Tim's comments. XPages using OAuth is not dependent on Domino
9/OpenSocial. You can get the same functionality in Domino 8.5.3. There is an
OpenNTF project you can use.

http://www.openntf.org/blogs/openntf.nsf/d6plinks/NHEF-8FL9BM
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Chris Miller on 03/16/2013 at 02:59 AM EDT
So I just gave a session at AusLUG on deploying the credential store to support
OAuth. The look of what you had to do to get it working was shocking until I
explained there is really no one outside of large social networks writing these
containers to use as an "embedded experience". The next part was the way
embedded experiences like to use email. One of the points of all this was not
to have emails flying around with client widget integration.

We can have this conversation at BLUG so I can understand the dev more and show
you some of what I learned on the admin side testing deployment.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/16/2013 at 08:44 AM EDT
But that's the point, Chris - all they've implemented is the dev side solution
to allow you to run someone else's content inside your Notes client (or xpage,
which is a notes client for your browser in many respects). They've once again
completely ignored the idea that you might make a compelling and useful web
browser based tool that faces outside your firewall, and want to use OAuth as
the authentication mechanism the way sites like Gawker, Discuss, Klout, and so
many others do.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Yuval on 03/16/2013 at 04:53 AM EDT
We are using the Domino 9 beta right from the very first release in production to
authenticate with Microsoft ADFS and allow SSO with SharePoint and another
system - works great.
The only problem we found was a clock syncing issue between us, Amazon and Rackspace,
and we solved it by disabling the ADFS internet time sync.
If IBM could add an interval for clock syncing that allows me to manually set
the allowed difference to 5 or 10 minutes - it would be perfect.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/16/2013 at 07:30 AM EDT
That should be definable within the SAML assertion (on the IdP side - Microsoft
AD in your case). On the assertion, you can specify the requirements and one
of them is the time that the assertion remains valid.
Why?
By Andrew Pollack on 03/16/2013 at 08:51 AM EDT
Yuval - Serious question, not being at all sarcastic here -- WHY are you going to
so much trouble to use SAML to authenticate Domino access with AD? It seems to
me there are already several much simpler methods of getting users in your
AD environment recognized by the Domino server. I don't see what you're
saving here. You still have to have and maintain Domino person records for all
those users from what I read in the documentation (admittedly I haven't set
this up yet, and won't until after the released product is out due to time
constraints).
re: Why?
By Yuval on 03/19/2013 at 11:06 AM EDT
About the time - the problem is not for how long it's valid but what happens if
the first time that it is valid is "in the future" for Domino (the ADFS clock
is ahead of the Domino one).

About why we are using it -
we are using the ADFS not only for Domino & SharePoint, we have another non-Windows
system and salesforce.com soon. I don't think there is another possible
solution but I will be happy to learn about such.

I have to say it's not a problem at all to set it up, it's as easy as creating the
ADFS side configuration and the Domino configuration document in the IDFS db.

And as for the users needing to be in the Domino directory - you are right, but
since we are still using Domino as our main web user management system it's not
really a problem, at least not yet.
re: Why?
By Andrew Pollack on 03/19/2013 at 01:46 PM EDT
Yul,

SAML assertions use "Conditions" to bound the time window. There are two
distinct conditions that can be used in combination or independent of one
another.

"NotBefore"
"NotOnOrAfter"

In combination they create a time window. Using just "NotOnOrAfter" only
creates the last valid time without specifying a start time.
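The Conditions window described above, together with the clock-skew tolerance Yuval asked for, as an added example in Python (not code from this post or from Domino). It evaluates NotBefore and NotOnOrAfter against the SP's own clock, with an optional allowed drift, and reproduces the "NotBefore is in the future" failure when the IdP clock runs ahead. The assertion is constructed and unsigned, and `build_assertion`, `check_conditions` and the example.com names are this snippet's own.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def build_assertion(**conditions):
    """Build a constructed, unsigned sample assertion carrying the given
    Conditions attributes (NotBefore and/or NotOnOrAfter). Sample data only."""
    attrs = " ".join(f'{k}="{v}"' for k, v in conditions.items())
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_sample1" Version="2.0" IssueInstant="2013-03-19T10:03:00Z">'
        "<saml:Issuer>https://idp.example.com/</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        f"<saml:Conditions {attrs}/>"
        "</saml:Assertion>"
    )


def parse_saml_time(value):
    # SAML xs:dateTime values are UTC with a trailing Z; fractional seconds dropped.
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, sp_now_iso, skew_seconds=0):
    """Evaluate the Conditions time window against the SP's own clock.

    Returns (accepted, reason). The two bounds are independent: a missing
    NotBefore imposes no start bound, a missing NotOnOrAfter no end bound.
    skew_seconds widens the window on both sides to tolerate IdP/SP clock
    drift. This checks only the time window; a real SP verifies the XML
    signature before trusting anything in the assertion."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    now = parse_saml_time(sp_now_iso)
    skew = timedelta(seconds=skew_seconds)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now + skew < parse_saml_time(not_before):
        # An IdP clock running ahead of the SP produces exactly this failure.
        return False, "NotBefore is in the future"
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        # The end bound is exclusive: the instant itself is already invalid.
        return False, "NotOnOrAfter reached"
    return True, "within validity window"


if __name__ == "__main__":
    # SP clock reads 10:00:00 while the IdP issued at 10:03:00 (IdP 3 min ahead).
    windowed = build_assertion(NotBefore="2013-03-19T10:03:00Z",
                               NotOnOrAfter="2013-03-19T10:08:00Z")
    print(check_conditions(windowed, "2013-03-19T10:00:00Z"))       # rejected
    print(check_conditions(windowed, "2013-03-19T10:00:00Z", 300))  # accepted
    # NotOnOrAfter alone: no start bound, so only expiry is checked.
    end_only = build_assertion(NotOnOrAfter="2013-03-19T10:08:00Z")
    print(check_conditions(end_only, "2013-03-19T09:00:00Z"))       # accepted
```

Widening the skew also extends acceptance past NotOnOrAfter by the same amount, so a 5 or 10 minute tolerance is a trade against replay exposure, not a free setting.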
re: Why?
By Yuval on 03/19/2013 at 04:38 PM EDT
Will give it a try tomorrow morning and let you know.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By David Kern on 03/16/2013 at 10:41 AM EDT
Hi Andrew,

On point 1, as you are well aware there is a big difference between what is
currently officially supported and what works. If you scan through the public
beta forum, you'll see cookbooks describing how to configure the officially
tested and supported IdPs in great detail, as well as a thread investigating an
incompatibility with an unsupported IdP that ended up being fixed for GA. I
would be very surprised if the list of officially supported IdPs didn't grow
over time as more customer feedback is acquired.

Thanks,

dave
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/16/2013 at 12:45 PM EDT
As I have installed the beta client but not the server, I haven't been able yet
to open the idp template, but the documentation indicates you have to pick
between Microsoft and Tivoli as the remote provider type. Is there an "Other"
option? If not, I would assume you would just tell the Domino server you're
talking to Tivoli and use the idp.xml from the Oracle provider.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By David Kern on 03/16/2013 at 01:03 PM EDT
I'm as certain as I can be from my iPad that there is an "other" option in the
idpcat template which was added after receiving feedback exactly like yours. If
it's not there, there's an open SPR for it. However, even if there isn't an
"other" option, as you suggested choosing ADFS or TFIM from the drop-down
won't prevent you from importing a different IdP's XML metadata file.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By David Kern on 03/16/2013 at 10:52 AM EDT
Hi Andrew,

The Notes ID vault requirement that you mentioned in point 2 is for Notes
Federated Login, a new feature that provides Notes client SSO functionality
similar to Notes Shared Login, but that supports Citrix and non-Windows
platforms as well.

The vault is not required for Web Federated Login.

Thanks,

dave
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/16/2013 at 12:43 PM EDT
What about the requirement to have userid and person documents in place for
anyone who will authenticate with SAML?
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By David Kern on 03/16/2013 at 12:54 PM EDT
I suspect that the person document is used for name mapping purposes in order
to convert from RFC 821-style names (foo@example.com) to Notes DNs and
nameslists likely to be found in ACLs, but I'll have to check and get back to
you on that one.

Would you prefer to configure the IdP to place the Notes DN and nameslist in
the SAML assertion, or to place RFC 821 names into the relevant ACLs on the
Domino server?
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/16/2013 at 01:23 PM EDT
That depends on the implementation.

In one case I wrote, we use data from the assertion to create an "OU" that we
include on the userid we generate the LTPA token for. We also, as a matter of
policy, automatically put any user authenticated this way into a specific /Org
so that the possibility of the IdP generating a login path that is an
administrator on the system is removed.

In one case, we modified the $ServerAccess view to include the "@" symbol so
that userids with that symbol were valid and could be used for groups.

In many cases, we use a background process to sync user meta data ahead of time
so that groups can be pre-populated.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By David Kern on 03/18/2013 at 02:00 PM EDT
My previous assumption was correct - browser users can authenticate to the
Domino web server via SAML without a person document. Their session will
contain the name from the SAML assertion, which probably won't match any ACL
entries, leaving them only able to access public resources. You could also pull
tricks with Directory Assistance to perform the name mapping in an external
LDAP directory if you so chose. This behavior would be similar to a DSAPI
filter authenticating a user who doesn't have a person document.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/18/2013 at 06:59 PM EDT
Thanks, this helps.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Thomas Adrian on 03/16/2013 at 11:50 AM EDT
If you want Domino users, Active Directory users, facebook, twitter or linkedin
users sharing content together take a look at intrapages.

With intrapages you do not need any setup on the Domino server and you can
setup different instances for different people.

http://www.intrapages.com
http://intrpages.openntf.org
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/16/2013 at 02:00 PM EDT
Cool. I was thinking along the same lines. I could use their XPages control
to do the OAuth authorization, and have the rest of the app just log them
into Domino using my own code once that had been done.

I'm glad someone finished their work for them.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Jane Marcus on 03/18/2013 at 05:58 PM EDT
Hi Andrew,
Thanks for trying the software!

About your points:
1. There is no generic UI available to configure a SAML IdP other than TFIM or
ADFS, but sometimes the UI can properly set up a partnership with another
vendor's implementation. In the future, we hope to expand the support matrix.
If you give it a try with another vendor's IdP, please let us know if it works
(or doesn't)!

2. The Domino web server can use SAML authentication without any ID vault in
the architecture. IBM has 2 other features that use SAML with the ID vault,
but the basic Domino web server does not require the ID vault.

3. The Domino web server doesn't require the user to have a Notes ID and Person
Document on the server. In general, having a Notes ID is optional, depending
on the security features needed by the user. Instead of a Person document on
the server, the Domino web server can point to an LDAP directory that contains
user records. Domino will look up the user's email address in the user's SAML
assertion. The LDAP directory containing the user's record might also contain
the user's Notes name that would appear on Domino Access Control Lists. If
there is no directory record found for the user, then the user's access to
Domino resources depends on the permissions given in the resource's Access
Control List.

Hope this helps to clarify.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/18/2013 at 07:00 PM EDT
Thank you. I'll roll this up into the presentation I'm giving at BLUG later
this week. These points make your SAML implementation far more likely to be
useful. It nearly matches mine. :-)

I do have a few suggestions for you on the security front. I'll email them to
you so as not to spread ideas around.

Right now I'm in an airport waiting to board a plane so it will need to wait.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Mark Demicoli on 12/13/2013 at 11:42 AM EST
Any word on whether SAML works with other than TFIM & ADFS? Is it just a
matter of entering a correct Single-signin Service URL in the IdP config?
Thanks!
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 12/14/2013 at 01:27 PM EST
Unofficially, I'm told it should work with others and you'll see more options
as the server revs. Generally, I would try the TDS setting first as most SAML
sites are going to be based on the open source java.
