Andrew Pollack's Blog
Technology, Family, Entertainment, Politics, and Random Noise| Professional Services | Second Signal | Presentations | Andrew's Blog | Support |
Looking at SAML and OAUTH in the Notes and Domino 9 Public Beta
By Andrew Pollack on 03/15/2013 at 05:47 PM EDTAm I reading this right? Seriously?
Like many people, when I read that next release of the Domino Server and Client were going to support OAuth and SAML, I was pretty happy with that. I've been a bit late getting around to looking at the beta though -- after all, IBM has made it quite clear that my opinion isn't all that welcome any more -- and I'm just now reading the documentation on how IBM is going about this. I'll know more when I talk about this stuff next week at BLUG, by the way.
First SAML. I know a fair bit about SAML. I have 3 binders next to me with the spec printed out. Three full 1" ring binders printed double sided. It's not a simple specification. I've even written my own SAML 2.0 "SP" tools for Domino. That is to say, I have software that can participate as a service provider, logging end users in to the Domino server who authenticate with an off-site SAML identity provider server. Now, mine is not 100% complete yet. It doesn't support the entire protocol suite -- just the parts that my customers have needed so far.
When I read about the way IBM Domino supports SAML, I have to say -- it would not work in any of the three product customer sites where I know my code is running. Now, I could be wrong, as I haven't dug too deeply into it yet -- but reading the documentation, here's where the SAML implementation that I see so far falls apart.
1. It supports only "Microsoft Active Directory" and "Tivoli Federated Identity Manager". Well, so far I've seen 4 different SAML implementations and not a single one of them is using either of those products. The product that I'm seeing used out in the marketplace is almost overwhelmingly "Oracle Federated Identity" (which works with Oracle Identity Manager). Now, I see no reason why this wouldn't work, but it's not supported according to the documentation. I'll have to try it when I get time.
2. It doesn't seem to support authentication in cases where you are not using the ID Vault. -- None of the sites I've talked to are using the IDVault at this time.
3. It doesn't seem to support logging in someone who does not have a Notes ID and Person Document on the server. None of the sites I've worked with so far operate this way. The whole point to having someone else responsible for authentication is to avoid this.
SAML Conclusion: Looks like I should finish off my own SAML implementation for Domino, which will work with any server 7.03 or above and doesn't have those limitations. Then, I'll let IBM increase the mindshare about SAML and when customers find it doesn't do what they want and go searching for answers, they'll find mine. It's a win for me, I guess.
What about OAuth?
To me, IBM Notes and Domino supporting OAuth sounded like it meant I'd be able to drop an xpage control or something on to a web page and start letting people log into my web sites built with Domino by authenticating on Facebook, Twitter, and Google like so many other sites out there now do. NOPE. Apparently that's not what IBM meant at all. Again, assuming I'm reading this correctly, what IBM means by "Supporting OAuth" is that in the Client and in iNotes, you'll be able to use widgets in which the authentication method chosen by the provider of that widget happens to be OAuth (as I understand will be the case for some Connections stuff, and stuff custom developed for Connections). That's pretty minimal. Any web browser can do those things.
So far, I have to say that at least on that front I am not impressed at all.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Toby Samples on 03/15/2013 at 09:16 PM EDT
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 03/15/2013 at 10:07 PM EDT
They really do seem to have lost the plot on this one.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Giulio Campobassi on 03/15/2013 at 10:42 PM EDT
@Andrew Re: point #3. If you allow people to log on to a Domino server without
an ID, would this affect IBM's fees for their licencing* ? If people just
started using alternative authentication which you couldn't track or audit,
what then would be IBM's options for licencing ?
*: Please accept that I'm ignorant to IBM's licencing structure.
an ID, would this affect IBM's fees for their licencing* ? If people just
started using alternative authentication which you couldn't track or audit,
what then would be IBM's options for licencing ?
*: Please accept that I'm ignorant to IBM's licencing structure.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 03/16/2013 at 12:31 AM EDT
That's a hard question to answer, on the surface, but no. I think in most use
cases you'd be using a utility server license or something similar. If you
were still on a per-person kind of licensing, then no matter how the
distinction in made, you are required to have a license for each person the
server can keep track of, regardless of how it can keep track of them.
cases you'd be using a utility server license or something similar. If you
were still on a per-person kind of licensing, then no matter how the
distinction in made, you are required to have a license for each person the
server can keep track of, regardless of how it can keep track of them.
OAuth consumer, not providerBy Tim Tripcony on 03/16/2013 at 02:15 AM EDT
Domino 9 can act as an OAuth consumer, and XPages can participate in that in an
almost drag and drop manner. So your users can authorize an XPage app to
perform actions in other systems on their behalf (for those who don't know,
OAuth is a protocol for authorization, not authentication). Domino 9 cannot act
as an OAuth provider. That is still on the horizon.
almost drag and drop manner. So your users can authorize an XPage app to
perform actions in other systems on their behalf (for those who don't know,
OAuth is a protocol for authorization, not authentication). Domino 9 cannot act
as an OAuth provider. That is still on the horizon.
re: OAuth consumer, not providerBy Andrew Pollack on 03/16/2013 at 07:31 AM EDT
Still doesn't let me allow people to log into my domino server using their
authenticated credentials on twitter or facebook, the way some web sites do
around the net.
authenticated credentials on twitter or facebook, the way some web sites do
around the net.
re: OAuth consumer, not providerBy Dwight Wilbanks on 03/16/2013 at 09:37 AM EDT
I'll buy Tim's answer. OAuth is for authorization. In the real life, however,
people do use OAuth's authorization as authentication. The remote connection
authorizes a null session to become an active user session.
In my version of the same code that it sounds like Andrew wrote, I optionally
create create person documents then create the appropriate cookies so the user
has credentials, all my code was in lotusscript. It was a lot of work, a lot
of work that someone at IBM should have done one time so that everyone else
does not have to.
people do use OAuth's authorization as authentication. The remote connection
authorizes a null session to become an active user session.
In my version of the same code that it sounds like Andrew wrote, I optionally
create create person documents then create the appropriate cookies so the user
has credentials, all my code was in lotusscript. It was a lot of work, a lot
of work that someone at IBM should have done one time so that everyone else
does not have to.
re: OAuth consumer, not providerBy Simon O'Doherty on 05/22/2013 at 09:22 AM EDT
Just to add to Tims comments. XPages using OAuth is not dependent on Domino
9/OpenSocial. You can get the same functionality in Domino 8.5.3. There is an
OpenNTF project you can use.
http://www.openntf.org/blogs/openntf.nsf/d6plinks/NHEF-8FL9BM
9/OpenSocial. You can get the same functionality in Domino 8.5.3. There is an
OpenNTF project you can use.
http://www.openntf.org/blogs/openntf.nsf/d6plinks/NHEF-8FL9BM
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Chris Miller on 03/16/2013 at 02:59 AM EDT
So I just gave a session at AusLUG on deploying the credential store to support
oAuth . The look of what you had to do t get it working was shocking until I
explained there is really no one outside of large social networks writing these
containes to use as an "embedded experience". The next part was the way
embedded experiences like to use email. One of the points of all this was not
to have emails flying around with client widget integration.
We can have this conversation at BLUG so I can understand the dev more and show
you some I learned on the admin side testing deployment
oAuth . The look of what you had to do t get it working was shocking until I
explained there is really no one outside of large social networks writing these
containes to use as an "embedded experience". The next part was the way
embedded experiences like to use email. One of the points of all this was not
to have emails flying around with client widget integration.
We can have this conversation at BLUG so I can understand the dev more and show
you some I learned on the admin side testing deployment
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 03/16/2013 at 08:44 AM EDT
But that's the point, Chris - all they've implemented is the dev side solution
to allow you to run someone else's content inside your Notes client (or xpage,
which is a notes client for your browser in many respects). They've once again
completely ignored the idea that you might make a compelling and useful web
browser based tool that faces outside your firewall, and want to use OAuth as
the authentication mechanism the way sites like Gawker, Discuss, Klout, and so
many others do.
to allow you to run someone else's content inside your Notes client (or xpage,
which is a notes client for your browser in many respects). They've once again
completely ignored the idea that you might make a compelling and useful web
browser based tool that faces outside your firewall, and want to use OAuth as
the authentication mechanism the way sites like Gawker, Discuss, Klout, and so
many others do.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Yuval on 03/16/2013 at 04:53 AM EDT
we are using a domino 9 beta right from the very first release in production to
authenticate with Microsoft ADFS and allow SSO with SharePoint and another
system - works great.
Only problem we found was clock syncing issue between us, amazon and Rackspace
and we solved it by disabling the ADFS internet time sync.
If IBM could add an interval for clock syncing that allow me to manually set
the allowed differences to 5 or 10 minutes - it will be perfect.
authenticate with Microsoft ADFS and allow SSO with SharePoint and another
system - works great.
Only problem we found was clock syncing issue between us, amazon and Rackspace
and we solved it by disabling the ADFS internet time sync.
If IBM could add an interval for clock syncing that allow me to manually set
the allowed differences to 5 or 10 minutes - it will be perfect.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 03/16/2013 at 07:30 AM EDT
That should be definable within the SAML assertion (on the IdP side - Microsoft
AD in your case). On the assertion, you can specify the requirements and one
of them is the time that the assertion remains valid.
AD in your case). On the assertion, you can specify the requirements and one
of them is the time that the assertion remains valid.
Why?By Andrew Pollack on 03/16/2013 at 08:51 AM EDT
Yuval - Serious question, not be at all sarcastic here -- WHY are you going to
so much trouble to use SAML to authenticate Domino access with AD? It seems to
me there are already several much more simple methods of getting users in your
AD environment recognized by the Domino server. I don't see what you're
saving here. You still have to have and maintain Domino person records for all
those users from what I read in the documentation (admittedly I haven't set
this up yet, and won't until after the released product is out due to time
constraints).
so much trouble to use SAML to authenticate Domino access with AD? It seems to
me there are already several much more simple methods of getting users in your
AD environment recognized by the Domino server. I don't see what you're
saving here. You still have to have and maintain Domino person records for all
those users from what I read in the documentation (admittedly I haven't set
this up yet, and won't until after the released product is out due to time
constraints).
re: Why?By yuval on 03/19/2013 at 11:06 AM EDT
About the time - the proble mis not for how long its valid but what happen if
the first time that it is valid is "in the future" for domino (the adfs clock
is a head of the domino one)
About why are we using it -
we are using the ADFS not only for domino & Sharepoint, we have another none
windows system and salesforce.com soon, i don't think there is another possible
solution but i will be happy to learn about such.
I have to say its not a problem at all to set it up , it's easy as creating the
ADFS side configuration and the domino configuration document in the IDFS db.
and as for the users needed to be in the domino directory - you are right but
since we are still using domino as our main web user management system it's not
really a problem, at list not yet.
the first time that it is valid is "in the future" for domino (the adfs clock
is a head of the domino one)
About why are we using it -
we are using the ADFS not only for domino & Sharepoint, we have another none
windows system and salesforce.com soon, i don't think there is another possible
solution but i will be happy to learn about such.
I have to say its not a problem at all to set it up , it's easy as creating the
ADFS side configuration and the domino configuration document in the IDFS db.
and as for the users needed to be in the domino directory - you are right but
since we are still using domino as our main web user management system it's not
really a problem, at list not yet.
re: Why?By Andrew Pollack on 03/19/2013 at 01:46 PM EDT
Yul,
Saml assertions use "Conditions" to bound the time window. There are two
distinct conditions that can be used in combination or independent of one
another.
"NotBefore"
"NotOnOrAfter"
In combination they create a time window. Using just "NotOnOrAfter" only
creates the last valid time without specifying a start time.
Saml assertions use "Conditions" to bound the time window. There are two
distinct conditions that can be used in combination or independent of one
another.
"NotBefore"
"NotOnOrAfter"
In combination they create a time window. Using just "NotOnOrAfter" only
creates the last valid time without specifying a start time.
re: Why?By yuval on 03/19/2013 at 04:38 PM EDT
Will give it a try tomorrow morning and let you know.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy David Kern on 03/16/2013 at 10:41 AM EDT
Hi Andrew,
On point 1, as you are well aware there is a big difference between what is
currently officially supported and what works. If you scan through the public
beta forum, you'll see cookbooks describing how to configure the officially
tested and supported IdPs in great detail, as well as a thread investigating an
incompatibility with an unsupported IdP that ended up being fixed for GA. I
would be very surprised if the list of officially supported IdPs didn't grow
over time as more customer feedback is acquired.
Thanks,
dave
On point 1, as you are well aware there is a big difference between what is
currently officially supported and what works. If you scan through the public
beta forum, you'll see cookbooks describing how to configure the officially
tested and supported IdPs in great detail, as well as a thread investigating an
incompatibility with an unsupported IdP that ended up being fixed for GA. I
would be very surprised if the list of officially supported IdPs didn't grow
over time as more customer feedback is acquired.
Thanks,
dave
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 03/16/2013 at 12:45 PM EDT
As I have installed the beta client but not the server, I haven't been able yet
to open the idp template, but the documentation indicates you have to pick
between Microsft and Tivoli as the remote provider type. Is there an "Other"
option? If not, I would assume you would just tell the Domino server you're
talking to Tivoli and use the idp.xml from the Oracle provider.
to open the idp template, but the documentation indicates you have to pick
between Microsft and Tivoli as the remote provider type. Is there an "Other"
option? If not, I would assume you would just tell the Domino server you're
talking to Tivoli and use the idp.xml from the Oracle provider.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy David Kern on 03/16/2013 at 01:03 PM EDT
I'm as certain as I can be from my iPad that there is an "other" option in the
idpcat template which was added after receiving feedback exactly like yours. If
it's not there, there's an open SPR for it. However, even if there isn't an
"other" option, as you suggested choosing ADFS or TFIM from the drop-down
won't prevent you from importing a different IdP's XML metadata file.
idpcat template which was added after receiving feedback exactly like yours. If
it's not there, there's an open SPR for it. However, even if there isn't an
"other" option, as you suggested choosing ADFS or TFIM from the drop-down
won't prevent you from importing a different IdP's XML metadata file.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy David Kern on 03/16/2013 at 10:52 AM EDT
Hi Andrew,
The Notes ID vault requirement that you mentioned in point 2 is for Notes
Federated Login, a new feature that provides Notes client SSO functionality
similar to Notes Shared Login, but that supports Citrix and non-Windows
platforms as well.
The vault is not required for Web Federated Login.
Thanks,
dave
The Notes ID vault requirement that you mentioned in point 2 is for Notes
Federated Login, a new feature that provides Notes client SSO functionality
similar to Notes Shared Login, but that supports Citrix and non-Windows
platforms as well.
The vault is not required for Web Federated Login.
Thanks,
dave
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 03/16/2013 at 12:43 PM EDT
What about the requirement to have userid and person documents in place for
anyone who will authenticate with SAML?
anyone who will authenticate with SAML?
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy David Kern on 03/16/2013 at 12:54 PM EDT
I suspect that the person document is used for name mapping purposes in order
to convert from RFC 821-style names (foo@example.com) to Notes DNs and
nameslists likely to be found in ACLs, but I'll have to check and get back to
you on that one.
Would you prefer to configure the IdP to place the Notes DN and nameslist in
the SAML assertion, or to place RFC 821 names into the relevant ACLs on the
Domino server?
to convert from RFC 821-style names (foo@example.com) to Notes DNs and
nameslists likely to be found in ACLs, but I'll have to check and get back to
you on that one.
Would you prefer to configure the IdP to place the Notes DN and nameslist in
the SAML assertion, or to place RFC 821 names into the relevant ACLs on the
Domino server?
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 03/16/2013 at 01:23 PM EDT
That depends on the implementation.
In once case I wrote, we use data from the assertion to crate an "OU" that we
include on the userid we generate the ltpa token for. We also, as a matter of
policy, automatically put any user authenticated this way into a specific /Org
so that the possibility of the IdP generating a login path that is an
administrator on the system is removed.
In one case, we modified the $ServerAccess view to include the "@" symbol so
that userids with that symbol were valid and could be used for groups.
In many cases, we use a background process to sync user meta data ahead of time
so that groups can be pre-populated.
In once case I wrote, we use data from the assertion to crate an "OU" that we
include on the userid we generate the ltpa token for. We also, as a matter of
policy, automatically put any user authenticated this way into a specific /Org
so that the possibility of the IdP generating a login path that is an
administrator on the system is removed.
In one case, we modified the $ServerAccess view to include the "@" symbol so
that userids with that symbol were valid and could be used for groups.
In many cases, we use a background process to sync user meta data ahead of time
so that groups can be pre-populated.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy David Kern on 03/18/2013 at 02:00 PM EDT
My previous assumption was correct - browser users can authenticate to the
Domino web server via SAML without a person document. Their session will
contain the name from the SAML assertion, which probably won't match any ACL
entries, leaving them only able to access public resources. You could also pull
tricks with Directory Assistance to perform the name mapping in an external
LDAP directory if you so chose. This behavior would be similar to a DSAPI
filter authenticating a user who doesn't have a person document.
Domino web server via SAML without a person document. Their session will
contain the name from the SAML assertion, which probably won't match any ACL
entries, leaving them only able to access public resources. You could also pull
tricks with Directory Assistance to perform the name mapping in an external
LDAP directory if you so chose. This behavior would be similar to a DSAPI
filter authenticating a user who doesn't have a person document.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 03/18/2013 at 06:59 PM EDT
Thanks. this helps.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Thomas Adrian on 03/16/2013 at 11:50 AM EDT
If you want Domino users, Active Directory users, facebook, twitter or linkedin
users sharing content together take a look at intrapages.
With intrapages you do not need any setup on the Domino server and you can
setup different instances for different people.
http://www.intrapages.com
http://intrpages.openntf.org
users sharing content together take a look at intrapages.
With intrapages you do not need any setup on the Domino server and you can
setup different instances for different people.
http://www.intrapages.com
http://intrpages.openntf.org
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 03/16/2013 at 02:00 PM EDT
Cool. I was thinking along the same lines. I could use their xpages control
to do the oauth authorization, and they have the rest of the app just log them
into domino using my own code once that had been done.
I'm glad someone finished their work for them.
to do the oauth authorization, and they have the rest of the app just log them
into domino using my own code once that had been done.
I'm glad someone finished their work for them.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Jane Marcus on 03/18/2013 at 05:58 PM EDT
Hi Andrew,
Thanks for trying the software!
About your points:
1. There is no generic UI available to configure a SAML IdP other than TFIM or
ADFS, but sometimes the UI can properly set up a partnership with another
vendor's implementation. In the future, we hope to expand the support matrix.
If you give it a try with another vendor's IdP, please let us know if it works
(or doesn't)!
2. The Domino web server can use SAML authentication without any id vault in
the architecture. IBM has 2 other features that use SAML with the id vault,
but the basic Domino web server does not require id vault.
3. The Domino web server doesn't require the user to have a Notes ID and Person
Document on the server. In general, having a Notes ID is optional, depending
on the security features needed by the user. Instead of a Person document on
the server, the Domino web server can point to an LDAP directory that contains
user records. Domino will lookup the user's email address in the user's SAML
assertion. The LDAP directory containing the user's record might also contain
the user's Notes name that would appear on Domino Access Control Lists. If
there is no directory record found for the user, then the user's access to
Domino resources depends on the permissions given in the resource's Access
Control List.
Hope this helps to clarify.
Thanks for trying the software!
About your points:
1. There is no generic UI available to configure a SAML IdP other than TFIM or
ADFS, but sometimes the UI can properly set up a partnership with another
vendor's implementation. In the future, we hope to expand the support matrix.
If you give it a try with another vendor's IdP, please let us know if it works
(or doesn't)!
2. The Domino web server can use SAML authentication without any id vault in
the architecture. IBM has 2 other features that use SAML with the id vault,
but the basic Domino web server does not require id vault.
3. The Domino web server doesn't require the user to have a Notes ID and Person
Document on the server. In general, having a Notes ID is optional, depending
on the security features needed by the user. Instead of a Person document on
the server, the Domino web server can point to an LDAP directory that contains
user records. Domino will lookup the user's email address in the user's SAML
assertion. The LDAP directory containing the user's record might also contain
the user's Notes name that would appear on Domino Access Control Lists. If
there is no directory record found for the user, then the user's access to
Domino resources depends on the permissions given in the resource's Access
Control List.
Hope this helps to clarify.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 03/18/2013 at 07:00 PM EDT
Thank you. I'll roll this up into the presentation I'm giving at BLUG later
this week. These points make your SAML implementation far more likely to be
useful. It nearly matches mine. :-)
I do have a few suggestions for you on the security front. I'll email them to
you so as not to spread ideas around.
Right now I'm in an airport waiting to board a plane so it will need to wait.
this week. These points make your SAML implementation far more likely to be
useful. It nearly matches mine. :-)
I do have a few suggestions for you on the security front. I'll email them to
you so as not to spread ideas around.
Right now I'm in an airport waiting to board a plane so it will need to wait.
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Mark Demicoli on 12/13/2013 at 11:42 AM EST
Any word on whether SAML works with other than TFIM & ADFS? It it just a
matter of entering a correct Single-signin Service URL in the idP config?
thanks!
matter of entering a correct Single-signin Service URL in the idP config?
thanks!
re: Looking at SAML and OAUTH in the Notes and Domino 9 Public BetaBy Andrew Pollack on 12/14/2013 at 01:27 PM EST
Unofficially, I'm told it should work with others and you'll see more options
as the server revs. Generally, I would try the TDS setting first as most SAML
sites are going to be based on the open source java.
as the server revs. Generally, I would try the TDS setting first as most SAML
sites are going to be based on the open source java.
Other Recent Stories...
- 01/26/2023Better Running VirtualBox or VMWARE Virtual Machines on Windows 10+ Forgive me, Reader, for I have sinned. I has been nearly 3 years since my last blog entry. The truth is, I haven't had much to say that was worthy of more than a basic social media post -- until today. For my current work, I was assigned a new laptop. It's a real powerhouse machine with 14 processor cores and 64 gigs of ram. It should be perfect for running my development environment in a virtual machine, but it wasn't. VirtualBox was barely starting, and no matter how many features I turned off, it could ......
- 04/04/2020How many Ventilators for the price of those tanks the Pentagon didn't even want?This goes WAY beyond Trump or Obama. This is decades of poor planning and poor use of funds. Certainly it should have been addressed in the Trump, Obama, Bush, Clinton, Bush, and Reagan administrations -- all of which were well aware of the implications of a pandemic. I want a military prepared to help us, not just hurt other people. As an American I expect that with the ridiculous funding of our military might, we are prepared for damn near everything. Not just killing people and breaking things, but ......
- 01/28/2020Copyright Troll WarningThere's a copyright troll firm that has automated reverse-image searches and goes around looking for any posted images that they can make a quick copyright claim on. This is not quite a scam because it's technically legal, but it's run very much like a scam. This company works with a few "clients" that have vast repositories of copyrighted images. The trolls do a reverse web search on those images looking for hits. When they find one on a site that looks like someone they can scare, they work it like ......
- 03/26/2019Undestanding how OAUTH scopes will bring the concept of APPS to your Domino server
- 02/05/2019Toro Yard Equipment - Not really a premium brand as far as I am concerned
- 10/08/2018Will you be at the NYC Launch Event for HCL Domino v10 -- Find me!
- 09/04/2018With two big projects on hold, I suddenly find myself very available for new short and long term projects.
- 07/13/2018Who is HCL and why is it a good thing that they are now the ones behind Notes and Domino?
- 03/21/2018Domino Apps on IOS is a Game Changer. Quit holding back.
- 02/15/2018Andrew’s Proposed Gun Laws
Person Document on the server. None of the sites I've worked with so far
operate this way. The whole point to having someone else responsible for
authentication is to avoid this."
I had not read this and it makes no sense whatsoever, why use SAML if the SP
still has to manage credentials. Ridiculous!