Introduction
Users who want to deploy and try out the Notes federated login first need to understand that Notes federated login actually relies on SAML (Security Assertion Markup Language) to provide single sign-on. It also helps to understand the term "federated identity", because one step of the configuration and deployment process is to establish a federated identity. This article introduces both SAML and federated identity to lead users into the topic of Notes federated login, then explains the principle behind it and walks through an example deployment, so that users understand how to deploy and use this new feature of IBM Domino/Notes 9.0: Notes federated login.
Terms related to Notes federated login
Conceptually, Notes federated login belongs to the category of single sign-on. There are many ways to implement single sign-on, and single sign-on via SAML is one of the currently popular methods; the Notes federated login implementation is likewise built on SAML. In addition, to better understand Notes federated login, one more term must be known before starting to deploy it: federated identity.
SAML and single sign-on
SAML provides a robust and extensible set of data formats; in other words, SAML is an XML framework together with a set of protocols and specifications. This framework enables the exchange of authentication and identity data across a variety of environments (it can be used, for example, to convey an enterprise user's identity credentials).
Single sign-on is abbreviated SSO. SSO is defined, in an environment with multiple application systems, as the ability for a user to log in once and then access all of the trusted applications. Many products offer web single sign-on, but a standard is needed to make this work across different products, and that is one of the areas SAML addresses.
The SAML standard defines two roles. One is the Identity Provider (IdP), which is usually responsible for creating, maintaining and managing user authentication; the other is the Service Provider (SP), which controls whether the user may use the services and resources the SP provides. The configuration and deployment sections below describe both in more detail.
Federated identity
Federated identity satisfies the SAML definition: a federated identity combines the same user's data from separate data sources. This is easy to understand with the example application below. We link a domain user with an IBM Notes user, one unique domain user to one IBM Notes user, and combine that user's data so that once the domain user has logged in to the domain, they can also access and use resources in IBM Notes without entering the corresponding IBM Notes user name and password. In other words, in the example application below we use the domain user to log in to IBM Notes and authenticate, in order to connect to and use IBM Domino Server resources.
Notes Federated Login Principle
Notes federated login can be described simply as follows: once a user has been authenticated with one set of user name and password at the designated IdP, that user can access any SP server that has a partner relationship with that IdP (the whole process is based on SAML). IdP and SP are explained in the previous section. In the example application in the following section, the IdP side is the AD FS 2.0 provided by Windows Server 2008 R2, and the SP side is the IBM Domino Server.
The IBM Notes client leverages the SAML authentication mechanism and relies on XML identity assertions to complete the Notes federated login. The central content of this chapter, the principle of Notes federated login, can be understood by reading the following text together with Figure 1.
As shown in the figure, the user first logs on to the IBM Notes client and wants to access the corresponding SP, the IBM Domino Server. On the IBM Domino Server there is an IdP catalog application (IDPCAT.NSF) that accepts the access request from the client and, based on the IdP configuration document in that application, forwards the logon request and the logon user information (in the SAML format) to the IdP server, where the IdP confirms whether the user may access resources on the SP server. Once the IdP has this information, it sends the confirmed information back in the same way, and the IdP catalog application (IDPCAT.NSF) on the IBM Domino Server is used to determine whether the Domino server should trust the SAML assertion from the specified IdP (the IdP catalog application stores the public key of the specified IdP, which is used to determine whether the SAML assertion really comes from that IdP). IBM Domino Server then decides, based on the returned SAML assertion, whether to allow the user access to resources on this server.
Figure 1. Notes Federated Login
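The trust decision described above, on the SP side, comes down to a set of checks on the returned assertion. The following is an added example, not IBM Domino/Notes code: it parses a constructed SAML Response and accepts it only if the issuer is the configured IdP, the assertion carries a signature, its validity window contains the current time, and its audience is this SP. The entity IDs and the Response text are made-up placeholders; cryptographic verification of the XML signature against the stored IdP certificate is left to an XML-DSig library and is not shown.

```python
"""SP-side checks on a SAML Response. Added example, not IBM Domino/Notes code;
the entity IDs and the Response below are constructed for illustration."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRUSTED_IDP = "http://adfs.example.test/adfs/services/trust"  # as configured for the IdP
SP_ENTITY_ID = "https://domino.example.test"                  # this Domino server (assumed)
# Constructed Response, shaped like what an IdP such as AD FS returns to the SP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://domino.example.test</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_idp, sp_entity_id, now):
    """Return (accepted, reason, name_id). Only an assertion issued by the configured
    IdP, addressed to this SP and inside its validity window is accepted; the
    ds:Signature itself must still be verified against the IdP certificate."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    if assertion.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        return False, "untrusted issuer", None      # not the IdP we partnered with
    if assertion.find("ds:Signature", NS) is None:
        return False, "unsigned assertion", None    # nothing to establish trust on
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no conditions", None
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return False, "outside validity window", None  # expired or presented too early
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "wrong audience", None        # minted for a different SP
    return True, "ok", assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```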