Slide 1

Build a Collaborative framework for your business applications with HCL Connections Communities

Slide 2

Urs Meli • Senior Software Engineer @Belsoft Collaboration • @umeli • [email protected] • Paraglider
Wannes Rams • Senior Cloud Architect @ISW • HCL Ambassador • Organiser @Let’sConnect • @wannesrams • [email protected] • Table Tennis • Travel

Slide 3

Agenda
• Introduction
• Demo
• How to implement the user interface
• How to implement the tricky stuff

Slide 4

Why are we showing this
• Your tools are fragmented
• No central place to go
• Communities are core to your business
• HCL Connections got your back

Slide 5

Demo

Slide 6

Front End: How to
• App Registry
• Highlights widgets
• Iframes
• Navigation cleanup

Slide 7

App Registry
• Easiest for embedding
• Can be used in Classic and Highlights
• Additional features available

Slide 8

Example Volt Application
• Only needs URL
• Width / Height set to 100%
• Black / Whitelisting per:
  • User
  • Email
  • Regex
  • URL

Slide 9

Highlights Widgets
• Add custom widgets in the Highlights widget bar
• Can only be used in Highlights

Slide 10

Highlights Widgets: Huddo Boards example

Slide 11

iFrame
• Not recommended
• Little control
• Only for internal sites / same domain name or sites you can control

Slide 12

Navigation cleanup
• Using an App Registry application
• Inject CSS and JavaScript

Slide 13

Navigation cleanup

Slide 14

Navigation cleanup

Slide 15

Caution! More technical parts ahead
• Journey from plain Connections to Connections with SSO

Slide 16

New login page for Connections
Diagram: HCL Connections connects to Keycloak / IDP via OIDC.

Slide 17

Keycloak
• Open source Identity and Access Management: https://www.keycloak.org
• Why Keycloak? Connections multi-tenant requirement => we already had positive experience with it, and it’s free.
• Increased security:
  • Brute force detection
  • Multi-factor authentication:
    • OTP authenticator
    • WebAuthn

Slide 18

Connections Support for OIDC
• OIDC is part of WebSphere Security
• Connections needs only minor adjustments
• Desktop plugin and mobile work
• Keycloak can be replaced by any other OIDC-capable identity provider

Slide 19

What else? Connect Domino servers
Diagram: Keycloak / IDP linked to HCL Connections (OIDC), Domino Webapp (SAML), Domino Volt (SAML) and Verse (SAML).

Slide 20

Why?
• Same login experience
• Same security settings
• Works across domains

Slide 21

Setup Domino with SAML
1. Create an Internet Site
2. Export Identity Provider Metadata from Keycloak and import it in idpcat.nsf
3. Export the Service Provider Metadata from idpcat and import it in Keycloak
4. Set any additional mapping

Slide 22

Internet Site – SAML enabled
Once the Internet Site exists, click the «Open IdP Configuration» button to open the idpcat.nsf file. If it does not exist, create it.

Slide 23

Create IDP Config – 1/3
• Identity Provider Metadata is located at https://[host]/auth/realms/[realm]/protocol/saml/descriptor
• Import that file into a new IdP Configuration document

Slide 24

Create IDP Config 2/3
• Select the Internet Site
• Check the Service Provider ID – needs to be consistent with the client ID in Keycloak

Slide 25

Create IDP Config 3/3
• Create and export the Service Provider Metadata
• Give it a unique company name, then export the XML and save the attached ServiceProvider.xml

Slide 26

Keycloak client definition for Domino
• Create a new client and import the ServiceProvider.xml
• Verify the redirect URIs and client ID
• Tricky part - Name ID Format: use email or username; it defines which property of a Keycloak user is used to match a Domino user
• There are SAML-tracer plugins for Firefox and Chrome available which help with debugging
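As an added example that is not part of the presentation, a Python check for the pairing steps on slides 21 to 26: it reads the Keycloak IdP descriptor and the exported ServiceProvider.xml and reports a Service Provider ID that differs from the Keycloak client ID, a Name ID format the IdP does not offer, and a non-https assertion consumer URL. Both metadata documents are constructed, trimmed samples with hypothetical hosts.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed, trimmed samples (hypothetical hosts): the IdP descriptor that
# Keycloak serves at /auth/realms/[realm]/protocol/saml/descriptor, and the
# ServiceProvider.xml exported from idpcat.nsf.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://keycloak.example.com/auth/realms/demo">
  <md:IDPSSODescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://keycloak.example.com/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="domino.example.com">
  <md:SPSSODescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://domino.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_saml_pairing(idp_xml: str, sp_xml: str, keycloak_client_id: str) -> list:
    """Return a list of problems (empty = consistent) for the three things that
    most often break the Domino <-> Keycloak pairing: Service Provider ID vs.
    Keycloak client ID, NameID format overlap, and https on the ACS URL."""
    idp, sp = ET.fromstring(idp_xml), ET.fromstring(sp_xml)
    problems = []
    sp_id = sp.get("entityID")
    if sp_id != keycloak_client_id:
        problems.append(f"Service Provider ID {sp_id!r} != Keycloak client ID {keycloak_client_id!r}")
    idp_formats = {e.text for e in idp.findall("md:IDPSSODescriptor/md:NameIDFormat", NS)}
    sp_formats = {e.text for e in sp.findall("md:SPSSODescriptor/md:NameIDFormat", NS)}
    if not sp_formats & idp_formats:
        problems.append(f"no common NameID format: SP {sorted(sp_formats)} vs IdP {sorted(idp_formats)}")
    for acs in sp.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        if not acs.get("Location", "").startswith("https://"):
            problems.append(f"AssertionConsumerService not https: {acs.get('Location')}")
    return problems
```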

Slide 27

Summary
• Connections, Domino WebApps, Volt and Verse all use the same login now
• Authentication is handled by Keycloak

Slide 28

Where are the credentials?
• Domino? AD? IBM-DS? OpenLDAP? Database? Keycloak?

Slide 29

What’s next? M365?
Diagram: M365 Login Page linked to Keycloak / IDP via SAML; Keycloak / IDP linked to HCL Connections (OIDC), Domino Webapp (SAML), Domino Volt (SAML) and Verse (SAML).

Slide 30

Login Delegation
Diagram: HCL Connections -> Keycloak / IDP (OIDC) -> M365 Login Page (SAML).

Slide 31

Why would you do that?
• Login to HCL Connections, Verse, XPages apps and Volt with your M365 account

Slide 32

Using M365 as Identity Provider
• Create an «App registration» and download the FederationMetadata.xml from Azure
• Create an Identity Broker in Keycloak, import the FederationMetadata.xml and export the ServiceProvider.xml
• In Azure, create a new application «Azure AD SAML Toolkit» and import the ServiceProvider.xml
• Make sure that the email address arrives at Keycloak.

Slide 33

Azure 1/2 – FederationMetadata.xml

Slide 34

Azure 2/2 - FederationMetadata.xml

Slide 35

Keycloak: add new SAML Identity Provider
• Import the FederationMetadata.xml file
• Once the identity provider has been saved, download the ServiceProvider.xml

Slide 36

Azure AD 1/3 - Import ServiceProvider.xml

Slide 37

Azure AD 2/3 – Import ServiceProvider.xml

Slide 38

Azure AD 3/3 – import ServiceProvider.xml

Slide 39

Result so far…
• We now have a «Login with M365» button

Slide 40

Everybody has an M365 account
• Keycloak allows automatic redirect to M365 as shown in the demo
Diagram: HCL Connections -> Keycloak / IDP (OIDC) -> M365 Login Page (SAML).

Slide 41

Why add Keycloak then?
• M365 supports OIDC and SAML. It would be possible to connect Connections and Domino servers directly to M365
• It has been easier for us to set up Keycloak in a test environment
• As Connections or Domino admins, we don’t want to mess up the Azure AD

Slide 42

What’s next?
Diagram: Keycloak / IDP linked to M365 Login Page, HCL Connections, Domino Webapp, Domino Volt, Verse and Other Apps (PowerBI, Power Apps) via SAML/OIDC.

Slide 43

Other Apps
• Every WebApp that supports SAML 2.0 or OIDC/OAuth
• Grafana
• Gitlab
• SugarCRM
• HubSpot
• Zoho
• Salesforce
• Citrix Netscaler
• Atlassian Jira
• …

Slide 44

Is it that easy?
• Setting up authentication is simple as long as the app is able to handle either OIDC or SAML 2
• Displaying app content can be done in 2 ways: Custom Widget or iFrame. Troubles ahead:
  • XSS
  • Custom Widget = development and CORS
  • iFrame = frame options / sandbox / Content-Security-Policies
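As an added example that is not from the presentation, the two embedding controls this slide points at, in Python: an allowlist check in the spirit of the App Registry's per-user / email / regex / URL filtering from slide 8, and the frame-ancestors header the embedded app's own server should send so that only the Connections origin may frame it. All hosts, user names and e-mail patterns are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample policy (hypothetical hosts, users and e-mail patterns):
# which app origins may be embedded and who may see each one.
EMBED_ALLOWLIST = {
    "https://volt.example.com": {"users": None, "email_regex": r"[^@]+@example\.com"},
    "https://boards.example.com": {"users": {"umeli", "wrams"}, "email_regex": None},
}
CONNECTIONS_ORIGIN = "https://connections.example.com"


def origin_of(url: str) -> str:
    """Scheme + lowercase host (+ explicit port) of a URL. Using hostname/port
    instead of the raw netloc keeps 'https://volt.example.com@evil.example/'
    from being read as the Volt origin."""
    p = urlsplit(url)
    host = p.hostname or ""
    return f"{p.scheme}://{host}:{p.port}" if p.port else f"{p.scheme}://{host}"


def is_embed_allowed(app_url: str, user: str, email: str) -> bool:
    """True only if the app's origin is allowlisted over https and the
    per-origin user / e-mail rules admit this viewer."""
    origin = origin_of(app_url)
    if not origin.startswith("https://"):
        return False  # never frame plain-http content in an https page
    rule = EMBED_ALLOWLIST.get(origin)
    if rule is None:
        return False
    if rule["users"] is not None and user not in rule["users"]:
        return False
    # fullmatch, not search: 'urs@example.com.evil.net' must not pass
    if rule["email_regex"] is not None and not re.fullmatch(rule["email_regex"], email):
        return False
    return True


def embedded_app_headers(allowed_ancestors=(CONNECTIONS_ORIGIN,)) -> dict:
    """Response headers for the embedded app's server: frame-ancestors limits
    who may put the app in an iframe (clickjacking / UI-redress defence)."""
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(allowed_ancestors)}
```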

Slide 45

Links
• Keycloak: https://www.keycloak.org
• IBM Documentation on OIDC: https://www.ibm.com/docs/en/was-nd/8.5.5?topic=users-configuring-openid-connect-relying-party
• OIDC requires WAS 8.5.5.21 or an ifix: https://www.ibm.com/support/pages/node/6513845
• HCL Connections and Keycloak: https://opensource.hcltechsw.com/connections-doc/v7/keycloak_authentication_sso/keycloak_auth_sso.html
• Domino SAML authentication: https://help.hcltechsw.com/domino/12.0.0/admin/secu_configuring_nonfederated_saml_authentication.html
• HCL Connections App Registry: https://github.com/hclcnx/customizer/blob/master/docs/HCLConnectionsCustomizer.md
• Creating a custom ICEC widget: https://help.hcltechsw.com/connections/v7/connectors/icec/cec-custom-widget-api.html
• Custom Huddo Boards ICEC widget: https://docs.huddo.com/boards/connections/widgets-on-prem/
• Enabling single sign-on with OIDC for Microsoft Azure AD: https://help.hcltechsw.com/connections/v7/admin/secure/c_azure_oidc_container.html