Slide 1

Copyright © 2021 HCL Technologies Limited | www.hcltech.com

Domino, Active Directory Synchronization and Single Sign On Explained
Hosted by: Keith Brooks & Heather Hottenstein

Slide 3

Keith Brooks
CEO, B2B Whisperer
keith@b2bwhisperer.com
HCL Ambassador, IBM Champion
Dabbling in Notes & Domino Administration for 30 years
Really misses Quickr & Domino.Doc
https://blog.vanessabrooks.com
Twitter: @Lotusevangelist

Slide 4

Heather Hottenstein
Technical Advisor, HCL Software

Slide 5

Directories
- X.500 – 1988
- Notes Name & Address Book – 1989
- Netware Directory Services – 1993
- Active Directory – 2000

Slide 6

Multiple systems – Multiple Problems
- Administrators have to register people and manage groups in multiple places
- Users have to remember multiple user names and passwords

Slide 7

AD / Domino Data Synchronization
Domino v11
• People
• Groups
Domino 12
• Passwords

Password Synchronization is NOT Single Sign On!

Slide 8

Directory Sync (R12)

"This feature replaces the older Active Directory Synchronization feature, which is now deprecated. The new Directory Sync feature is a simpler, more effective synchronization tool."
- https://help.hcltechsw.com/domino/12.0.0/admin/conf_adsync.html

Directory Sync includes the following components:
1. LDAP Directory Assistance document created in a Directory Assistance (da.nsf) database that is enabled for Directory Sync.
2. Directory Sync Configuration document created in the Directory Sync view of the Domino directory. This document controls which Active Directory fields to sync with Domino, along with some other options.
3. The server task, Dirsync, which runs only on the Domino administration server and connects to the Active Directory server regularly to pull person and group changes into the Domino directory.
4. The ability to register Active Directory users in Domino.
5. The ability for administrators to rename registered Domino users when their names change in Active Directory.

NOTE: You must approve the Administration Request in admin4.nsf as usual.

Slide 9

Directory Sync Components
- LDAP directory assistance document – da.nsf
- Directory Sync Configuration document – names.nsf
- DirSync – server task on the Domino administration server
- Ability to register AD users in Domino
- Ability to rename registered Domino users

Slide 10

LDAP directory assistance document – da.nsf

Pro Tip: Confirm the Domino server can connect to the AD server before starting.

Slide 11

Directory Sync Configuration document – names.nsf

Slide 12

Dir Sync Task

    Load dirsync

    ServerTasks=Replica,Router,Update,Adminp,HTTP,DirSync

Pro Tip: Use a Configuration Settings document to manage notes.ini settings.

Slide 13

Operational Attributes – AD Person & Group Documents in names.nsf
• objectGUID – A hex representation of the Active Directory internal attribute of the same name (objectGUID). Similar to a Domino UNID, it is an attribute that never changes, even for renames or moves.
• $$DirsyncDigest – A digest of all the dirsync config options. This is used to invalidate the document in the event that options change.
• $$DirsyncDomain – The Domain name in the Dirsync Config doc that created the document. It is essentially a "tag" indicating the source it came from. Again, this is used to invalidate documents along with the digest.
• $$LDAPDN – The exact Active Directory (LDAP) Distinguished Name (e.g. "CN=Von Mayo,OU=Generated Users,DC=pnpdomadtest,DC=com"). This is used to help map an LDAP DN to a regular Notes DN.

Slide 14

New Views – names.nsf
- $$LDAPGUID – A view used to find a Domino record by objectGUID
- $$LDAPDN – A view used to find the Notes DN of a given AD LDAP DN

Slide 15

Registering Active Directory users in Domino

When you use Directory Sync, you can register Active Directory users in Domino to create mail files and Notes IDs for them.
1. From the Domino Administrator, click the People & Groups tab.
2. Select the names of the Active Directory user or users to register.
3. Right-click and select Register Selected Person.
4. When you see the prompt "Use the current Active Directory contact record for <user>", click Yes.

NOTE: If you are registering multiple users, after you enter the certifier password you are continually prompted for the next user in the selected list, and their names are pre-filled in the dialog.

Slide 16

New Users
Active Directory -> Domino Register

Slide 17

User Renames
Non-registered
• Active Directory -> Person document
Registered
• Active Directory -> AdminP

Slide 18

Groups
• Global Security Group -> ACL Only
• Global Distribution Group -> Mail Only

Slide 19

Deletions – Full Synchronization
- Non Registered Users
- Groups
- Registered Users

Slide 20

Active Directory Password Synchronization

Applies the Windows passwords of users registered in an Active Directory domain to their Domino HTTP and/or Notes ID passwords. This is useful for environments that do not use SAML authentication and want to unlock Notes IDs and apply their Active Directory passwords.

Note: Domino's method of obtaining the Active Directory password through a Microsoft API is the only secure method available. The LDAP protocol cannot be used for this purpose.

Password synchronization is supported for:
• Registered HCL Notes, HCL Nomad, HCL Verse, and HCL iNotes users accessing Domino servers with HTTP passwords or Notes IDs.
• Web users who are not registered in Domino but who have Person documents in the Domino directory, used for accessing Domino web applications with HTTP passwords.

Slide 21

AD Controller Password Sync Components
• Domino Utility server registered and installed
  • Note: Does not run, but does get set up
• Domino Configuration Directory
• Directory Assistance Database (New)
• Domino Password Library (npwsync.dll)
• Request Creator (names.nsf)
• Password Change Request Database – adpwsync.nsf

Slide 22

Domino Domain Server Password Sync Components
• Request Processor (names.nsf)
• Configuration Settings document (names.nsf)
• Password Change Request Database – adpwsync.nsf
• Directory Assistance Database (New)
• ID Vault

Slide 23

Domino Directory Documents

Slide 24

Password Flow – AD Controller

Local Security Authority
➢ Processes password change in AD
➢ Passes user name and password to Domino Password Library

Domino Password Library
➢ Finds objectGUID from user's AD document
➢ Uses Directory Assistance database to find objectGUID in Domino Directory
➢ Creates document in Password Change Request database that contains the objectGUID and password
➢ Copies document to Request Processor's Password Change Request database

Slide 25

Password Flow – Domino Request Processor

Server sees new request
➢ Uses objectGUID to find Person document in names.nsf
➢ Updates Internet Password in Person document in names.nsf of administration server
➢ Updates Notes ID Password in ID Vault

NOTE: All passwords can be synced except ones that begin with an open parenthesis. For example, the password "(mypassword" cannot be synced.
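As an added example (not HCL's code), a Python model of the two-sided password flow on slides 24 and 25: the AD-controller side resolves the user's objectGUID and emits a change request, the Domino side finds the Person document by that objectGUID and updates the HTTP and ID Vault passwords, and requests for passwords beginning with "(" are refused. The document fields, the Notes DN and the password hash format are assumptions for illustration.

```python
# Added example (not HCL's code): toy model of the Domino AD password sync flow.
# Document/field names and the hash format are assumptions for illustration.
import hashlib
import os

# Constructed sample data. AD returns objectGUID as 16 raw bytes; Domino keeps
# a hex representation of it in the Person document (slide 13).
AD_USERS = {
    "vmayo": {
        "objectGUID": bytes.fromhex("0123456789abcdef0123456789abcdef"),
        "distinguishedName": "CN=Von Mayo,OU=Generated Users,DC=pnpdomadtest,DC=com",
    }
}
NAMES_NSF = [  # Person documents in the administration server's names.nsf
    {"FullName": "CN=Von Mayo/O=ExampleOrg",  # assumed Notes DN
     "objectGUID": "0123456789ABCDEF0123456789ABCDEF",
     "$$LDAPDN": "CN=Von Mayo,OU=Generated Users,DC=pnpdomadtest,DC=com",
     "HTTPPassword": None}
]
ID_VAULT = {"CN=Von Mayo/O=ExampleOrg": None}  # Notes ID password state per vaulted ID


def directory_assistance_lookup(guid_hex):
    """Stand-in for the DA lookup: find the Person doc via the $$LDAPGUID view."""
    return next((p for p in NAMES_NSF if p["objectGUID"] == guid_hex), None)


def password_library(username, new_password):
    """AD controller side (npwsync.dll): the LSA hands over name and password;
    the library resolves the objectGUID and builds a Password Change Request."""
    if new_password.startswith("("):   # slide 25: such passwords are not synced
        return None
    guid_hex = AD_USERS[username]["objectGUID"].hex().upper()
    if directory_assistance_lookup(guid_hex) is None:
        return None                    # no matching Domino user, so no request
    return {"objectGUID": guid_hex, "password": new_password}  # -> adpwsync.nsf


def request_processor(request):
    """Domino side: find the Person doc by objectGUID, then update the Internet
    password in names.nsf and the Notes ID password in the ID Vault."""
    person = directory_assistance_lookup(request["objectGUID"])
    if person is None:
        return False
    salt = os.urandom(16)   # salted PBKDF2 stands in for Domino's own hash format
    digest = hashlib.pbkdf2_hmac("sha256", request["password"].encode(), salt, 100_000)
    person["HTTPPassword"] = salt.hex() + ":" + digest.hex()
    ID_VAULT[person["FullName"]] = "password set"  # real vault re-protects the ID file
    return True
```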

Slide 26

Password Sync… Is NOT Single Sign On

The Notes Client Single Logon feature is deprecated in Domino 12, and where it is still used on pre-Notes 12 clients, it is not compatible with password synchronization.

HCL Nomad mobile users can benefit from password synchronization, as can disconnected, offline users who can't connect to an Active Directory domain controller.

But what you really want is… SAML

Slide 27

SAML
https://help.hcltechsw.com/domino/12.0.0/admin/secu_using_security_assertion_markup_language_saml_to_configure_federated_identity_authentication_t.html

Security Assertion Markup Language (SAML) is used to configure federated-identity authentication. Federated identity achieves single sign-on and reduces administrative costs.

SAML authentication allows a user to authenticate once with a designated identity provider (IdP), after which the user can access any server that is partnered with the IdP. Both Notes client and web client users can make use of SAML-based authentication.

The IdP determines the method of the one-time authentication; it might prompt the user for a password, or use a non-password authentication method such as Integrated Windows Authentication (SPNEGO/Kerberos) for users within an intranet.

Domino includes support for SAML 2.0 AuthNRequest-capable IdPs. Domino has been tested with Microsoft Active Directory Federation Services (ADFS). ADFS versions 3, 4 and 5 are supported with Domino.

Slide 28

When To Use SAML

There are four cases in which your organization may need SAML authentication configurations.
1. For Notes client users on Windows, Mac or Citrix, SAML authentication can be configured to authenticate users to the ID vault. With this configuration, when users launch the Notes client, they are presented with a login page from the IdP to authenticate and download their IDs from the ID Vault. This configuration is referred to as Notes Federated Login (NFL).
2. For Notes client users on Windows or Citrix whose operating systems are joined to a Microsoft Active Directory domain, SAML authentication can facilitate a single sign-on solution, with Active Directory Federation Services (ADFS) configured for Integrated Windows Authentication (IWA).
   • SAML authentication at Notes client startup is referred to as Notes federated login with Integrated Windows Authentication (IWA).
   • The HTTP server task does not need to be run on the Domino vault server, because the HTTP portion of SAML is handled within the Notes client.
3. For web client users such as HCL iNotes users or HCL Verse users, SAML authentication also facilitates a single sign-on solution in which the user's ID file is downloaded from the Notes ID vault.
   • This type of SAML authentication is referred to as Web federated login and allows iNotes or Verse users to use secure mail operations.
4. For users of other applications on Web servers, SAML-based single sign-on is an alternative to another method of single sign-on (SSO) already available in Domino: multi-session server authentication.
   • SAML is most useful when your Domino environment includes third-party Web applications whose services your users access, or if multi-session server authentication is too limiting for your organization, for example if the target environment requires SSO across DNS domains.

Slide 29

Questions
Keith Brooks – keith@b2bwhisperer.com
Heather Hottenstein – heather.hottenstein@hcl.com
