
Build a Collaborative framework for your business applications with Communities

In this session we will show you business applications from different systems brought together under the collaborative umbrella of a Connections Community: discuss, talk and engage around the applications that drive your business, in context, inside communities. Build small collaborative ecosystems that drive people and the business forward.
We will also show you how to do this. Using Keycloak as an IdP you can log in to Connections with your Office 365 credentials and bring in applications from the Microsoft world on top of the already existing integrations. We will connect to HCL Domino back ends to bring HCL Domino and HCL Volt applications alive inside Communities. Lastly we will show how to add an application from any external system that talks SAML or OIDC.
This session has a non-technical and a technical part, so all are welcome to join.

Presented with Urs Meli at the Engage conference 2022

Wannes Rams

May 30, 2022


Transcript

  1. Build a Collaborative framework for your business applications with HCL Connections Communities
  2. Urs Meli • Senior Software Engineer @Belsoft Collaboration • @umeli • urs.meli@belsoft.ch • Paraglider
     Wannes Rams • Senior Cloud Architect @ISW • HCL Ambassador • Organiser @Let’sConnect • @wannesrams • wannes@isw.net.au • Table Tennis • Travel
  3. Agenda
     • Introduction
     • Demo
     • How to implement the user interface
     • How to implement the tricky stuff
  4. Why are we showing this
     • Your tools are fragmented
     • No central place to go
     • Communities are core to your business
     • HCL Connections got your back
  5. Demo
  6. Front End: How to
     • App Registry
     • Highlights widgets
     • Iframes
     • Navigation cleanup
  7. App Registry
     • Easiest for embedding
     • Can be used in classic and Highlights
     • Additional features available
  8. Example Volt Application
     • Only needs URL
     • Width / Height set to 100%
     • Black / Whitelisting per: User, Email, Regex, URL
  9. Highlights Widgets
     • Add custom widgets in the Highlights widget bar
     • Can only be used in Highlights
  10. Highlights Widgets: Huddo Boards example
  11. iFrame
     • Not recommended
     • Little control
     • Only for internal sites / same domain name or sites you can control
  12. Navigation cleanup
     • Using an App Registry application
     • Inject CSS and JavaScript
  13. Navigation cleanup
  14. Navigation cleanup
  15. Caution! More technical parts ahead
     • Journey from plain Connections to Connections with SSO
  16. New login page for Connections
     (diagram: Keycloak / IdP connected to HCL Connections via OIDC)
  17. Keycloak
     • Open-source Identity and Access Management: https://www.keycloak.org
     • Why Keycloak? Connections multi-tenant requirement => we already had positive experience with it, and it’s free.
     • Increased security:
       • Brute force detection
       • Multi-factor authentication: OTP authenticator, WebAuthn
  18. Connections support for OIDC
     • OIDC is part of WebSphere Security
     • Connections needs only minor adjustments
     • Desktop plugin and mobile work
     • Keycloak can be replaced by any other OIDC-capable identity provider
  19. What else? Connect Domino servers
     (diagram: Keycloak / IdP connected to HCL Connections via OIDC and to Domino Webapp, Domino Volt and Verse via SAML)
  20. Why?
     • Same login experience
     • Same security settings
     • Works across domains
  21. Setup Domino with SAML
     1. Create an Internet Site
     2. Export the Identity Provider Metadata from Keycloak and import it in idpcat.nsf
     3. Export the Service Provider Metadata from idpcat and import it in Keycloak
     4. Set any additional mapping
  22. Internet Site – SAML enabled
     Once the Internet Site exists, hit the «Open IdP Configuration» button to open the idpcat.nsf file. If it does not exist, create it.
  23. Create IDP Config – 1/3
     • Identity Provider Metadata is located at https://[host]/auth/realms/[realm]/protocol/saml/descriptor
     • Import that file into a new IdP Configuration document
  24. Create IDP Config – 2/3
     • Select the Internet Site
     • Check the Service Provider ID – it needs to be consistent with the client ID in Keycloak
  25. Create IDP Config – 3/3
     • Create and export the Service Provider Metadata
     • Give it a unique company name, then export the XML and save the attached ServiceProvider.xml
  26. Keycloak client definition for Domino
     • Create a new client and import the ServiceProvider.xml
     • Verify the redirect URIs and client ID
     • Tricky part – Name ID Format: use email or username; it defines which property of a Keycloak user is used to match a Domino user
     • There are SAML-tracer plugins for Firefox and Chrome available which help with debugging
  27. Summary
     • Connections, Domino WebApps, Volt, Verse all use the same login now
     • Authentication is handled by Keycloak
  28. Where are the credentials?
     • Domino? AD? IBM-DS? OpenLDAP? Database? Keycloak?
  29. What’s next? M365?
     (diagram: M365 login page connected to Keycloak / IdP via SAML; Keycloak / IdP connected to HCL Connections via OIDC and to Domino Webapp, Domino Volt and Verse via SAML)
  30. Login delegation
     (diagram: M365 login page connected to Keycloak / IdP via SAML; Keycloak / IdP connected to HCL Connections via OIDC)
  31. Why would you do that?
     • Log in to HCL Connections, Verse, XPages apps, Volt with your M365 account
  32. Using M365 as Identity Provider
     • Create an «App registration» and download the FederationMetadata.xml from Azure
     • Create an Identity Broker in Keycloak, import the FederationMetadata.xml and export the ServiceProvider.xml
     • In Azure, create a new application «Azure AD SAML Toolkit» and import the ServiceProvider.xml
     • Make sure that the email address arrives at Keycloak
  33. Azure 1/2 – FederationMetadata.xml
  34. Azure 2/2 – FederationMetadata.xml
  35. Keycloak: add new SAML Identity Provider
     • Import the FederationMetadata.xml file
     • Once the identity provider has been saved, download the ServiceProvider.xml
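Both metadata exchanges in the deck (Domino and Keycloak in slides 21 to 26, Keycloak and Azure AD in slides 32 to 35) come down to the same handful of fields that have to agree on both sides: the SP entityID must equal the client ID, the Name ID format the SP matches users on must be one the IdP actually issues, and the IdP must publish a signing certificate and an https SSO endpoint. The checker below is an added example, not code from the talk, HCL, Keycloak or Microsoft. The two XML documents are constructed samples with placeholder hosts, paths and a dummy certificate value; they follow the shape of the Keycloak descriptor published at the `/auth/realms/[realm]/protocol/saml/descriptor` URL named on slide 23, and of an SP export.

```python
"""Sanity checks on a SAML IdP/SP metadata pair before importing it.

Added example for the metadata exchanges in the deck (Domino <-> Keycloak and
Keycloak <-> Azure AD); not code from the talk, HCL, Keycloak or Microsoft.
The two XML documents are constructed samples with placeholder hosts and a
dummy certificate value.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP descriptor in the shape of Keycloak's
# /auth/realms/<realm>/protocol/saml/descriptor output (hosts are placeholders).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBPLACEHOLDERNOTAREALCERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata in the shape of an idpcat export (paths are placeholders).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://domino.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://domino.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp(xml_text):
    """Pull the fields the SP admin has to trust out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if (c.text or "").strip():
                    certs.append(c.text.strip())
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    formats = [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)]
    return {"entity_id": root.get("entityID"), "certs": certs, "sso": sso, "formats": formats}


def parse_sp(xml_text):
    """Pull the fields the IdP admin has to check out of SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs": [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)],
        "formats": [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)],
        "want_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
    }


def check_pair(idp_xml, sp_xml, keycloak_client_id, name_id_format=EMAIL_FMT):
    """Return a list of findings; an empty list means the pair is consistent.

    keycloak_client_id is the client ID configured on the Keycloak side; it must
    equal the SP entityID (the Service Provider ID in idpcat). name_id_format is
    the NameID the SP matches users on (email, or username via 'unspecified')."""
    idp, sp = parse_idp(idp_xml), parse_sp(sp_xml)
    findings = []
    if not idp["certs"]:
        findings.append("IdP metadata has no signing certificate, assertions cannot be verified")
    if not (REDIRECT_BINDING in idp["sso"] or POST_BINDING in idp["sso"]):
        findings.append("IdP offers neither HTTP-Redirect nor HTTP-POST SingleSignOnService")
    for binding, loc in idp["sso"].items():
        if not (loc or "").startswith("https://"):
            findings.append(f"SSO endpoint for {binding} is not https: {loc}")
    if sp["entity_id"] != keycloak_client_id:
        findings.append(f"SP entityID {sp['entity_id']!r} does not match Keycloak client ID {keycloak_client_id!r}")
    if name_id_format not in sp["formats"]:
        findings.append(f"SP does not request NameIDFormat {name_id_format}")
    if name_id_format not in idp["formats"]:
        findings.append(f"IdP does not advertise NameIDFormat {name_id_format}")
    if not sp["acs"]:
        findings.append("SP metadata has no AssertionConsumerService")
    for loc in sp["acs"]:
        if not (loc or "").startswith("https://"):
            findings.append(f"AssertionConsumerService is not https: {loc}")
    if not sp["want_signed"]:
        findings.append("SP does not set WantAssertionsSigned=true")
    return findings


if __name__ == "__main__":
    result = check_pair(IDP_METADATA, SP_METADATA, "https://domino.example.test/saml")
    for line in result or ["metadata pair is consistent"]:
        print(line)
```

Run it against the real files by reading the downloaded descriptor and ServiceProvider.xml into `check_pair` in place of the constructed strings; the client ID argument is whatever you typed into the Keycloak client. A mismatch on the Name ID format is the case slide 26 calls the tricky part: the login appears to succeed at Keycloak and then fails at Domino because the asserted identifier does not map to a Domino user, which is exactly where a SAML-tracer capture would show the wrong `NameID` element.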
  36. Azure AD 1/3 – Import ServiceProvider.xml
  37. Azure AD 2/3 – Import ServiceProvider.xml
  38. Azure AD 3/3 – Import ServiceProvider.xml
  39. Result so far…
     • We now have a «Login with M365» button
  40. Everybody has an M365 account
     • Keycloak allows automatic redirect to M365 as shown in the demo
     (diagram: M365 login page connected to Keycloak / IdP via SAML; Keycloak / IdP connected to HCL Connections via OIDC)
  41. Why add Keycloak then?
     • M365 supports OIDC and SAML. It would be possible to connect Connections and Domino servers directly to M365
     • It has been easier for us to set up Keycloak in a test environment
     • As Connections or Domino admins, we don’t want to mess up the Azure AD
  42. What’s next?
     (diagram: M365 login page connected to Keycloak / IdP; Keycloak / IdP connected to HCL Connections, Domino Webapp, Domino Volt, Verse and other apps such as PowerBI and Power Apps via SAML/OIDC)
  43. Other Apps
     • Every web app that supports SAML 2.0 or OIDC/OAuth
     • Grafana • GitLab • SugarCRM • HubSpot • Zoho • Salesforce • Citrix NetScaler • Atlassian Jira • …
  44. Is it that easy?
     • Setting up authentication is simple as long as the app is able to handle either OIDC or SAML 2
     • Displaying app content can be done in two ways: custom widget or iFrame. Troubles ahead:
       • XSS
       • Custom widget = development and CORS
       • iFrame = frame options / sandbox / Content Security Policies
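Whether the iFrame route on slide 44 works at all is decided by the external app's response headers, and the two relevant headers do not simply add up: a `Content-Security-Policy` with a `frame-ancestors` directive takes precedence and makes the browser ignore `X-Frame-Options`, while an `ALLOW-FROM` value is no longer understood by current browsers and is dropped. The evaluator below applies those rules to a set of headers so you can tell in advance which apps can go into an iFrame and which need a custom widget (and thus CORS work). It is an added example, not code from the talk or from HCL; the origins and header sets are constructed, and scheme matching for host sources without a scheme is simplified to "any scheme" (browsers are slightly stricter).

```python
"""Decide from its response headers whether an external app can be framed.

Added example for the iFrame / frame options / CSP point in the deck; not code
from the talk or from HCL. Origins and header values are constructed.
Implements the browser precedence rule: a CSP frame-ancestors directive, when
present, overrides X-Frame-Options. Scheme handling is simplified: a host
source without an explicit scheme matches any scheme.
"""
from urllib.parse import urlsplit


def _origin_parts(origin):
    """Split 'https://host:port' into (scheme, host, port) with the default port filled in."""
    u = urlsplit(origin)
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.scheme.lower(), (u.hostname or "").lower(), port


def _source_matches(src, embedder, page):
    """Match one frame-ancestors source expression against the embedding origin."""
    src = src.strip().lower()
    e_scheme, e_host, e_port = _origin_parts(embedder)
    if src == "'none'":
        return False
    if src == "'self'":
        return (e_scheme, e_host, e_port) == _origin_parts(page)
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:        # scheme source such as "https:"
        return e_scheme + ":" == src
    scheme = None
    if "://" in src:                                # host source with explicit scheme
        scheme, src = src.split("://", 1)
    host, _, port = src.partition(":")
    if scheme and scheme != e_scheme:
        return False
    if port and port != "*" and port != str(e_port):
        return False
    if host.startswith("*."):                       # wildcard covers subdomains only
        return e_host.endswith(host[1:])
    return e_host == host


def frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP header, or None if absent.

    A bare 'frame-ancestors' with no sources means 'none' per the CSP spec."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] or ["'none'"]
    return None


def can_embed(headers, page_origin, embedder_origin):
    """Return (allowed, reason) for framing page_origin from embedder_origin.

    headers: the response headers of the page to embed, as a dict."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h["content-security-policy"]) if "content-security-policy" in h else None
    if sources is not None:                         # CSP wins; X-Frame-Options is ignored
        allowed = any(_source_matches(s, embedder_origin, page_origin) for s in sources)
        return allowed, "frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        same = _origin_parts(page_origin) == _origin_parts(embedder_origin)
        return same, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):                # dropped by current browsers, so no restriction
        return True, "X-Frame-Options: ALLOW-FROM is obsolete and ignored; use frame-ancestors"
    return True, "no framing restriction sent; any site can embed this page"


# Constructed header sets for three hypothetical external apps.
SAMPLE_APPS = {
    "https://grafana.example.test": {"X-Frame-Options": "DENY"},
    "https://crm.example.test": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://connections.example.test",
        "X-Frame-Options": "DENY",
    },
    "https://legacy.example.test": {},
}

if __name__ == "__main__":
    for page, hdrs in SAMPLE_APPS.items():
        ok, why = can_embed(hdrs, page, "https://connections.example.test")
        print(f"{page}: {'embeddable' if ok else 'blocked'} ({why})")
```

The third sample is the case to watch on the defending side: an app that sends no framing header at all is embeddable by anyone, not just by Connections, so the fix for it is to have the app send `Content-Security-Policy: frame-ancestors 'self' https://<connections-host>` rather than to rely on the iFrame working. Feed the function the headers from a real response (for example from `requests` or the browser's network panel) to get the same verdict for a production app.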
  45. Links
     • Keycloak: https://www.keycloak.org
     • IBM Documentation on OIDC: https://www.ibm.com/docs/en/was-nd/8.5.5?topic=users-configuring-openid-connect-relying-party
     • OIDC requires WAS 8.5.5.21 or an iFix: https://www.ibm.com/support/pages/node/6513845
     • HCL Connections and Keycloak: https://opensource.hcltechsw.com/connections-doc/v7/keycloak_authentication_sso/keycloak_auth_sso.html
     • Domino SAML authentication: https://help.hcltechsw.com/domino/12.0.0/admin/secu_configuring_nonfederated_saml_authentication.html
     • HCL Connections App Registry: https://github.com/hclcnx/customizer/blob/master/docs/HCLConnectionsCustomizer.md
     • Creating a custom ICEC widget: https://help.hcltechsw.com/connections/v7/connectors/icec/cec-custom-widget-api.html
     • Custom Huddo Boards ICEC widget: https://docs.huddo.com/boards/connections/widgets-on-prem/
     • Enabling single sign-on with OIDC for Microsoft Azure AD: https://help.hcltechsw.com/connections/v7/admin/secure/c_azure_oidc_container.html