Build a Collaborative framework for your business applications with Communities

Transcript

1. Build a Collaborative framework for your business applications with HCL

   Connections Communities

2. Urs Meli • Senior Software Engineer @Belsoft Collaboration • @umeli

   • [email protected] • Paraglider Wannes Rams • Senior Cloud Architect @ISW • HCL Ambassador • Organiser @Let’sConnect • @wannesrams • [email protected] • Table Tennis • Travel

3. Agenda • Introduction • Demo • How to implement the

   user interface • How to implement the tricky stuff

4. Why are we showing this • Your tools are fragmented

   • No central place to go • Communities are core to your business • HCL Connections got your back

5. Demo

6. Front End: How to • App Registry • HighLights widgets

   • Iframes • Navigation cleanup

7. App Registry • Easiest for embedding • Can be used

   in classic and higlights • Additional features available

8. Example Volt Application • Only needs URL • Width /

   Height set to 100% • Black / Whitelisting per: • User • Email • Regex • url

9. Highlights Widgets • Add custom widgets in the Highlights widget

   bar • Can only be used in Highlights

10. Highlights Widgets: Huddo Boards example

11. iFrame • Not recommended • Little controls • Only for

    internal sites / Same domain name or sites you can control

12. Navigation cleanup • Using an App Registry application • Inject

    CSS and Javascript

13. Navigation cleanup

14. Navigation cleanup

15. Caution ! More Technical parts ahead • Journey from plain

    Connections to Connections with SSO

16. New Loginpage for Connections Keycloak / IDP HCL Connections OIDC

17. Keycloak • OpenSource Identity and Access Managment: https://www.keycloak.org • Why

    Keycloak? Connections Multi Tenant requirement => We already had positive experience with it, and it’s free. • Increased Security: • Brute Force Detection • MultiFactor Authentication: • OTP Authenticator • WebAuthN

18. Connections Support for OIDC • OIDC is part of WebSphere

    Security • Connections needs only minor adjustments • Desktop plugin and mobile work • Keycloak can be replaced by any other OIDC capable identity provider

19. What else ? Connect Domino Servers Keycloak / IDP HCL

    Connections Domino Webapp Domino Volt Verse SAML OIDC SAML SAML

20. Why ? • Same Login experience • Same Security Settings

    • Works across domains

21. Setup Domino with SAML • 1. Create an Internet Site

    • 2. Export Identity Provider Metadata from Keycloak and import it in idpcat.nsf • 3. Export the Service Provider Metadata from idpcat and import it in Keycloak • 4. Set any additional mapping

22. Internet Site – SAML enabled Once the Internet Site exists.

    Hit the «Open IdP Configuration» button to open the idpcat.nsf file. If it does not exist, create it.

23. Create IDP Config – 1/3 • Identity Provider Metadata is

    located in https://[host]/auth/realms/[realm]/protocol/saml/descriptor • Import that file into a new Idp Configuration document

24. Create IDP Config 2/3 • Select the internet site •

    Check the Service Provider ID – needs to be consistent with the client ID in Keycloak

25. Create IDP Config 3/3 • Create and export the ServiceProvider

    Metadata • Give it a unique Company name, then export the xml and save the attached ServiceProvider.xml

26. Keycloak client definition for Domino • Create a new client

    and import the ServiceProvider.xml • Verify the redirect URIs and client ID • Tricky part - Name ID Format: use email or username, defines which property from a keycloak user is used to match a Domino user • There are SAML-Tracer plugins for FireFox and Chrome available which help with debugging

27. Summary • Connections, Domino WebApps, Volt, Verse all use the

    same login now • Authentication is handled by Keycloak

28. Where are the Credentials? • Domino? AD? IBM-DS? OpenLDAP? Database

    ? Keycloak ?

29. What’s next ? M365 ? Keycloak / IDP M365 Login

    Page HCL Connections Domino Webapp Domino Volt Verse OIDC SAML SAML SAML SAML

30. Login Delegation Keycloak / IDP M365 Login Page HCL Connections

    OIDC SAML

31. Why would you do that ? • Login to HCL

    Connections, Verse, Xpages Apps, Volt with your M365 Account

32. Using M365 as Identity Provider • Create an «App registration»

    and download the FederationMetadata.xml from Azure • Create Identity Broker in keycloak and import the FederationMetadata.xml and export the ServiceProvider.xml • In Azure, create a new application «Azure AD SAML Toolkit» and import the ServiceProvider.xml • Make sure that the email address arrives at keycloak.

33. Azure 1/2 – FederationMetadata.xml

34. Azure 2/2 - FederationMetadata.xml

35. Keycloak add new SAML Identity Provider • Import the FederationMetadata.xml

    file • Once the identity provider has been saved, download the ServiceProvider.xml

36. Azure AD 1/3 - Import ServiceProvider.xml

37. Azure AD 2/3 – Import ServiceProvider.xml

38. Azure AD 3/3 – import ServiceProvider.xml

39. Result so far… • We now have a «Login with

    M365» button

40. Everybody has M365 Account • Keycloak allows automatic redirect to

    the M365 as shown in the demo Keycloak / IDP M365 Login Page HCL Connections OIDC SAML

41. Why add Keycloak then ? • M365 supports OIDC and

    SAML. It’s be possible to connect Connections and Domino servers directly to M365 • It has been easier for us to setup Keycloak in a test environment • As Connections or Domino Admins, we don’t want to mess up the Azure AD J

42. What’s next ? Keycloak / IDP M365 Login Page HCL

    Connections Domino Webapp Domino Volt Verse Other Apps PowerBI Power Apps SAML/OIDC

43. Other Apps • Every WebApp that supports SAML 2.0 or

    OIDC/OAUTH • Grafana • Gitlab • SugarCRM • HubSpot • Zoho • Salesforce • Citrix Netscaler • Atlassian Jira • …

44. Is it that easy ? • Setting up authentication is

    simple as long as the app is able to handle either OIDC or SAML 2 • Display app content can be done in 2 ways. Custom Widget or iFrame. Troubles ahead: • XSS • Custom Widget = Development and CORS • iFrame = Frameoptions / sandbox / Content-Security-Policies

45. Links • Keycloak: https://www.keycloak.org • IBM Documentation on OIDC: https://www.ibm.com/docs/en/was-nd/8.5.5?topic=users-configuring-openid-connect-relying-party

    • OIDC requires WAS 8.5.5.21 or an ifix: https://www.ibm.com/support/pages/node/6513845 • HCL Connections and Keycloak: https://opensource.hcltechsw.com/connections-doc/v7/keycloak_authentication_sso/keycloak_auth_sso.html • Domino SAML authenticaton: https://help.hcltechsw.com/domino/12.0.0/admin/secu_configuring_nonfederated_saml_authentication.html • HCL Connections App Registry https://github.com/hclcnx/customizer/blob/master/docs/HCLConnectionsCustomizer.md • Creating a custom ICEC widget https://help.hcltechsw.com/connections/v7/connectors/icec/cec-custom-widget-api.html • Custom Huddo Boards ICEC widget https://docs.huddo.com/boards/connections/widgets-on-prem/ • Enabling single sign-on with OIDC for Microsoft Azure AD https://help.hcltechsw.com/connections/v7/admin/secure/c_azure_oidc_container.html