Build a Collaborative framework for your business applications with Communities

In this session we will show you business applications from different systems brought together under the collaborative umbrella of a Connections Community. Discuss, talk and engage around the applications that drive your business, in context, inside communities. Build small collaborative ecosystems that drive people and the business forward.
We will also show you how to do this. Using Keycloak as an IdP you can log in to Connections using your Office 365 credentials and bring in applications from the Microsoft world on top of the already existing integrations. We will connect to HCL Domino backends to bring HCL Domino and HCL Volt applications alive inside Communities. And lastly we will show how to add an application from any external system that talks SAML or OIDC.
This session will have a non-technical and a technical part, so all are welcome to join.

Presented with Urs Meli at the Engage conference 2022

Wannes Rams

May 30, 2022
Transcript

  1. Build a Collaborative framework
    for your business applications
    with HCL Connections Communities

  2. Urs Meli
    • Senior Software Engineer
    @Belsoft Collaboration
    • @umeli
    • Paraglider
    Wannes Rams
    • Senior Cloud Architect @ISW
    • HCL Ambassador
    • Organiser @Let’sConnect
    • @wannesrams
    • Table Tennis
    • Travel

  3. Agenda
    • Introduction
    • Demo
    • How to implement the user interface
    • How to implement the tricky stuff

  4. Why are we showing this
    • Your tools are fragmented
    • No central place to go
    • Communities are core to your business
    • HCL Connections got your back

  5. Demo

  6. Front End: How to
    • App Registry
    • Highlights widgets
    • Iframes
    • Navigation cleanup

  7. App Registry
    • Easiest for embedding
    • Can be used in classic and Highlights
    • Additional features available

  8. Example Volt Application
    • Only needs URL
    • Width / Height set to 100%
    • Black / Whitelisting per:
      • User
      • Email
      • Regex
      • URL

  9. Highlights Widgets
    • Add custom widgets in the Highlights widget bar
    • Can only be used in Highlights

  10. Highlights Widgets: Huddo Boards example

  11. iFrame
    • Not recommended
    • Few controls
    • Only for internal sites, the same domain name, or sites you can control

  12. Navigation cleanup
    • Using an App Registry application
    • Inject CSS and JavaScript

  13. Navigation cleanup

  14. Navigation cleanup

  15. Caution! More technical parts ahead
    • Journey from plain Connections to Connections with SSO

  16. New Login Page for Connections
    [Diagram: HCL Connections authenticates against Keycloak / IdP via OIDC]

  17. Keycloak
    • Open-source Identity and Access Management: https://www.keycloak.org
    • Why Keycloak? Connections multi-tenant requirement => We already had positive experience with it, and it’s free.
    • Increased security:
      • Brute force detection
      • Multi-factor authentication:
        • OTP Authenticator
        • WebAuthn

  18. Connections Support for OIDC
    • OIDC is part of WebSphere Security
    • Connections needs only minor adjustments
    • Desktop plugin and mobile work
    • Keycloak can be replaced by any other OIDC capable identity provider

  19. What else? Connect Domino Servers
    [Diagram: Keycloak / IdP authenticates HCL Connections via OIDC, and Domino Webapp, Domino Volt and Verse via SAML]

  20. Why?
    • Same Login experience
    • Same Security Settings
    • Works across domains

  21. Setup Domino with SAML
    1. Create an Internet Site
    2. Export the Identity Provider Metadata from Keycloak and import it in idpcat.nsf
    3. Export the Service Provider Metadata from idpcat and import it in Keycloak
    4. Set any additional mapping

  22. Internet Site – SAML enabled
    Once the Internet Site exists, hit the «Open IdP Configuration» button to open the idpcat.nsf file. If it does not exist, create it.

  23. Create IDP Config – 1/3
    • The Identity Provider Metadata is located at https://[host]/auth/realms/[realm]/protocol/saml/descriptor
    • Import that file into a new IdP Configuration document

  24. Create IDP Config – 2/3
    • Select the internet site
    • Check the Service Provider ID – it needs to be consistent with the client ID in Keycloak

  25. Create IDP Config – 3/3
    • Create and export the ServiceProvider Metadata
    • Give it a unique Company name, then export the XML and save the attached ServiceProvider.xml

  26. Keycloak client definition for Domino
    • Create a new client and import the ServiceProvider.xml
    • Verify the redirect URIs and client ID
    • Tricky part, Name ID Format: use email or username; this defines which property of a Keycloak user is used to match a Domino user
    • There are SAML-Tracer plugins for Firefox and Chrome available which help with debugging
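
To debug the two points the Domino slides call out (slide 24: the Service Provider ID must match the Keycloak client ID; slide 26: the Name ID Format decides which user property Domino matches), this added script, which is not from the deck, parses a SAML Response as captured with a SAML-tracer plugin and reports what Domino will see. The host names and the URN-to-Keycloak-option mapping are assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# NameID Format URN -> the Keycloak client "Name ID format" option that emits it
# (assumption: mapping as used by Keycloak's SAML client settings).
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "email",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "username",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "transient",
}

def inspect_saml_response(xml_text: str, expected_sp_id: str) -> dict:
    """Pull out the fields a failed Domino SAML login usually hinges on."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS).strip()
    fmt = name_id.get("Format", "") if name_id is not None else ""
    option = NAMEID_FORMATS.get(fmt, "unknown")
    return {
        "issuer": assertion.findtext("saml:Issuer", "", NS).strip(),
        # Audience must equal the Domino Service Provider ID / Keycloak client ID.
        "audience": audience,
        "audience_matches_sp_id": audience == expected_sp_id,
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": option,
        # Domino can only match a user on a value it can look up (email address
        # or user name), not on an opaque persistent/transient identifier.
        "domino_can_match": option in ("email", "username"),
    }

# Constructed, unsigned sample with invented hosts; a real capture is signed.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/auth/realms/demo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://domino.example.test/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Run `inspect_saml_response(SAMPLE_RESPONSE, "<your Service Provider ID>")` against a pasted capture; a `False` in `audience_matches_sp_id` or `domino_can_match` points at the slide 24 or slide 26 setting respectively.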

  27. Summary
    • Connections, Domino WebApps, Volt, Verse
    all use the same login now
    • Authentication is handled by Keycloak

  28. Where are the Credentials?
    • Domino? AD? IBM-DS? OpenLDAP? Database? Keycloak?

  29. What’s next? M365?
    [Diagram: M365 login page federated to Keycloak / IdP via SAML; Keycloak authenticates HCL Connections via OIDC, and Domino Webapp, Domino Volt and Verse via SAML]

  30. Login Delegation
    [Diagram: HCL Connections → Keycloak / IdP via OIDC → M365 login page via SAML]

  31. Why would you do that?
    • Log in to HCL Connections, Verse, XPages apps and Volt with your M365 account

  32. Using M365 as Identity Provider
    • Create an «App registration» and download the FederationMetadata.xml from Azure
    • Create an Identity Broker in Keycloak, import the FederationMetadata.xml and export the ServiceProvider.xml
    • In Azure, create a new application «Azure AD SAML Toolkit» and import the ServiceProvider.xml
    • Make sure that the email address arrives at Keycloak.

  33. Azure 1/2 – FederationMetadata.xml

  34. Azure 2/2 – FederationMetadata.xml

  35. Keycloak: add a new SAML Identity Provider
    • Import the FederationMetadata.xml file
    • Once the identity provider has been saved, download the ServiceProvider.xml

  36. Azure AD 1/3 - Import ServiceProvider.xml

  37. Azure AD 2/3 – Import ServiceProvider.xml

  38. Azure AD 3/3 – Import ServiceProvider.xml

  39. Result so far…
    • We now have a «Login with M365» button

  40. Everybody has an M365 Account
    • Keycloak allows automatic redirect to M365, as shown in the demo
    [Diagram: HCL Connections → Keycloak / IdP via OIDC → M365 login page via SAML]

  41. Why add Keycloak then?
    • M365 supports OIDC and SAML. It would be possible to connect Connections and Domino servers directly to M365
    • It has been easier for us to set up Keycloak in a test environment
    • As Connections or Domino Admins, we don’t want to mess up the Azure AD

  42. What’s next?
    [Diagram: M365 login page federated to Keycloak / IdP; Keycloak authenticates HCL Connections, Domino Webapp, Domino Volt, Verse and other apps such as PowerBI and Power Apps via SAML/OIDC]

  43. Other Apps
    • Every WebApp that supports SAML 2.0 or OIDC/OAuth
    • Grafana
    • Gitlab
    • SugarCRM
    • HubSpot
    • Zoho
    • Salesforce
    • Citrix Netscaler
    • Atlassian Jira
    • …

  44. Is it that easy?
    • Setting up authentication is simple as long as the app can handle either OIDC or SAML 2
    • Displaying app content can be done in two ways: custom widget or iFrame. Troubles ahead:
      • XSS
      • Custom Widget = development and CORS
      • iFrame = frame options (X-Frame-Options) / sandbox / Content-Security-Policy
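
As an added example that is not part of the deck, the check below decides from an app's response headers whether a browser would let the Connections page embed it in an iFrame, which is what slide 11's "same domain name" restriction and the frame-options trouble above come down to. Host names and the sample header sets are constructed; the `frame-ancestors` policy shown is the usual fix when the app must stay framed by Connections only.

```python
from urllib.parse import urlsplit

def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def _host_source_matches(source: str, embedder: str) -> bool:
    """One CSP host-source (scheme optional, *. wildcard ok) vs the embedder origin."""
    src = urlsplit(source if "://" in source else "//" + source)
    emb = urlsplit(embedder)
    if src.scheme and src.scheme != emb.scheme:
        return False
    if src.port and src.port != emb.port:   # port compared only if the source names one
        return False
    if src.hostname.startswith("*."):
        return emb.hostname.endswith(src.hostname[1:])
    return src.hostname == emb.hostname

def _source_matches(source: str, embedder: str, app: str) -> bool:
    s = source.strip("'").lower()
    if s in ("none", "self", "*"):          # keyword sources
        return {"none": False, "self": embedder == app, "*": True}[s]
    if s in ("https:", "http:"):            # scheme-source
        return embedder.startswith(s + "//")
    return _host_source_matches(s, embedder)

def framing_allowed(headers: dict, embedder_origin: str, app_origin: str) -> bool:
    """May a page from app_origin be rendered in an iframe on embedder_origin?"""
    h = {k.lower(): v for k, v in headers.items()}
    embedder, app = embedder_origin.lower(), app_origin.lower()
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # CSP Level 2: frame-ancestors overrides X-Frame-Options when both are present.
        return any(_source_matches(s, embedder, app) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == app
    return True  # no restriction at all: the app itself is open to clickjacking

# Constructed sample: an app that allows only same-origin framing, and the
# corrected policy that also admits the Connections host.
STRICT_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}
FIXED_HEADERS = {"X-Frame-Options": "SAMEORIGIN",
                 "Content-Security-Policy": "frame-ancestors 'self' https://connections.example.test"}
```

Run `framing_allowed(headers, "https://connections.example.test", "https://volt.example.test")` with the headers from the app's response: `STRICT_HEADERS` yields `False` (the cross-domain case slide 11 warns about), `FIXED_HEADERS` yields `True`, and an empty header set yields `True` but leaves the app frameable by any site.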

  45. Links
    • Keycloak: https://www.keycloak.org
    • IBM Documentation on OIDC: https://www.ibm.com/docs/en/was-nd/8.5.5?topic=users-configuring-openid-connect-relying-party
    • OIDC requires WAS 8.5.5.21 or an ifix: https://www.ibm.com/support/pages/node/6513845
    • HCL Connections and Keycloak: https://opensource.hcltechsw.com/connections-doc/v7/keycloak_authentication_sso/keycloak_auth_sso.html
    • Domino SAML authentication: https://help.hcltechsw.com/domino/12.0.0/admin/secu_configuring_nonfederated_saml_authentication.html
    • HCL Connections App Registry: https://github.com/hclcnx/customizer/blob/master/docs/HCLConnectionsCustomizer.md
    • Creating a custom ICEC widget: https://help.hcltechsw.com/connections/v7/connectors/icec/cec-custom-widget-api.html
    • Custom Huddo Boards ICEC widget: https://docs.huddo.com/boards/connections/widgets-on-prem/
    • Enabling single sign-on with OIDC for Microsoft Azure AD: https://help.hcltechsw.com/connections/v7/admin/secure/c_azure_oidc_container.html
