Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Build a Collaborative framework for your business applications with Communities

Build a Collaborative framework for your business applications with Communities

In this session we will show you business applications from different systems brought together under the collaborative umbrella of a Connections Community. Discuss, talk, engage around the applications that drive your business in context inside communities. Build small collaborative eco systems that drives people and the business forward.
We will also show you how to do this. Using Keycloak as an IdP you can login to connections using your Office 365 credentials, bring in applications from the Microsoft world on top of the already existing integrations. We will connect to HCL Domino backends to bring HCL Domino and HCL Volt applications alive inside Communities. And lastly we will show how to add an application from any external system that talks SAML or OIDC.
This session will have a non-technical and technical part so all are welcome to join.

Presented with Urs Meli at the Engage conference 2022

Wannes Rams

May 30, 2022

More Decks by Wannes Rams

Other Decks in Technology


  1. Urs Meli • Senior Software Engineer @Belsoft Collaboration • @umeli

    [email protected] • Paraglider Wannes Rams • Senior Cloud Architect @ISW • HCL Ambassador • Organiser @Let’sConnect • @wannesrams • [email protected] • Table Tennis • Travel
  2. Agenda • Introduction • Demo • How to implement the

    user interface • How to implement the tricky stuff
  3. Why are we showing this • Your tools are fragmented

    • No central place to go • Communities are core to your business • HCL Connections got your back
  4. App Registry • Easiest for embedding • Can be used

    in classic and higlights • Additional features available
  5. Example Volt Application • Only needs URL • Width /

    Height set to 100% • Black / Whitelisting per: • User • Email • Regex • url
  6. iFrame • Not recommended • Little controls • Only for

    internal sites / Same domain name or sites you can control
  7. Keycloak • OpenSource Identity and Access Managment: https://www.keycloak.org • Why

    Keycloak? Connections Multi Tenant requirement => We already had positive experience with it, and it’s free. • Increased Security: • Brute Force Detection • MultiFactor Authentication: • OTP Authenticator • WebAuthN
  8. Connections Support for OIDC • OIDC is part of WebSphere

    Security • Connections needs only minor adjustments • Desktop plugin and mobile work • Keycloak can be replaced by any other OIDC capable identity provider
  9. What else ? Connect Domino Servers Keycloak / IDP HCL

    Connections Domino Webapp Domino Volt Verse SAML OIDC SAML SAML
  10. Setup Domino with SAML • 1. Create an Internet Site

    • 2. Export Identity Provider Metadata from Keycloak and import it in idpcat.nsf • 3. Export the Service Provider Metadata from idpcat and import it in Keycloak • 4. Set any additional mapping
  11. Internet Site – SAML enabled Once the Internet Site exists.

    Hit the «Open IdP Configuration» button to open the idpcat.nsf file. If it does not exist, create it.
  12. Create IDP Config – 1/3 • Identity Provider Metadata is

    located in https://[host]/auth/realms/[realm]/protocol/saml/descriptor • Import that file into a new Idp Configuration document
  13. Create IDP Config 2/3 • Select the internet site •

    Check the Service Provider ID – needs to be consistent with the client ID in Keycloak
  14. Create IDP Config 3/3 • Create and export the ServiceProvider

    Metadata • Give it a unique Company name, then export the xml and save the attached ServiceProvider.xml
  15. Keycloak client definition for Domino • Create a new client

    and import the ServiceProvider.xml • Verify the redirect URIs and client ID • Tricky part - Name ID Format: use email or username, defines which property from a keycloak user is used to match a Domino user • There are SAML-Tracer plugins for FireFox and Chrome available which help with debugging
  16. Summary • Connections, Domino WebApps, Volt, Verse all use the

    same login now • Authentication is handled by Keycloak
  17. What’s next ? M365 ? Keycloak / IDP M365 Login

    Page HCL Connections Domino Webapp Domino Volt Verse OIDC SAML SAML SAML SAML
  18. Why would you do that ? • Login to HCL

    Connections, Verse, Xpages Apps, Volt with your M365 Account
  19. Using M365 as Identity Provider • Create an «App registration»

    and download the FederationMetadata.xml from Azure • Create Identity Broker in keycloak and import the FederationMetadata.xml and export the ServiceProvider.xml • In Azure, create a new application «Azure AD SAML Toolkit» and import the ServiceProvider.xml • Make sure that the email address arrives at keycloak.
  20. Keycloak add new SAML Identity Provider • Import the FederationMetadata.xml

    file • Once the identity provider has been saved, download the ServiceProvider.xml
  21. Everybody has M365 Account • Keycloak allows automatic redirect to

    the M365 as shown in the demo Keycloak / IDP M365 Login Page HCL Connections OIDC SAML
  22. Why add Keycloak then ? • M365 supports OIDC and

    SAML. It’s be possible to connect Connections and Domino servers directly to M365 • It has been easier for us to setup Keycloak in a test environment • As Connections or Domino Admins, we don’t want to mess up the Azure AD J
  23. What’s next ? Keycloak / IDP M365 Login Page HCL

    Connections Domino Webapp Domino Volt Verse Other Apps PowerBI Power Apps SAML/OIDC
  24. Other Apps • Every WebApp that supports SAML 2.0 or

    OIDC/OAUTH • Grafana • Gitlab • SugarCRM • HubSpot • Zoho • Salesforce • Citrix Netscaler • Atlassian Jira • …
  25. Is it that easy ? • Setting up authentication is

    simple as long as the app is able to handle either OIDC or SAML 2 • Display app content can be done in 2 ways. Custom Widget or iFrame. Troubles ahead: • XSS • Custom Widget = Development and CORS • iFrame = Frameoptions / sandbox / Content-Security-Policies
  26. Links • Keycloak: https://www.keycloak.org • IBM Documentation on OIDC: https://www.ibm.com/docs/en/was-nd/8.5.5?topic=users-configuring-openid-connect-relying-party

    • OIDC requires WAS or an ifix: https://www.ibm.com/support/pages/node/6513845 • HCL Connections and Keycloak: https://opensource.hcltechsw.com/connections-doc/v7/keycloak_authentication_sso/keycloak_auth_sso.html • Domino SAML authenticaton: https://help.hcltechsw.com/domino/12.0.0/admin/secu_configuring_nonfederated_saml_authentication.html • HCL Connections App Registry https://github.com/hclcnx/customizer/blob/master/docs/HCLConnectionsCustomizer.md • Creating a custom ICEC widget https://help.hcltechsw.com/connections/v7/connectors/icec/cec-custom-widget-api.html • Custom Huddo Boards ICEC widget https://docs.huddo.com/boards/connections/widgets-on-prem/ • Enabling single sign-on with OIDC for Microsoft Azure AD https://help.hcltechsw.com/connections/v7/admin/secure/c_azure_oidc_container.html