Project review – IC5 External feature + TAI + Security Gateway + SelfService …
For the first time in my “blogging career” I would like to review a great project I did together with my colleagues during the last six months.
We did this project for our favorite customer 😉
The project goals
- Enable IBM Connections Extranet feature
- User provisioning using a comfortable User Self Service application
- Secured way to access the environment using Airlock WAF as secure reverse proxy
- Continuous single sign-on
The project's benefits
- Easily collaborate with external communities that work across enterprise boundaries (internal and external)
- Send links instead of large attachments and stop using e-mail to store business relevant content
- Rest assured that the e-mail link team members receive will take them to the latest file version located within your Connections community
- Easy to find your relevant information and always access the latest version
External network access – high level design:
There was a requirement to use a really powerful security appliance, “Airlock” from Ergon Informatik AG in Switzerland. Such a system is also called a WAF (web application firewall). It can be set up as a software or hardware appliance and operated in cluster mode. Some of its major features:
- Secure reverse proxy
- Central checkpoint filtering
- Dynamic whitelisting
- Central security hub
- High availability and performance
Furthermore, the Airlock Suite provides Airlock Login and Airlock IAM for authentication and IAM capabilities. A powerful tool! It was great fun to work together with the service provider to set up this appliance.
Single sign-on using WebSphere TAI
Airlock is used to authenticate external users. It is connected to the same LDAP directory that IBM Connections uses, but the challenge was to enable SSO between Airlock and IBM Connections, as Airlock does not know IBM's proprietary SSO format, the LTPA token. We developed a WebSphere TAI (Trust Association Interceptor) that is used as an authentication service.
The “login flow”:
- user logs in to Airlock with username + password
- Airlock generates a cookie containing the username and a specific timestamp, encrypted with a secret shared between Airlock and the TAI
- The request is sent to the TAI. The TAI decrypts the cookie, reads the mandatory information such as the username and performs further security checks: where did the request come from, is the timestamp still within the allowed window, …
- WebSphere “trusts” the user and the user gets logged in
Cool stuff and a rather handy way to establish Single-Sign on between various systems.
User onboarding using GIS User self service application
1. An internal, authorized user creates the external user by specifying first name, last name and e-mail address.
2. The external user receives an e-mail. After clicking the link, the user can set an initial password.
Now the external user's profile is created and the user can collaborate using the IBM Connections external feature – fantastic 😉
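What makes the e-mail link in step 2 safe is how the invitation token behind it is handled. The following is an added illustration, not the GIS self-service application's code (the post does not describe its internals): the token is unguessable, only its hash is stored, it expires, and it can be redeemed exactly once. The in-memory store, the 48-hour validity and the minimum password length are assumptions for the example.

```python
"""Invitation-token handling for the onboarding flow (added example).
Assumptions: in-memory store instead of a database, 48 h link validity,
12-character minimum password. Not the GIS self-service application's code."""
import hashlib
import os
import secrets
import time

INVITE_TTL_SECONDS = 48 * 3600      # assumed validity of an invitation link
MIN_PASSWORD_LENGTH = 12            # assumed password policy


class InviteStore:
    """Keeps only the SHA-256 hash of each token: a leaked table (or a token
    that ends up in a log line of the web server) must not yield a usable link."""

    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, created_by, first, last, email, now=None):
        """Step 1: the internal user registers the external user.
        Returns the token that goes into the e-mail link; it is never stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._by_hash[self._hash(token)] = {
            "first": first, "last": last, "email": email,
            "created_by": created_by,
            "expires": now + INVITE_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token, new_password, now=None):
        """Step 2: the external user follows the link and sets a password.
        Returns (True, user_record) or (False, reason)."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._hash(token))
        if rec is None:
            return False, "unknown invitation"
        if rec["used"]:
            return False, "invitation already used"
        if now > rec["expires"]:
            return False, "invitation expired"
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False, "password too short"
        rec["used"] = True                          # single use, burnt before anything else
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, 200_000)
        return True, {
            "first": rec["first"], "last": rec["last"], "email": rec["email"],
            "password_hash": salt.hex() + "$" + pw_hash.hex(),
        }


if __name__ == "__main__":
    # Constructed walk-through of the two onboarding steps.
    store = InviteStore()
    link_token = store.create("internal.admin", "Jane", "Doe", "jane.doe@example.com")
    print("e-mail link: https://selfservice.example.com/invite/" + link_token)
    print("first click :", store.redeem(link_token, "correct horse battery staple"))
    print("second click:", store.redeem(link_token, "correct horse battery staple"))
```

The order of checks matters: the token is marked used before the password hash is computed, so two concurrent clicks cannot both succeed, and every rejection returns the same kind of answer so an attacker cannot distinguish "never existed" from "already used" by timing the happy path.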
Login with your userid at Airlock WAF
The TAI trace output shows each of the following steps succeeding:
- decoding of the cookie
- extraction of the username
- comparison of the timestamp
- verification of where the request came from (via the X-Forwarded-For header)
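The login flow above and the four trace steps are, taken together, a small hand-off protocol. Here it is as an added example modelled in Python, with both sides: the WAF minting the cookie after the password login and the TAI deciding whether to trust it. This is not Airlock's or the project's TAI code; the cookie is HMAC-signed rather than encrypted (the Python standard library has no authenticated encryption, and integrity is what the checks rely on), and the secret, the validity window, the clock-skew tolerance and the WAF address range are assumptions.

```python
"""SSO hand-off between a reverse proxy (in the post: Airlock) and a WebSphere
TAI, modelled in Python. Added example, not Airlock's or the project's TAI code.
The cookie is HMAC-signed instead of encrypted; the trust checks are the ones
listed in the post: origin, integrity, username, timestamp."""
import base64
import hashlib
import hmac
import ipaddress
import json
import secrets
import time

# Assumed values; the real ones are provisioned out of band to both sides.
SHARED_SECRET = b"example-shared-secret-replace-me"
MAX_AGE_SECONDS = 120                                      # cookie validity window
CLOCK_SKEW_SECONDS = 30                                    # tolerated drift WAF <-> WebSphere
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]   # WAF addresses (RFC 5737 range)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_sso_cookie(username, secret=SHARED_SECRET, now=None):
    """WAF side: after the password login succeeded, mint the hand-off cookie."""
    payload = {
        "user": username,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(8),        # every cookie is unique
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + "." + tag


def tai_decision(cookie, remote_addr, x_forwarded_for, secret=SHARED_SECRET,
                 now=None, trusted=TRUSTED_PROXIES):
    """TAI side. Returns {"accepted": True, "user": ..., "client_ip": ...}
    or {"accepted": False, "reason": ...}, one reason per trace step."""
    def reject(reason):
        return {"accepted": False, "reason": reason}

    # 1. Origin: only requests arriving from the WAF may carry a trusted cookie.
    #    X-Forwarded-For is attacker-controlled unless the peer is trusted, so the
    #    peer address is checked first and XFF is only used to record the client.
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return reject("unparsable peer address")
    if not any(peer in net for net in trusted):
        return reject("request did not arrive via the WAF: %s" % peer)
    if not x_forwarded_for:
        return reject("X-Forwarded-For missing although the WAF always sets it")
    client_ip = x_forwarded_for.split(",")[0].strip()

    # 2. Integrity: recompute the tag over the opaque body, constant-time compare.
    body, sep, tag = cookie.partition(".")
    if not sep:
        return reject("malformed cookie")
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return reject("bad signature")

    # 3. Decode and extract the username only after the signature checked out.
    try:
        payload = json.loads(_unb64(body))
        username, issued = payload["user"], int(payload["ts"])
    except (ValueError, KeyError, TypeError):
        return reject("undecodable payload")

    # 4. Freshness: reject stale cookies and cookies "from the future".
    now = time.time() if now is None else now
    age = now - issued
    if age > MAX_AGE_SECONDS + CLOCK_SKEW_SECONDS:
        return reject("cookie expired (age %ds)" % age)
    if age < -CLOCK_SKEW_SECONDS:
        return reject("cookie timestamp in the future")

    return {"accepted": True, "user": username, "client_ip": client_ip}


if __name__ == "__main__":
    # Constructed walk-through: one cookie, three delivery paths.
    cookie = issue_sso_cookie("ext.user@example.com")
    print("WAF issued :", cookie)
    print("via WAF    :", tai_decision(cookie, "192.0.2.10", "203.0.113.5"))
    print("direct hit :", tai_decision(cookie, "198.51.100.7", "203.0.113.5"))
    flipped = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    print("tampered   :", tai_decision(flipped, "192.0.2.10", "203.0.113.5"))
```

Two points worth keeping in mind when building the real interceptor: the origin check has to be based on the transport (peer address, or better a client certificate on the WAF-to-WebSphere hop), because anyone who can reach WebSphere directly can set X-Forwarded-For to whatever they like; and the timestamp window bounds the damage of a replayed cookie but does not eliminate it, so the cookie should also travel only over TLS with HttpOnly and Secure set.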
Authorized internal users can manage all details of the external users…
External users are stored in the same Domino directory that is used for IBM Connections. An additional names_external.nsf is attached using Directory Assistance (DA), with the necessary ACL modifications so that the self-service application has the write access required for user creation.
There were further modifications to the IBM Connections UI, such as a custom profile type for external users (technical description in my blog). External users are deactivated if they have not logged in to IBM Connections for a defined period of time (also described in this blog).
This was one of the best projects I've ever worked on. Great team, great collaboration between different suppliers and a project time frame that was not as tight as usual.