Home
Administering Connections 6.5
Welcome to the HCL Connections 6.5 documentation. HCL Connections is social networking software designed for the workplace. Its features help you to establish dynamic networks that connect you to the people and information you need to achieve your business goals.
Security
HCL Connections™ provides a flexible security infrastructure that supports an open, easily shareable data model.
Authentication with SAML
You can use the SAML (Security Assertion Markup Language) 2.0 web SSO redirection services support to implement user authentication and single sign-on (SSO). To establish your SAML environment, you must consider the following information to ensure that your system is a good candidate.
Configuring SAML redirection services for web SSO
To gain SAML support for all HCL Connections™ components that are accessed through a browser, set up SAML redirection services to use the default authenticator. This process replaces the web login page for Connections with your SAML Identity Provider (IdP) by using a redirect.
Enabling single sign-on for SAML 2.0
Configure HCL Connections™ if you want to use the SAML (Security Assertion Markup Language) 2.0 Web SSO redirection services support to implement user authentication and single sign-on (SSO).

Administering Connections 6.5
Welcome to the HCL Connections 6.5 documentation. HCL Connections is social networking software designed for the workplace. Its features help you to establish dynamic networks that connect you to the people and information you need to achieve your business goals.
- What's new in HCL Connections
  Find out about features that are new or updated in this release of HCL Connections.
- Product overview
  Learn how to deploy, customize, and administer the HCL Connections social networking product.
- Planning
  Before installing HCL Connections™, study the system requirements, deployment options, and documentation conventions.
- Installing
  To install HCL Connections™, you need to follow a detailed series of procedures.
- Uninstalling HCL Connections
  Uninstall HCL Connections.
- Migrating and updating
  Migrate HCL Connections™ and its supporting software to the latest release and then update the installation with the latest deployment, interim fixes, or Cumulative Refresh (CR).
- Administering
  Run administration and maintenance tasks to keep your environment up-to-date. For example, learn how to customize your deployment or how to use the wsadmin utility to edit configuration files. You can also schedule tasks, maintain application databases, moderate content, or manage users and their roles.
- Customizing
  Customize HCL Connections™ to fit your environment.
- Security
  HCL Connections™ provides a flexible security infrastructure that supports an open, easily shareable data model.
  - Federal Information Processing Standard (FIPS) 140-2 Compliance
    In HCL Connections™, FIPS compliance is managed through IBM® WebSphere® Application Server.
  - Allowing third-party applications access to data via the OAuth2 protocol
    Allow third-party applications to ask your HCL Connections users for access to their data.
  - Configuring single sign-on
    Set up single sign-on integration between HCL Connections™ and other HCL products and third-party security products.
  - Authentication with SAML
    You can use the SAML (Security Assertion Markup Language) 2.0 web SSO redirection services support to implement user authentication and single sign-on (SSO). To establish your SAML environment, you must consider the following information to ensure that your system is a good candidate.
    - Configuring SAML redirection services for web SSO
      To gain SAML support for all HCL Connections™ components that are accessed through a browser, set up SAML redirection services to use the default authenticator. This process replaces the web login page for Connections with your SAML Identity Provider (IdP) by using a redirect.
      - Configuring SAML for TFIM in WebSphere Application Server
        Configure SAML for IBM Tivoli Federated Identity Manager in IBM WebSphere Application Server by following the simplified steps in this topic.
      - Configuring SAML for ADFS in WebSphere Application Server
        Configure SAML for Microsoft Active Directory Federation Services in IBM WebSphere Application Server by following the simplified steps in this topic.
      - Installing the WebSphere Default Application
        Install the WebSphere Default Application (also known as Snoop) to validate the SAML environment prior to the deployment of HCL Connections™ on WebSphere.
      - Verifying the WebSphere® Default Application is protected by SAML
        Verify that the WebSphere® Default Application is protected by SAML and SAML authentication is functioning in your environment
      - Enabling single sign-on for SAML 2.0
        Configure HCL Connections™ if you want to use the SAML (Security Assertion Markup Language) 2.0 Web SSO redirection services support to implement user authentication and single sign-on (SSO).
      - Disabling SAML to validate fully functioning integration for third party servers
        HCL Connections™ can incorporate many services into Social Business Platform. It is necessary to isolate system-wide security features to validate whether third party servers, such as Cognos® or FileNet® servers, can be deployed properly as a fully functional integrated server with Connections prior to enabling the SAML protection.
  - Configuring the AJAX proxy
    By default, the HCL Connections™ AJAX proxy is configured to allow cookies, headers or mime types, and all HTTP actions to be exchanged among the Connections applications. If you want to change the traffic that is allowed from non-HCL Connections services, you must explicitly configure it.
  - Enabling locked domains
    Assuming that you have completed the server setup previously described, to enable locked domains in HCL Connections, specify an additional attribute in the LotusConnections-config.xml to ensure that only ConnectionsOpensocial application is mapped to the locked domain host.
  - Enabling virus scanning
    Edit configuration property settings to force the applications that handle uploaded files to scan all files for viruses.
  - Forcing traffic to be sent over an encrypted connection
    You can configure HCL Connections™ to force all traffic that passes between a Connections server and a user's web browser to be sent over an encrypted connection.
  - Forcing traffic to use TLS 1.2
    You can configure HCL Connections™ to force all traffic that passes between a Connections server and a user's web browser to be sent over TLS 1.2 to avoid security vulnerabilities in TLS 1.1 and earlier versions of SSL.
  - Forcing users to log in before they can access an application
    Change the access levels of members or groups to require them to provide credentials before they can access an HCL Connections™ application.
  - Securing applications from malicious attack
    HCL Connections™ provides security measures, such as an active content filter and content upload limits, that you can use to mitigate the risk of malicious attacks. Because these security measures can also limit the flexibility of the applications, you, as the system administrator, must evaluate the security of your network and determine whether or not you need to implement them.
  - Restricting domains used by the login page redirect parameter
    By default, the HCL Connections™ default login page allows redirecting to any destination. You can configure Connections to use a whitelist of domains to ensure login navigation to a secure page.
- Mobile
  See the HCL Connections™ Mobile documentation for Connections Cloud and Connections on-premises.
- Developing
  Get information about how to use the APIs provided with HCL Connections™ and how to use Connections Customizer to modify the Connections pages that are returned to users.
- Troubleshooting and support
  To isolate and resolve problems with your HCL products, you can use the troubleshooting and support information. This information contains instructions for using the problem-determination resources that are provided with your IBM® products, including HCL Connections™.

Enabling single sign-on for SAML 2.0

Configure HCL Connections™ if you want to use the SAML (Security Assertion Markup Language) 2.0 Web SSO redirection services support to implement user authentication and single sign-on (SSO).

Before you begin

Complete the following prerequisite conditions:

Verify that the Default application (Snoop) is protected by SAML 2.0.
Ensure that you can access Connections applications from a web browser.
Each href attribute in the LotusConnections-config.xml file is case-sensitive and must specify a fully-qualified domain name.
Note: Lowercase is required for URLs. Many modern browsers will set the domain to lowercase before making a request. For URLs to match with those browsers, lowercase must be used when specifying domain names.
The connectionsAdmin J2C alias that you specified during installation must correspond to a valid account that can authenticate with SAML. It may map to a backend administrative user account. This account must be capable of authenticating for single sign-on against SAML. If you need to update the user ID or credentials for this alias, see the Changing references to administrative credentials topic.

Procedure

Install Connections, if you have not already done so, with all necessary software components as described in Installing.
Using the WebSphere Application server administrative console, navigate to Global security > Web and SIP security > Trust association > Interceptors > com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor and make the following changes:
1. Modify the SAML filter for Connections by copying and pasting the following values into the sso_1.sp.filter Values field:
```
request-url^=/login|/service/authredirect.jsp;request-url!=forceLogin
```
2. Create a new property called sso_1.sp.enforceTaiCookie and set its value to false.
Run Full Resynchronize for all nodes.
Stop all Connections clusters and then stop the DM.
Restart the DM and then restart all Connections clusters.

Rate this topic

5 stars 4 stars 3 stars 2 stars 1 star

Comment on this topic.

By clicking this box, you acknowledge that you are NOT a U.S. Federal Government employee or agency, nor are you submitting information with respect to or on behalf of one. HCL provides software and services to U.S. Federal Government customers through its partners immixGroup, Inc. Contact this team at https://hcltechsw.com/resources/us-government-contact. Do not include any personal data in this Comment box. Note: To report a problem or question about the product software, do not use this form. Instead, go to the HCL Software Support site.