Home
Administering Connections 7.0
Welcome to the HCL Connections documentation site. HCL Connections is social networking software designed for the workplace. Its features help you to establish dynamic networks that connect you to the people and information you need to achieve your business goals.
Security
HCL Connections™ provides a flexible security infrastructure that supports an open, easily shareable data model.
Configuring single sign-on
Set up single sign-on integration between HCL Connections™ and other HCL products and third-party security products.
Enabling single sign-on for the Windows™ desktop
Configure HCL Connections™ to use SPNEGO for single sign-on (SSO). This configuration permits users to sign in to the Microsoft Windows™ desktop and automatically authenticate with Connections.

Administering Connections 7.0
Welcome to the HCL Connections documentation site. HCL Connections is social networking software designed for the workplace. Its features help you to establish dynamic networks that connect you to the people and information you need to achieve your business goals.
- What's new in HCL Connections
  Find out about features that are new or updated in this release of HCL Connections.
- Product overview
  Learn how to deploy, customize, and administer the HCL Connections social networking product.
- Planning
  Before installing HCL Connections™, study the system requirements, deployment options, and documentation conventions.
- Installing Connections
  To install HCL Connections™, you need to follow a detailed series of procedures.
- Installing or upgrading Component Pack for Connections
  HCL Connections 7.0 now supports the latest Component Pack based in Harbor, an open-source container and Helm registry hosted by HCL for the Component Pack build. Deployments that are new or carrying Component Pack 7 will use this approach for a simplified installation/upgrade process, while releases prior to 7.0 will first need to upgrade to Component Pack 7 using a zip file and a local Docker registry.
- Post-installation tasks
  After installation, you need to perform further tasks to ensure an efficient deployment.
- Optional: Installing and configuring Tiny Editors for HCL Connections
  The Tiny editors are alternative rich-text editors which can be installed for HCL Connections™. They provide additional features and extensive customization options not available with the default editor.
- Optional post-installation tasks
  Complete the post-installation tasks that are relevant to your deployment.
- Uninstalling
  Uninstall HCL Connections.
- Upgrading and updating
  Upgrade HCL Connections and its supporting software to the latest release and then update the installation with the latest interim fixes or cumulative fixes. Refer to the What's New in HCL Connections to review the features in the latest release and gather download links or links to the latest fix list and update strategy information.
- Administering
  Run administration and maintenance tasks to keep your environment up-to-date. For example, learn how to customize your deployment or how to use the wsadmin utility to edit configuration files. You can also schedule tasks, maintain application databases, moderate content, or manage users and their roles.
- Customizing
  Customize HCL Connections™ to fit your environment.
- Security
  HCL Connections™ provides a flexible security infrastructure that supports an open, easily shareable data model.
  - Federal Information Processing Standard (FIPS) 140-2 Compliance
    In HCL Connections™, FIPS compliance is managed through IBM® WebSphere® Application Server.
  - Allowing third-party applications access to data via the OAuth2 protocol
    Allow third-party applications to ask your HCL Connections users for access to their data.
  - Configuring single sign-on
    Set up single sign-on integration between HCL Connections™ and other HCL products and third-party security products.
    - Setting the single sign-on domain name
      Set the single sign-on (SSO) domain name for your IBM® WebSphere® Application Server environment.
    - Enabling single sign-on with OIDC for Microsoft Azure AD
      Single sign-on is accomplished by setting up a trust relationship between the Connections server and Microsoft Azure Active Directory using the IBM WebSphere OpenID Connect Relying Party Trust Association Interceptor (OIDC Relying Party TAI).
    - Enabling single sign-on for Security Verify Access
      Configure HCL Connections™ to use single sign-on with Security Verify Access (formerly Security Access Manager).
    - Enabling single sign-on for SiteMinder
      Configure HCL Connections™ to use Computer Associates' SiteMinder to implement user authentication and single sign-on (SSO).
    - Enabling single sign-on for Domino®
      If your organization uses HCL Connections™ in a Domino® environment, you can enable single sign-on (SSO) for easier user authentication.
    - Enabling single sign-on for standalone LDAP
      HCL Connections™ requires a federated repositories configuration, but you can enable Connections applications to perform Single sign-on for a standalone LDAP directory.
    - Enabling single sign-on for the Windows™ desktop
      Configure HCL Connections™ to use SPNEGO for single sign-on (SSO). This configuration permits users to sign in to the Microsoft Windows™ desktop and automatically authenticate with Connections.
      - Mapping an Active Directory account to administrative roles
        Map an account from Active Directory to administrative roles in IBM® WebSphere® Application Server.
      - Creating a service principal name and keytab file
        A service account in Microsoft™ Active Directory needs to be created to support a service principal name (SPN) for HCL Connections™. A keytab file that the Kerberos authentication service can use to establish trust with the web browser also can be created if Kerberos authentication is desired.
      - Creating a redirect page for users without SPNEGO support
        Create an HTML page to redirect users whose web browsers do not support SPNEGO.
      - Configuring SPNEGO (and Kerberos optionally) on WebSphere® Application Server
        Configure SPNEGO and, optionally Kerberos, on IBM® WebSphere® Application Server.
      - Configuring web browsers to support SPNEGO
        Configure your web browser to support SPNEGO authentication.
    - Enabling SPNEGO single sign-on for Security Verify Access
      Configure HCL Connections to use single sign-on with IBM Security Verify Access (or ISVA, formerly Security Access Manager) and SPNEGO.
    - Enabling SPNEGO single sign-on for SiteMinder
      Configure HCL Connections™ to use single sign-on with Computer Associates' SiteMinder and SPNEGO.
    - The customAuthenticator element for back-end inter-service communication
      The customAuthenticator element in the LotusConnections-config.xml file defines some key parameters in your single sign-on (SSO) solution.
  - Authentication with SAML
    You can use the SAML (Security Assertion Markup Language) 2.0 web SSO redirection services support to implement user authentication and single sign-on (SSO). To establish your SAML environment, you must consider the following information to ensure that your system is a good candidate.
  - Configuring the AJAX proxy
    By default, the HCL Connections™ AJAX proxy is configured to allow cookies, headers or mime types, and all HTTP actions to be exchanged among the Connections applications. If you want to change the traffic that is allowed from non-HCL Connections services, you must explicitly configure it.
  - Enabling locked domains
    Assuming that you have completed the server setup previously described, to enable locked domains in HCL Connections, specify an additional attribute in the LotusConnections-config.xml to ensure that only ConnectionsOpensocial application is mapped to the locked domain host.
  - Enabling virus scanning
    Edit configuration property settings to force the applications that handle uploaded files to scan all files for viruses.
  - Forcing traffic to be sent over an encrypted connection
    You can configure HCL Connections™ to force all traffic that passes between a Connections server and a user's web browser to be sent over an encrypted connection.
  - Forcing traffic to use TLS 1.2
    You can configure HCL Connections™ to force all traffic that passes between a Connections server and a user's web browser to be sent over TLS 1.2 to avoid security vulnerabilities in TLS 1.1 and earlier versions of SSL.
  - Forcing users to log in before they can access an application
    Change the access levels of members or groups to require them to provide credentials before they can access an HCL Connections™ application.
  - Securing applications from malicious attack
    HCL Connections™ provides security measures, such as an active content filter and content upload limits, that you can use to mitigate the risk of malicious attacks. Because these security measures can also limit the flexibility of the applications, you, as the system administrator, must evaluate the security of your network and determine whether or not you need to implement them.
  - Restricting domains used by the login page redirect parameter
    By default, the HCL Connections™ default login page allows redirecting to any destination. You can configure Connections to use a whitelist of domains to ensure login navigation to a secure page.
- Mobile
  See the HCL Connections™ Mobile documentation for Connections Cloud and Connections on-premises.
- Developing
  Get information about how to use the APIs provided with HCL Connections™ and how to use Connections Customizer to modify the Connections pages that are returned to users.
- Troubleshooting and support
  To isolate and resolve problems with your HCL products, you can use the troubleshooting and support information. This information contains instructions for using the problem-determination resources that are provided with your HCL products, including HCL Connections™.

Enabling single sign-on for the Windows™ desktop

Configure HCL Connections™ to use SPNEGO for single sign-on (SSO). This configuration permits users to sign in to the Microsoft Windows™ desktop and automatically authenticate with Connections.

Before you begin

Verify that HCL Connections™ works correctly without the SPNEGO authentication protocol.

Create a user account in the LDAP directory and add it to the WebSphere® Application Server administrators group.

Complete the steps in the Creating a service principal name and keytab file topic.

Note: If you are using on-ramp plug-ins or mobile services, your data traffic is not authenticated by Kerberos tickets or SPNEGO tokens. It is instead authenticated through Java EE form-based authentication.

About this task

To configure Connections to use SPNEGO, complete the following tasks: