Content Management and Capture


Edit Service Client - SAML2 SSO with Navigator

  • 1.  Edit Service Client - SAML2 SSO with Navigator

    Posted Tue July 25, 2023 07:55 AM

    According to information from one of our customers, IBM improved the behavior of Edit Service Client SSO in NES 3.0.13-IF001 from Jan 26th 2023 (use of a common cookie for Navigator and NES…).

    According to "What's new in IBM Content Navigator 3.0.14", since 3.0.14 there is a new authentication behavior of the Edit Service client (the Edit Service client does not require users to authenticate again if they already authenticated through the IBM Content Navigator browser). What does this mean? Have there been additional changes to the SSO behavior since NES 3.0.13-IF001? If yes: what has changed?

    Is there any documentation available about the SSO behavior of Edit Service Client?



    ------------------------------
    Paul de Jong
    DXC Switzerland GmbH
    ------------------------------


  • 2.  RE: Edit Service Client - SAML2 SSO with Navigator

    Posted Wed July 26, 2023 03:35 AM

    Hi Paul, the only doc available on this, to my knowledge, is the section in What's New: https://www.ibm.com/docs/en/content-navigator/3.0.14?topic=navigator-whats-new-in-content-3014

    I did not find this documented for 3.0.13 IF1 or later; I assume you might want to raise a case if you want to be more specific.



    ------------------------------
    Mathias Korell
    ------------------------------



  • 3.  RE: Edit Service Client - SAML2 SSO with Navigator

    Posted Wed July 26, 2023 04:05 PM

    There isn't a whole lot to say about the new feature...

    • With this authentication improvement, once the user successfully authenticates through ICN web, he is no longer required to authenticate again when using the Edit Service client.
    • This feature enhancement applies to both Single Sign-On (SSO) environments and non-SSO environments for Edit Services.

    And as noted in the What's New section, these are the special cases where authentication is still required from the Edit Service client:

    • A custom Identity Provider (IdP) server is used, which applies a token exchange mechanism during authentication.
    • When the Edit Service client is started after the user already authenticated in IBM Content Navigator from the browser. In this situation, the user needs to refresh the browser page to allow the web to send the authentication token to the Edit client again. If the user does not refresh the browser, the Edit client resorts to the previous method of authentication and opens an authentication window.
    • A custom certificate is used and the password for the custom certificate is stored in the IBM Content Navigator database. In this case, the Edit client needs to retrieve the custom certificate password from the IBM Content Navigator database upon launch. This retrieval process requires authentication.
    • A user has unsaved document changes on the local workstation that result from a lost network connection or from other reasons. When the network comes back online, the client tries to upload the unsaved changes.


    ------------------------------
    RUTH Hildebrand-Lund
    ------------------------------



  • 4.  RE: Edit Service Client - SAML2 SSO with Navigator

    Posted Thu July 27, 2023 02:38 PM

    In the meantime we found out (by analyzing the behavior in detail with one of our developers) that for the new feature, changes in 3.0.14 have been made by IBM to the Navigator application as well as to NES. So, to be able to use the new feature, it would be necessary to install Navigator 3.0.14 as well as NES 3.0.14. Could you confirm this?

    In our customer's environment Navigator 3.0.11 is deployed. The customer's strategy is to only use LTSR versions. So in our first approach we tested the new feature with Navigator 3.0.11 and NES 3.0.14. Because according to the compatibility matrix this combination is supported, we thought this would work. But it didn't.

    As using Navigator 3.0.14 is no issue for the customer (not LTSR), we assume that for the customer's new SSO requirement we probably have to take a closer look at the SSO behavior of NES 3.0.13-IF001. We've been informed that, in the context of another FileNet P8/Navigator application of our customer, a change regarding SSO behavior between Navigator and NES (use of a common session cookie?) has been initiated by an IBM Consultant.

    Question about the special cases listed in the What's New section where authentication is still required from the Edit Service client: what exactly is meant by the first bullet? Would that mean that ANY IdP server which uses SAML2 would be such a special case?

    Thanks for your support!



    ------------------------------
    Paul de Jong
    DXC Switzerland GmbH
    ------------------------------






  • 6.  RE: Edit Service Client - SAML2 SSO with Navigator

    Posted Thu July 27, 2023 09:17 PM

    Hi Paul,

    1. Yes, ICN and the Edit client must both be upgraded to 3.0.14 in order to use this new feature, since we have code changes on both the server and client side.

    2. Edit client 3.0.14 is compatible with ICN server 3.0.11, but this new feature cannot be used.

    3. No, we don't have any SSO behavior changes in NES 3.0.13-IF001. We updated the Edit client's SSL certificate from NES 3.0.13-IF001 because of an SSL certificate refresh, and that requires all customers to upgrade their Edit client to that version or later. Here is the tech note about this change: https://www.ibm.com/support/pages/node/6123603

    4. No, that does NOT mean ANY IdP server which uses SAML2 would be such a special case. The key point is that the custom IdP server uses a token exchange mechanism. With this mechanism, the application authentication token c