This article describes each of the methods available to authenticate the clients supported by the IBM SmartCloud® Notes® service. It includes descriptions of each of the following methods:
- SmartCloud for Social Business account identity and password authentication
- SAML federated identity authentication
- SmartCloud for Social Business account identity and application password authentication
- IBM® Notes NRPC authentication
- Hosted BlackBerry® Services user authentication
The following summary tables are also included:
- Authentication methods by SmartCloud Notes client
- Password rules by authentication method
- Mobile device password rules
See the end of the article for additional resources.
SmartCloud for Social Business account identity and password authentication
The SmartCloud for Social Business account identity and password is used to authenticate the following types of SmartCloud Notes users:
- SmartCloud Notes web users (optional)
- Notes Traveler device users (optional)
- Internet Message Access Protocol (IMAP) client users
- File Transfer Protocol (FTP) client users who connect to the integration server to download journal files or upload user account change files
Administrators specify account identities and temporary passwords when they create user accounts. Users change the passwords after they log in to the service for the first time. If users start with collaboration subscriptions and SmartCloud Notes subscriptions are added later, the users use their existing account identities and passwords to log in to the service to access their mail.
The account identity is specified in the Email field of the user account. In SmartCloud Notes hybrid environments, and in some situations in service-only environments, the account identity does not control the value of the Internet address that is used for mail routing. For more information, see the link to the wiki article "What You Should Know Before You Change a SmartCloud Notes User's Name" in the Additional resources section.
Administrators or users can change account passwords.
For information on password rules used for the SmartCloud for Social Business account password, see the section "Password rules by authentication method".
SAML federated identity authentication
Customers can use their own Security Assertion Markup Language (SAML) 1.1 or 2.0 identity provider to authenticate users of SmartCloud for Social Business web applications, including SmartCloud Notes web. When users attempt to access a SmartCloud for Social Business service from a browser, a SAML assertion is sent from your organization to the SAML endpoint in SmartCloud for Social Business. The SmartCloud for Social Business service uses the SAML assertion to identify the user in a cryptographically secured fashion and then to determine whether to allow the user to access its service.
SAML federated identity management provides the following benefits to web users:
- It allows the company to control the type of authentication and authentication options. For example, you might restrict access to specific networks, use VPN connections, define custom password strength or password expiration periods, use smartcards, or require two-factor authentication.
- Users can use their familiar, on-premises credentials to access the cloud service.
- While users are logged on to the on-premises identity provider, they can access a SmartCloud for Social Business service without being re-prompted for credentials.
SAML federated identity management cannot be used to authenticate the following SmartCloud Notes clients:
- Mobile clients
- IMAP clients
- Notes clients
- FTP clients that access SmartCloud for Social Business integration server to download journaling files or to upload user account change files.
The time required to prepare for SAML federated identity management depends on factors such as whether a supported SAML identity provider is already implemented at your organization, and your knowledge of and experience with SAML, SSO, LDAP, and related technologies. Preparation tasks include implementing SAML on a web server, configuring a private- and public-key pair to use for digital signatures, and integrating your directory server with SAML. Initial steps also involve setting up a proof-of-concept partnership against a SmartCloud for Social Business test environment.
After your on-premises preparation is complete, a SmartCloud for Social Business customer service representative enables federated identity management for your organization in the service. You tell the customer service representative which of the following login options to enable. The option you choose determines whether users are required to use federated identities to log in to the service or whether they have the option to continue to use the service account identity to log in.
Table 1. SAML federated identity login options
Non-federated
- All users except Notes users and Hosted BlackBerry users log in to the service using a SmartCloud for Social Business account identity and password.
- This option is the default behavior without SAML federated identity management.
Federated
- SmartCloud for Social Business account identity and password authentication is not used.
- SmartCloud Notes web users (and users of SmartCloud for Social Business collaboration applications) log in to the service using a SAML federated identity.
- You can provide a URL for an identity provider login page to the IBM customer service representative. Then web users are redirected to that page when they attempt to access a SmartCloud for Social Business service.
- To allow users who work away from the office to use SAML federated identity authentication, on-premises directory servers must be configured to allow access from the Internet.
- Notes Traveler users must log in using SmartCloud for Social Business account identity and application passwords. For more information, see the section on SmartCloud for Social Business account identity and application password authentication.
- IMAP clients cannot be used.
- FTP clients cannot be used to connect to the integration server to download journal files or to upload change files to manage user accounts.
Modified
- Users choose whether to log in using the SAML federated identity.
- SmartCloud Notes web users (and users of SmartCloud for Social Business collaboration applications) who are located at the office within the corporate intranet can use the SAML federated identity to log in.
- SmartCloud Notes web users (and users of SmartCloud for Social Business collaboration applications) away from the office can use the SmartCloud for Social Business account identity and password to log in. Directory servers are not required to be accessible from the Internet.
- Notes Traveler users are not required to use application passwords.
- IMAP clients can be used.
- An FTP client can be used to connect to the integration server in the service to download journal files or to upload change files to manage user accounts.
Per-user
- Company administrators assign the login type (Non-federated, Federated, Modified) on a per-user basis.
- This option allows you to customize settings for specific types of users.
SmartCloud for Social Business account identity and application password authentication
Authentication with SmartCloud for Social Business account identities and application passwords is useful to provide a secure login for applications that do not support forms-based authentication. In the SmartCloud Notes context, this type of authentication can be used for Notes Traveler devices.
If you enable the Federated (full-federated) SAML federated identity option, you must enable application passwords for users of Notes Traveler, which does not support SAML federated identity authentication.
Company administrators enable the application passwords feature through the organization SmartCloud for Social Business Security settings. If you do not use SAML federated identity authentication, you have the option to require the use of application passwords. Although you can set application passwords to expire after a period of time, selecting No expiration instead is recommended.
Users generate application passwords themselves through their SmartCloud for Social Business My Account Settings. Application passwords are generated using a cryptographically strong random number generator. They are 16 characters long, are not case sensitive, and cannot be changed by the user. If multiple Notes Traveler users share a user account, each user can generate a separate password.
When users log in to Notes Traveler with an application password, the device remembers the password so that users are not required to provide it again. If users forget the password when they first attempt to log in with it, they can revoke it and generate a new password.
You can restrict users to logging in to web applications through configured IP ranges. Usually you restrict login to IP ranges to your corporate network to provide a level of protection against user credentials being stolen or phished. When you restrict IP ranges, you can use the application password setting Ignore IP range restrictions for applications to allow users such as mobile users to bypass these IP restrictions. When you allow users to bypass IP restrictions, application passwords provide additional password strength. If a mobile device is lost or stolen, administrators can disable IP restriction bypass to prevent access from outside the designated IP range. Users or administrators can also revoke application passwords, rendering a lost or stolen device unable to authenticate into the service again after the current authentication session expires.
Notes (NRPC) authentication
When users connect to their SmartCloud Notes mail servers in the cloud with Notes clients, they are authenticated using Notes Remote Procedure Call (NRPC) authentication.
In hybrid environments, each company provides a certifier to be used to name and certify mail servers in the service. If any users are certified under a different parent certifier than this mail server certifier, cross-certificates must be issued between certifiers to enable the users to access their mail servers. For example, to enable user Allie Singh/PowerRenovations to access the mail server Mail1/SCN/Renovations, a cross-certificate must be issued from /Renovations (or /SCN/Renovations) to /PowerRenovations, and vice versa, to establish trust. Similar cross-certificates would be required to allow on-premises Domino® servers that are under a different parent certifier than your mail server certifier to connect to the service. If the required cross-certificates already exist for on-premises purposes, you do not need to re-create them.
In service-only environments, and in hybrid environments that do not use on-premises security policy settings to configure password requirements, Notes ID passwords must be at least eight characters. Passwords must also have a password quality of 8, on a quality scale of 0 (weakest) to 16 (strongest). Password quality refers to the required character complexity of passwords. In hybrid environments, you can use on-premises security policy settings to control password requirements.
By default, Notes ID passwords do not expire, and keeping this default behavior is recommended. For more information, see the section "Password rules by authentication method". Nevertheless, you can configure a password expiration interval from 30 to 3650 days through the SmartCloud Notes Administration interface. In hybrid environments, you do not control password expiration through an on-premises policy, but you can use a policy to enable a warning to be displayed to users when their passwords are due to expire.
If users forget their Notes ID passwords, company administrators can use the SmartCloud Notes Administration interface to reset the passwords to temporary values. The users use the temporary passwords to log in to the service from a Notes client and then are prompted to change the passwords.
The Notes shared login feature is supported in hybrid environments. This feature allows users to log in to Microsoft Windows and then use the Notes client without providing a Notes ID password. A benefit of this feature is that there are no Notes ID passwords to use or remember.
The Notes client can connect automatically to the SmartCloud instant messaging community and to SmartCloud Activities through the client sidebar. (Access to SmartCloud Activities requires a collaboration subscription.) After users log on to SmartCloud Notes from the Notes client, a single sign-on capability enables them to access these SmartCloud services during the session without providing their SmartCloud account login credentials. A Notes client can be configured to connect to both on-premises and cloud Sametime® or Activities servers through the sidebar. In this case, users must provide their SmartCloud account login credentials to access the cloud servers.
Hosted BlackBerry Services authentication
Users with SmartCloud Notes for Hosted BlackBerry® Services subscriptions authenticate against a Research in Motion® data center. To activate their BlackBerry devices for use with the service, users provide their Internet email addresses and a one-time activation password. Activation associates devices to user accounts. Company administrators or users can create the activation passwords. Users have 48 hours to activate their devices. If the 48-hour period expires, a new activation password must be created.
After activation, devices securely identify themselves to the service. Device passwords are required. See the section "Mobile device password rules" for device password requirements.
Authentication methods by SmartCloud Notes client
The following table lists the authentication methods supported for each type of SmartCloud Notes client.
Table 2. Authentication methods by SmartCloud Notes client (each authentication method is followed by the supported SmartCloud Notes clients)
SmartCloud for Social Business account identity and password
- SmartCloud Notes web
- Notes Traveler
- FTP client to connect to the integration server to download journal files or to upload change files to manage user accounts
SAML Federated Identity
- SmartCloud Notes web
SmartCloud for Social Business account identity and application password
- Notes Traveler
Notes (NRPC) authentication
- Notes clients
Research in Motion data center authentication
- BlackBerry devices that access the service through Hosted BlackBerry subscriptions
Password rules by authentication method
Table 3. Password rules by authentication method
SmartCloud for Social Business account password
Password rules:
- At least eight characters
- At least four alphabetic characters
- At least one non-alphabetic character
- No spaces
- No more than two consecutive characters
- No match of any of the eight previous passwords
- Cannot contain user name or email address
Password expiration [1]:
- Disabled by default.
- Administrators can enable a password expiration interval of 30, 60, or 90 days.
SAML Federated Identity
- Password rules and password expiration are controlled by the company.
SmartCloud for Social Business application passwords
Password rules:
- 16 characters (not case sensitive)
Password expiration [1]:
- Disabled by default
- Administrator can enable
Password changes:
- Password changes not allowed
- Administrator or users can revoke passwords, and users can then generate new ones
Notes ID password
Password rules:
- In service-only environments, and in hybrid environments that do not use policy security settings to configure password requirements, Notes ID passwords must be at least eight characters and have a password quality of 8, on a password quality scale of 0 (weakest) to 16 (strongest).
Password expiration [1]:
- Disabled by default.
- Administrator can enable through SmartCloud Notes Administration
[1] While it may seem that requiring passwords to expire provides more security, most security experts believe the opposite is actually true. Password expiration often leads to the use of simpler, more easily guessed passwords, and to users writing down passwords to remember them. A better policy is to use more complex password phrases that do not expire, whenever possible. In addition to providing better security, this policy also reduces the number of help desk calls generated by users who forget their ever-changing passwords.
Mobile device password rules
The following table describes the password rules for SmartCloud Notes mobile devices. These rules are separate from the authentication passwords described in the previous table.
Table 4. Mobile device password rules
Notes Traveler devices
Device password rules:
- At least four characters [1]
- Auto lock after 30 minutes [1]
- Apple 5S device users choose whether to enable the fingerprint identity sensor. If they enable the sensor, they are not required to enter the device password when they unlock the device. They are still prompted for the device password when they power on the device and at least once every 48 hours.
- For Apple devices, three or more consecutive numbers or characters are not allowed. A series of three or more ascending or descending numbers or characters is not allowed. Disabling the Prohibit ascending, descending and repeating sequences policy setting in hybrid environments does not override these requirements.
Device password expiration:
- In service-only environments, passwords always expire after 90 days.
- In hybrid environments, passwords expire after 90 days by default. On-premises policies can be used to disable password expiration or to change the expiration period.
BlackBerry devices used with a Hosted BlackBerry Services subscription
Device password rules:
- At least eight characters
- Auto lock after 30 minutes
- At least one alphabetic character
- At least one numeric character
- Different from the previous eight passwords
Device password expiration:
- Expiration after 90 days (required)
[1] In hybrid environments, you cannot disable the password requirement, but you can use policies to customize password settings.
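As an added example (not code from the article or from the IBM service), the following Python checks a candidate password against the SmartCloud for Social Business account password rules in Table 3 and the Apple device sequence rules described under Table 4. Function names, the sample user name and email, and the reading of "no more than two consecutive characters" as "no character repeated three or more times in a row" are assumptions; the article does not define that rule more precisely.

```python
import re

# Added example: a checker for the password rules this article lists. The
# rule texts are transcribed from Table 3 (SmartCloud for Social Business
# account password) and from the Apple device note under Table 4.
# Assumption: "no more than two consecutive characters" is read as "no
# character repeated three or more times in a row".

def has_run(pw, n=3):
    """True if some character repeats n or more times consecutively."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None

def has_sequence(pw, n=3):
    """True if pw contains n or more ascending or descending consecutive
    code points, e.g. 'abc' or '321' (the Apple device rule in Table 4)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False

def check_account_password(pw, username="", email="", history=()):
    """Return the Table 3 account-password rules that pw violates
    (an empty list means the password is acceptable). `history` holds
    the user's previous passwords; a real service would compare hashes."""
    problems = []
    if len(pw) < 8:
        problems.append("at least eight characters")
    if sum(c.isalpha() for c in pw) < 4:
        problems.append("at least four alphabetic characters")
    if all(c.isalpha() for c in pw):
        problems.append("at least one non-alphabetic character")
    if " " in pw:
        problems.append("no spaces")
    if has_run(pw):
        problems.append("no more than two consecutive identical characters")
    if pw in list(history)[-8:]:
        problems.append("no match of the eight previous passwords")
    low = pw.lower()
    if (username and username.lower() in low) or (email and email.lower() in low):
        problems.append("cannot contain user name or email address")
    return problems

def check_apple_device_password(pw):
    """Return the Table 4 rules that an Apple device password violates."""
    problems = []
    if len(pw) < 4:
        problems.append("at least four characters")
    if has_run(pw):
        problems.append("no three or more repeating characters")
    if has_sequence(pw):
        problems.append("no ascending or descending sequence of three or more")
    return problems
```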
See the following additional resources: