Avoiding login prompts in mobile approvals

A customer posted an interesting question: "We send e-mail notifications in our workflow applications. Our users don't want to be prompted for a password when following that link from their mobile devices. What are my options?"
While the Notes client can handle automatic authentication (especially with embedded experiences), iNotes has already logged you in via LTPA, and Single Sign-On is well established on PC platforms, mobile devices are trickier.
The "big" solutions would entail some form of Mobile Device Management (MDM), but that is not something you want to deploy just for the one app in question. You do want to plan for MDM, but that's a story for another time (IBM recommends doing it in the context of an overall endpoint management plan).
I see several possible approaches to get around the password prompt:
  • Use a VPN:
    A good VPN server can communicate with the reverse proxy and provide an LTPA token automatically. Sample code is available for F5 BIG-IP and Lotus/IBM Mobile Connect. Implementing it for other VPN/reverse proxy combinations should be possible; check out Puakma SSO and talk to webWise.
  • Use X.509:
    After you deploy X.509 client certificates onto Android or iOS, you can set the Domino Internet Site document for your application to require X.509 authentication. Since the certificates are deployed on the device, no additional prompt is required (how strong that is depends, of course, on how you secured the certificates on the device).
  • Go native:
    In a native (or almost native) application you can store the access credentials locally and read/write data via JSON over HTTPS calls. Not too far off: use OAuth to authorise your mobile app.
  • Update (thanks Mark, Per): use OpenNTF's "Auto Login" project.
I like the VPN approach with LTPA generation best, since it saves you the trouble of managing X.509 certificates and adds a security layer on top.
As usual, YMMV.

Comments

Comment 1 - Imho a simple URL containing a secret key pointing to an anonymous agent that processes the workflow is safe enough for most companies.

Comment 2 - The URL as sole authentication never passes a security audit. While it would make it harder to "guess" the URL (and leave evidence in the logs when you script the guessing), it would allow a simple forward to let somebody else do the approval. Security by obscurity is tempting, but not secure.

Comment 3 - This is an interesting post you've made Stephan. (Sorry, this sounds like a plug... it's not meant to be.)

When we started Mobilite we had to wrestle with authentication on mobile browsers. We tried a number of things, but we came to rely on LtpaToken. The way it's built into the Domino server made it quite easy and consistent to manage user identity and access to databases without changing the ACL. As we evolve our solution, this authentication technology will keep up with us. As long as you have REST-like services, building it into your applications is relatively easy for native or browser-based apps. We find customers like using VPNs as well to secure the line.

Comment 4 - How about adding a "Remember me for x days" option to the login form? That would make using the application a lot easier, since it only asks for your password if the "remember me" has expired.

A (supposedly) secure method to do so using a cookie is described here. It doesn't store the actual user's credentials in the cookie (of course...).

I implemented that method for Domino in the "Auto Logins for Domino/ XWork" project on OpenNTF. After a user has signed in, it issues a cookie containing a random key and uses that key the next time to validate a user and create a LtpaToken.

Comment 5 - @Giulio: I like the LTPA approach too.
@Mark: The remember me approach is also a viable solution.
@Mikkel: a temporary token also works - banks call them TAN.

Disclaimer

This site is in no way affiliated, endorsed, sanctioned, supported, nor enlightened by Lotus Software nor IBM Corporation. I may be an employee, but the opinions, theories, facts, etc. presented here are my own and are in no way given in any official capacity. In short, these are my words and this is my site, not IBM's - and don't even begin to think otherwise. (Disclaimer shamelessly plugged from Rocky Oliver)
© 2003 - 2014 Stephan H. Wissel - some rights reserved as listed here: Creative Commons License
Unless otherwise labeled by its originating author, the content found on this site is made available under the terms of an Attribution/NonCommercial/ShareAlike Creative Commons License, with the exception that no rights are granted -- since they are not mine to grant -- in any logo, graphic design, trademarks or trade names of any type. Code samples and code downloads on this site are, unless otherwise labeled, made available under an Apache 2.0 license. Other license models are available on written request and written confirmation.