After setting up a Relying Party Trust, enable Nomad federated login in the Security Settings policy used for the ID vault and in the ID vault document.

Before you begin

• Before you enable Nomad federated login for all Nomad users, consider enabling the Security Settings policy for a test user and test that Nomad federated login works for that user.
• In any security policies that are applied to Nomad users whom you plan to include in Nomad federated login, disable synchronizing the Notes® client password with the Internet password.
• See the table of client configurations that are incompatible with federated login in the topic Using Security Assertion Markup Language (SAML) to configure federated-identity authenticationFederated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. In Domino and Notes, federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS. .

1. Enable Nomad federated login in the Security Settings policy:

a. In the Domino Directory, open the Security Settings policy used for Nomad users and assigned to your organization’s ID vault.

b. Select the ID Vault tab and verify that there is an assigned vault used by Nomad federated login.

c. Select the Password Management -> Federated Login tab.

d. Select Yes for Enable Nomad federated login with SAML IdP.


Note: Uncheck (clear) the Don't set this Value field, which is checked by default.

e. Under Additional settings for Federated Login, select Yes for Allow password authentication with the ID vault.

Tip: After a user has been verified to be working with federated login, it is a recommended security improvement to change Allow password authentication with the ID vault to No. When password authentication with the ID vault is not allowed, the user is required to authenticate to the vault using federated login in order to download the user's ID. Because this policy setting controls Notes, Nomad, and Web behavior with the ID vault, change the setting to No only if federated login should be used exclusively.

Note: You may need to selectEnable Web Federated login with SAML IdPto see this option.


f. Select the Keys and Certificates tab and complete the following steps to add the Notes certifier of the Nomad users to the policy.

Note: If Notes federated login is enabled for users who are also Nomad users, this step is completed already and you can skip it.

i. In in the Administrative Trust Defaultssection, click Update Links.

ii. Choose Selected supported and clickOK.

iii. Select the Notes Certifiers tab, select the Organization certificates that signed the IDs of the Nomad users, and click OK.


Note: If the IDs are signed by an Organization Unit (OU) certificate, include all certificates in the hierarchy, including the Organizational certificate.

g. Click Save & Close.

a. From the Domino Administrator, open the ID vault application (idvault.nsf), which by default is stored in the IBM_ID_VAULT directory.

b. From the Configuration view, open the vault document for the vault that contains the Nomad user IDs.

c. In the field Nomad federated login approved IdP configurations, enter the value specified in theHost names or addresses mapped to this sitefield of the IdP Configuration document created for Nomad federated login. For example,nomad.vault.safelinx.renovations.com.


Note: You must include thenomad.vault. prefix, required for proper operation of Nomad federated login.

d. Click Save & Close.

Complete the procedure Exporting Notes certificates to a deploy.nsf file.

Parent topic: Nomad federated login

Help on Help

All Help Contents

Help on Help