Nomad federated login avoids prompting users for their HCL Notes ID passwords when they set up the HCL Nomad for web browsers client. Instead, they are prompted only for credentials from a SAML identity provider (IdP) that is reached through the Nomad server (SafeLinx).
With Nomad federated login, a Domino ID vault server acts as a SAML service provider (SP). It requests and obtains an authentication assertion from your IdP; a valid assertion lets the vault server trust the user's identity and release the user's Notes ID from the vault. The Nomad server (SafeLinx) carries the SAML communication between the Domino server and the IdP.
For information about Nomad for web browsers, see the Nomad administrator help (https://help.hcltechsw.com/nomad/1.0_admin/index.html) and the Nomad for web browsers help (https://help.hcltechsw.com/nomad/1.0_web/index.html).
The following steps occur to obtain a user's Notes ID file from the vault when the user first sets up Nomad for web browsers and Nomad federated login is configured:
1. The browser requests an ID download from the vault via the Nomad server (SafeLinx).
2. The Domino ID vault server looks up the user in the vault database. It uses an IdP configuration document in idpcat.nsf to return a signed SAML request to the browser via the Nomad server.
3. The browser sends the signed SAML request to the IdP together with a previously established IdP session cookie.
4. The IdP authenticates the user via the cookie and returns a SAML response to the browser in an auto-posting form.
5. The browser posts the SAML response to the Nomad server.
6. The Nomad server reflects the SAML response back to the browser.
7. The browser continues the ID download request with the SAML response via the Nomad server.
8. The ID vault server verifies the SAML assertion and returns the user’s ID file.
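The checks that step 8 implies on the service-provider side, as an added Python example that is not part of this page and not HCL's implementation. It models the ID vault server's state for steps 2 and 8 (the outstanding AuthnRequest IDs and the assertion IDs already redeemed for an ID download) and the IdP's reply in step 4 as a constructed, unsigned SAML Response, then shows which responses the SP must refuse: one minted for another audience, one it never requested, one posted to a different recipient, an expired one, and a replay of a response already used. The entity IDs, URLs, clock value and NameID are hypothetical; verification of the XML signature on the assertion against the IdP certificate is assumed to be done by a dedicated XML-DSig library before verify_response() runs and is not implemented here.

```python
import base64
import secrets
import xml.etree.ElementTree as ET  # production code should use a hardened parser such as defusedxml
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS, BEARER = "urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID = "https://vault.example.com/idvault"  # hypothetical: the ID vault server acting as SP
ACS_URL = "https://nomad.example.com/saml/acs"       # hypothetical: URL the browser posts the response to (step 5)
IDP_ENTITY_ID = "https://idp.example.com/saml"       # hypothetical IdP entity ID
CLOCK_SKEW, REQUEST_TTL = timedelta(minutes=3), timedelta(minutes=10)
EXAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the walkthrough
A = "{%s}" % SAML  # ElementTree-qualified prefix for assertion-namespace elements

class SamlError(Exception): pass

def _fmt(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _within(now, not_before, not_on_or_after):  # validity window with skew; NotBefore is optional
    if not_on_or_after is None or now - CLOCK_SKEW >= _parse(not_on_or_after):
        return False
    return not_before is None or now + CLOCK_SKEW >= _parse(not_before)

class VaultServiceProvider:
    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.pending = {}      # outstanding AuthnRequest IDs -> issue time (step 2)
        self.consumed = set()  # assertion IDs already exchanged for an ID download (step 8)

    def build_authn_request(self):
        """Step 2: issue a request with a fresh, unguessable ID and remember it."""
        req_id, now = "_" + secrets.token_hex(16), self.clock()
        self.pending[req_id] = now
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" Version="2.0" '
               f'IssueInstant="{_fmt(now)}" AssertionConsumerServiceURL="{ACS_URL}">'
               f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
        return req_id, base64.b64encode(xml.encode()).decode()

    def verify_response(self, saml_response_b64):
        """Step 8: return the NameID only if every binding check passes (XML-DSig assumed verified already)."""
        now = self.clock()
        root = ET.fromstring(base64.b64decode(saml_response_b64))
        code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        if root.tag != f"{{{SAMLP}}}Response" or code is None or code.get("Value") != SUCCESS:
            raise SamlError("not a successful samlp:Response")
        assertions = root.findall(A + "Assertion")
        if len(assertions) != 1 or (assertions[0].findtext(A + "Issuer") or "").strip() != IDP_ENTITY_ID:
            raise SamlError("expected exactly one assertion from the configured IdP")
        a = assertions[0]
        if a.get("ID") in self.consumed:
            raise SamlError("assertion replayed")
        cond = a.find(A + "Conditions")
        if cond is None or not _within(now, cond.get("NotBefore"), cond.get("NotOnOrAfter")):
            raise SamlError("assertion outside its validity window")
        if SP_ENTITY_ID not in [(e.text or "").strip() for e in cond.iter(A + "Audience")]:
            raise SamlError("assertion issued for a different audience")
        # Bearer confirmation must tie the assertion to our own request and to our ACS URL.
        scs = [s for s in a.iterfind(A + "Subject/" + A + "SubjectConfirmation") if s.get("Method") == BEARER]
        scd = scs[0].find(A + "SubjectConfirmationData") if scs else None
        if scd is None or scd.get("Recipient") != ACS_URL or not _within(now, None, scd.get("NotOnOrAfter")):
            raise SamlError("bearer confirmation missing, expired, or for another recipient")
        req_id = scd.get("InResponseTo")
        if req_id is None or req_id != root.get("InResponseTo") or req_id not in self.pending:
            raise SamlError("unsolicited response or unknown InResponseTo")
        if now - self.pending.pop(req_id) > REQUEST_TTL:
            raise SamlError("AuthnRequest too old")
        name_id = (a.findtext(A + "Subject/" + A + "NameID") or "").strip()
        if not name_id:
            raise SamlError("missing NameID")
        self.consumed.add(a.get("ID"))
        return name_id

def constructed_idp_response(request_id, name_id, now, recipient=ACS_URL, audience=SP_ENTITY_ID, lifetime_minutes=5):
    """Step 4 from the IdP side: a constructed, unsigned response for this example."""
    rid, aid = "_" + secrets.token_hex(8), "_" + secrets.token_hex(8)
    nb, na = _fmt(now - timedelta(minutes=1)), _fmt(now + timedelta(minutes=lifetime_minutes))
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{rid}" Version="2.0" '
           f'IssueInstant="{_fmt(now)}" Destination="{recipient}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="{aid}" Version="2.0" IssueInstant="{_fmt(now)}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation Method="{BEARER}">'
           f'<saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="{recipient}" NotOnOrAfter="{na}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def rejects(sp, saml_response_b64):
    """True if the SP refuses the response; used for the negative cases."""
    try:
        sp.verify_response(saml_response_b64)
    except SamlError:
        return True
    return False

if __name__ == "__main__":
    sp = VaultServiceProvider(clock=lambda: EXAMPLE_NOW)
    resp = constructed_idp_response(sp.build_authn_request()[0], "CN=Jane Doe/O=Example", EXAMPLE_NOW)
    print(sp.verify_response(resp), rejects(sp, resp))  # NameID accepted once, then the replay is refused
```

Running the file performs one valid exchange and then posts the same response again; the second attempt is refused because the assertion ID has been consumed and the request ID is no longer outstanding. The order of the checks matters for the negative cases: audience, recipient and validity are tested before the outstanding request ID is consumed, so a forged or mis-addressed response cannot burn the legitimate request it names.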
Nomad federated login configuration components

Configuring Nomad federated login involves the following components. Note that there are additional prerequisite components beyond these, as described in Prerequisites for Nomad federated login.

Creating an IdP Configuration document for Nomad federated login
Create an IdP Configuration document for Nomad federated login in idpcat.nsf.

Setting up a Relying Party Trust for the ID vault server used by Nomad federated login
After you create the IdP Configuration document for Nomad federated login and export the ServiceProvider.xml file, set up a relying party trust in your IdP by importing the ServiceProvider.xml file into it.

Enabling Nomad federated login
After setting up the Relying Party Trust, enable Nomad federated login in the Security Settings policy used for the ID vault and in the ID vault document.

Exporting Notes certificates to a deploy.nsf file
After you enable Nomad federated login, export the Notes organization certifier used by the Nomad for web browsers users to a deploy.nsf database.

Troubleshooting Nomad federated login
If Nomad federated login is working, a user who has not yet set up Nomad for web browsers can connect to the Nomad server without being prompted for a Notes ID during setup. If you encounter a problem with Nomad federated login, the following sections describe common issues and workarounds.