About this task

SAML authentication allows a user to authenticate once with a designated identity provider (IdP), after which the user can access any server that is partnered with the IdP. Both Notes client and web client users can make use of SAML-based authentication. Authentication depends upon signed XML identity assertions. The result for the user is transparent authentication and single-sign on with one-time authentication for multiple Domino web servers and applications, as well as any third-party applications that are also partnered with the IdP. The IdP determines the method of the one-time authentication; it might prompt the user for a password, or use a non-password authentication methods such as Integrated Windows™ authentication (SPNEGO/Kerberos) for users within an intranet.

There are four cases in which an organization may use SAML authentication. Your organization may need any or all of the configurations.

• For Notes client users on Windows, Mac or Citrix, SAML authentication can be configured to authenticate users to the ID vault. With this configuration, when users launch the Notes client, they are presented with a login page from the IdP to authenticate and download their IDs from the ID Vault. This configuration is referred to as Notes Federated Login.
• For Notes client users on Windows or Citrix whose operating systems are joined to a Microsoft Active Directory domain, SAML authentication can facilitate a single-sign on solution, with Active Directory Federated Services (ADFS) configured for Integrated Windows™ authentication (IWA). SAML authentication at Notes client startup is referred to as Notes federated login with Integrated Windows Authentication (IWA). As a bonus, the HTTP server task does not need to be run on the Domino vault server, because the HTTP portion of SAML is handled within the Notes client.
• For HCL Nomad for web browser users. With this configuration, when users initially set up Nomad, they are presented with a login page from the IdP to authenticate and download their IDs from the ID Vault. They don't need to provide a Notes ID password. This configuration is referred to as Nomad federated login. For all of the details on this configuration, go directly to the topic Nomad federated login.
• For web client users such as HCL iNotes® users or HCL Verse users, SAML authentication also facilitates a single-sign on solution in which the user’s ID file is downloaded from the Notes ID vault. This type of SAML authentication is referred to as Web federated login, and allows iNotes or Verse users to use secure mail operations.
• For users of other applications on Web servers, SAML-based single sign-on is an alternative to another method of single sign-on (SSO) already available in Domino: multi-session server authentication. SAML is most useful when your Domino environment includes third-party Web applications whose services your users access, or if multi-session server authentication is too limiting for your organization -- for example if the target environment requires SSO across DNS domains.

Compatibility

The following table lists client configurations with which SAML is not compatible or only partially compatible.

Table 1. Client configurations incompatible with SAML federated login

If your organization uses...	SAML is not recommended because...
Smartcard protected ID	Federated login user IDs cannot be Smartcard protected IDs, because the ID vault required for Notes federated login cannot be used with a Smartcard protected ID.
Notes roaming user whose ID file is stored on the server in a roaming personal address book.	Federated login users cannot be Notes roaming users whose IDs are stored in a roaming personal address book, because the ID vault required for Notes federated login cannot be used with Notes IDs stored in a roaming personal address book.
Notes on a USB device	Federated login cannot be used with Notes on a USB device, because the ID vault required for Notes federated login cannot be used with Notes on a USB device.
Notes user IDs with multiple passwords	Federated login user IDs cannot be Notes user IDs with multiple passwords, because the ID vault required for Notes federated login and cannot be used with IDs that have multiple passwords.
Server-based password checking for Notes users	Disable this feature on server platforms when configuring all Notes users for Notes federated login. Password checking can be enforced for non-federated login users, but cannot be enforced for federated login users.
Notes Single Login component installed with the Notes client	This configuration is not supported with Notes federated login.
Notes basic client, Domino administrator client	These clients are not supported with Notes federated login. The Notes standard client is required.

Procedure

Perform the following tasks.

Preparing for SAML authentication
Complete the steps in this section before you configure SAML authentication in Domino

Configuring basic SAML authentication for Web servers
Basic SAML authentication for Web servers allows browser clients to access the Domino Web server by authenticating with SAML. Complete the following tasks to enable basic SAML authentication for Web servers.

Configuring ID vault servers for Notes or Web federated SAML login
Complete the steps in this section if you want to use Web federated login or Notes federated login. After enabled, iNotes users and Notes client users, respectively, access the Notes ID file in the ID vault without being prompted for the password. If your IdP is ADFS, you can also configure Integrated Windows Authentication (IWA) so that iNotes users or Notes clients users aren't prompted for the IdP name and password.

Enabling Web federated login
Enable Web federated login to allow iNotes users to perform secure operations such as signing and decrypting messages without being prompted for a Notes ID password.

Enabling Notes federated login
Enable Notes federated login to allow Notes clients users to start Notes and perform secure operations without being prompted for a Notes ID password.

Nomad federated login
Nomad federated login avoids users being prompted for their HCL Notes ID passwords when they set up the HCL Nomad for web browsers client. Instead, they are prompted only for credentials from a SAML identity provider (IdP) that is accessed through the Nomad server (SafeLinx); the users don't need to enter their Notes ID passwords.

Enabling IWA (ADFS only)
When Integrated Windows Authentication (IWA) is used, users on Windows clients are not prompted for the ADFS login name and password when they access servers on the corporate intranet. IWA is available for basic SAML authentication, Notes federated login, and Web federated login.

Generating a certificate to encrypt SAML assertions
Your organization may require SAML assertions to be encrypted if assertions include attributes that contain sensitive personal data, for example, social security numbers. Domino encrypts entire SAML assertions; partial encryption of specific attributes is not available.

Cautioning client users about SAML and logout
Domino and Notes do not support a single logout feature, so if you configure SAML in your organization, make sure that your users employ safety methods at their desktops to prevent physical access to Notes and Domino resources.

Help on Help

All Help Contents

Help on Help