If Nomad federated login is working, a user who has not set up Nomad for web browsers can connect to the Nomad server without being prompted for a Notes ID during setup. If you encounter a problem with Nomad federated login, the following sections describe common issues and workarounds.
Message: "HCL Nomad will be setup automatically"
When the user is asked to click Continue during setup, it is because Nomad was unable to create and access a hidden IFRAME element in the browser. This is usually because one or more of the HTTP headers from the IdP were missing or incorrect.
The browser’s console should provide more information about what is wrong.
1. If the message is Refused to frame '<url>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'", it is working as intended, because the IFRAME is not allowed.
2. If the message is The ‘Content-Security-Policy’ is incorrect, then the Content-Security-Policy header from the IdP needs to be fixed.
3. If the console doesn’t contain messages from 1 or 2, the problem is likely one or both of the following headers from the IdP:
Note: This will also prevent the configuration from continuing.
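The check behind the first console message can be reproduced offline. The following is an added example, not HCL code: a simplified evaluation of the frame-ancestors directive that reports whether a Content-Security-Policy value returned by the IdP would let the Nomad server frame the IdP page. The host names are constructed sample values, and IPv6 hosts and paths in source expressions are not handled.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def source_matches(source, ancestor, framed):
    """Match one frame-ancestors source expression against the ancestor origin."""
    a_scheme, a_host, a_port = ancestor
    if source == "'self'":
        return ancestor == framed          # same origin as the framed IdP page
    if source == "*":
        return a_scheme in DEFAULT_PORTS
    if source.endswith(":"):               # scheme-source, e.g. https:
        return a_scheme == source[:-1].lower()
    scheme, _, rest = source.lower().rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and scheme != a_scheme:
        return False
    if not scheme and a_scheme not in (framed[0], "https"):
        return False
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):  # *.example.com matches subdomains only
            return False
    elif host != a_host:                   # also rejects 'none' and unknown keywords
        return False
    return port == "*" or int(port or DEFAULT_PORTS.get(a_scheme, 0)) == a_port

def framing_allowed(csp_headers, framed_url, ancestor_url):
    """True if every policy lets ancestor_url embed framed_url in an IFRAME."""
    framed, ancestor = origin(framed_url), origin(ancestor_url)
    for header in csp_headers:
        for policy in header.split(","):   # one header can carry several policies
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    if not any(source_matches(s, ancestor, framed) for s in tokens[1:]):
                        return False
                    break                  # only the first occurrence in a policy counts
    return True

# Constructed sample values: the IdP page being framed and the Nomad server framing it.
IDP = "https://idp.example.com/login"
NOMAD = "https://nomad.example.com/nomad/"

if __name__ == "__main__":
    for csp in ["frame-ancestors 'self'",
                "default-src 'self'; frame-ancestors 'self' https://nomad.example.com"]:
        print(csp, "->", "allowed" if framing_allowed([csp], IDP, NOMAD) else "blocked")
```

Pass the Content-Security-Policy values exactly as the IdP returns them; a result of blocked corresponds to the "Refused to frame" console message in item 1.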
User is prompted for Notes ID password
This can be caused by several configuration errors. To identify the problem, authenticate as the user, enter the URL <hostname>/nomad/userConfig.json, and look at the resulting text in the browser.
Server domino/EXAMPLE reported the following problem causing authentication to fail: You are not authorized to perform this function on this server
If the browser client fails to download the deploy.nsf database, messages such as the following ones are shown in the browser console logs:
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] HTTP_Service::processNewSession() adjusted URI = '/deploy.nsf'
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] LTPA_KeyHandler::decodeRSAKey: (return), rc=0
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] start= 'u:user\:defaultRealm/CN=<username>,O=<org>%1643059074000%'
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] nomad-web-proxy0::processLtpaSessionKey: (entry)
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] nomad-web-proxy0::processLtpaSessionKey - cookie's LtpaToken expires in 598 minutes
5980: 2892 (Jan 24 2022/12:18:23.9180)[HTTPAS]nomad-web-proxy0::processLtpaSessionKey: auth by LtpaToken cookie
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] AUTH_Server::mdmAuthenticate: (entry)
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] HTTP_APPL: assigning traffic to Nomad application handler
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] getServerURL(): '/deploy.nsf'
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] getServerMapping() returns NULL
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] setupProxyConnection: appending / and trying again
5980: 2892 (Jan 24 2022/12:18:23.9180)[WARN] setupProxyConnection: failed to assign app server for URI '/deploy.nsf/', APP_ServerMgr::assignServer(): Failed to find matching server (errno=0)file - line: APP_ServerMgr.C - 876
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] setup connection, elapsed time: 0ms
5980: 2892 (Jan 24 2022/12:18:23.9180)[WARN] nomad-web-proxy0: failed to setup back end connection, elapsed time: 0ms
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] ConnectionFailed: URL NULL
5980: 2892 (Jan 24 2022/12:18:23.9180)[HTTPAS]httpServerResponse: HTML pkt size: 490
HTTP/1.1 404 Not Found
To correct the problem:
1. Verify that deploy.nsf has been copied to the Nomad server.
2. (Windows only) If deploy.nsf is in the default location, <SafeLinx_install>\saml, move it outside of the install directory and use the chwg command to indicate its new location.
For more information, see Exporting Notes certificates to a deploy.nsf file.