Preparing Active Directory Federation Services (ADFS)

If your IdP is Microsoft Active Directory Federation Services (ADFS), complete these steps to prepare ADFS for use with Domino. Make sure you meet the following requirements before you configure SAML in Domino®.

About this task

These steps are based on ADFS 4.0 and may vary if you use an earlier version.

Procedure

  1. Verify that you meet the following requirements:
    • One of the following versions of ADFS installed and configured:
      • 2.0 (Provided with Windows Server 2008 R2)
      • 3.0 (Provided with Windows Server 2012 R2)
      • 4.0 (Provided with Windows Server 2016)
    • A Secure Sockets Layer (SSL) certificate on the ADFS server that is signed by a Certificate Authority (CA). The CA root cert should be deployed by a domain policy to clients, an ADFS best practice.
    • The following components must be in the same Active Directory domain, unless Active Directory trust relationships are in place:
      • ADFS server
      • User records
      • Client computers from which users log in. (Integrated Windows Authentication only)
  2. Verify that your ADFS server is operational. For steps, see the Microsoft article Verify That a Federation Server Is Operational.
  3. Go to https://<ADFS server hostname>/adfs/ls/IdpInitiatedSignon.aspx and test that a user can log in.
    • If you see the error "This page cannot be displayed", enable the IdP-initiated sign-on page:
      1. In a Windows PowerShell on the ADFS server, run the following command:
        Get-AdfsProperties
      2. See if the line EnableIdpInitiatedSignonPage in the output is False:
        EnableIdpInitiatedSignonPage    :False
      3. If the value is False, run the following command to set it to True:
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
      4. Run the following command to confirm the change:
        Get-AdfsProperties
      5. Restart the ADFS service.
    • If you are unable to log in with Internet Explorer, verify that the browser is enabled for Integrated Windows Authentication:
      1. In Internet Options > Advanced, verify that the security setting Enable Integrated Windows Authentication is checked.
      2. In Internet Options > Security, click Sites and then Advanced. Add the ADFS server URL (https://<ADFS server>) to the list of websites.
  4. Verify that the content of the following two fields match for each user:
    • The Internet address field in the Domino directory Person document.
    • The E-mail field in the user ADFS properties box.
    Note: User login names are not the same as their email addresses, though they can look like email addresses.
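The following script is an added example, not part of the Domino documentation or the ADFS product, that checks the SSL certificate requirement from step 1 and the IdP-initiated sign-on page from step 3 in one pass on the ADFS server. It assumes the ADFS PowerShell module of ADFS 3.0 or later (Get-AdfsSslCertificate is not available on ADFS 2.0); the -Fix switch and the $AdfsHost parameter are names chosen for this example.

```powershell
# Added example: run in an elevated PowerShell on the ADFS server.
# Reports the items from the preparation procedure that still need attention.
param(
    [string]$AdfsHost = (Get-AdfsProperties).HostName,   # federation service hostname
    [switch]$Fix   # pass -Fix to enable the sign-on page when it is disabled
)

# Step 1: the ADFS SSL certificate should be CA-signed, not self-signed.
$binding = Get-AdfsSslCertificate |
    Where-Object { $_.HostName -eq $AdfsHost } | Select-Object -First 1
if (-not $binding) {
    Write-Warning "No SSL binding found for $AdfsHost; check Get-AdfsSslCertificate."
} else {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $binding.CertificateHash }
    if (-not $cert) {
        Write-Warning "Bound certificate $($binding.CertificateHash) is not in LocalMachine\My."
    } elseif ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "Certificate $($cert.Thumbprint) is self-signed; requirement 1 expects a CA-signed certificate."
    } else {
        Write-Host "SSL certificate OK: issued by $($cert.Issuer), expires $($cert.NotAfter)"
    }
}

# Step 3: the IdP-initiated sign-on page must be enabled for the login test.
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    if ($Fix) {
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
        Restart-Service adfssrv   # the change takes effect after an ADFS service restart
        Write-Host "Enabled the IdP-initiated sign-on page and restarted the ADFS service."
    } else {
        Write-Warning "EnableIdpInitiatedSignonPage is False; rerun with -Fix to enable it."
    }
} else {
    Write-Host "IdP-initiated sign-on page is already enabled."
}

# Confirm the sign-on page answers over HTTPS before testing a user login in the browser.
$url = "https://$AdfsHost/adfs/ls/IdpInitiatedSignon.aspx"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Host "$url returned HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "$url is not reachable: $($_.Exception.Message)"
}
```

The certificate check only inspects the binding on this server; if the CA root is not deployed to clients by domain policy as requirement 1 recommends, browsers will still warn even though the script reports OK.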