Completing Domino prerequisites for SAML
Complete the following Domino configuration that is required by SAML.
Directory name mapping (ADFS only)
If user addresses in the Active Directory mail attribute are identical to addresses in the Internet Address field in Domino directory Person documents, no additional directory configuration is required. If not, you must add the Notes distinguished name to an Active Directory attribute such as altSecurityIdentities. Then, configure directory assistance to use that attribute to map Domino names to names in Active Directory. For more information, see Using Notes distinguished names in a remote LDAP directory.
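The following script is an added example, not part of the Domino documentation, that decides which of the two cases above applies for a set of users: it compares each Active Directory mail value with the Domino Internet Address and, for users that differ (or have no mail attribute at all), drafts the LDIF that would add the Notes distinguished name to altSecurityIdentities. The sample accounts are constructed, the pairing of AD and Domino records is assumed to come from your own correlation (for example an HR export), and the assumption that the attribute holds the plain Notes DN should be confirmed against the directory assistance documentation before the LDIF is applied.

```python
"""Decide whether the Domino-to-Active Directory name mapping is needed and
draft the LDIF that would add the Notes DN to altSecurityIdentities.

Added example; not from the Domino documentation. Sample records are
constructed, and the attribute value format is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AdUser:
    dn: str            # AD distinguished name of the user object
    mail: str | None   # AD 'mail' attribute; None when the attribute is not set


@dataclass(frozen=True)
class DominoPerson:
    notes_dn: str          # Notes DN from the Person document, e.g. "CN=Jane Smith/O=Example"
    internet_address: str  # the Person document's Internet Address field


def same_address(a: str | None, b: str | None) -> bool:
    """Compare two mail addresses case-insensitively (the domain part is always
    case-insensitive and local parts are in practice). A missing AD mail
    attribute never matches, so that user always needs an explicit mapping."""
    if not a or not b:
        return False
    return a.strip().lower() == b.strip().lower()


def plan_mapping(pairs: list[tuple[AdUser, DominoPerson]]) -> dict[str, str]:
    """For each correlated AD/Domino pair, return {ad_dn: notes_dn} for users whose
    AD mail does not equal the Domino Internet Address. An empty result means no
    additional directory configuration is required."""
    return {
        ad.dn: person.notes_dn
        for ad, person in pairs
        if not same_address(ad.mail, person.internet_address)
    }


def to_ldif(mapping: dict[str, str], attribute: str = "altSecurityIdentities") -> str:
    """Draft one LDIF 'modify' operation per user that adds the Notes DN to the
    chosen attribute. Assumption: the value is the plain Notes DN."""
    entries = []
    for ad_dn, notes_dn in sorted(mapping.items()):
        entries.append(
            f"dn: {ad_dn}\n"
            "changetype: modify\n"
            f"add: {attribute}\n"
            f"{attribute}: {notes_dn}\n"
            "-\n"
        )
    return "\n".join(entries)


# Constructed sample records; none of these are real accounts.
SAMPLE_PAIRS = [
    (AdUser("CN=Jane Smith,OU=Users,DC=example,DC=com", "jane.smith@example.com"),
     DominoPerson("CN=Jane Smith/O=Example", "Jane.Smith@example.com")),  # same address, case differs only
    (AdUser("CN=Bob Lee,OU=Users,DC=example,DC=com", "blee@example.com"),
     DominoPerson("CN=Bob Lee/O=Example", "bob.lee@example.com")),        # different address: needs mapping
    (AdUser("CN=Ann Wu,OU=Users,DC=example,DC=com", None),
     DominoPerson("CN=Ann Wu/O=Example", "ann.wu@example.com")),          # no AD mail attribute: needs mapping
]


if __name__ == "__main__":
    needed = plan_mapping(SAMPLE_PAIRS)
    if not needed:
        print("All addresses match: no additional directory configuration is required.")
    else:
        print(f"{len(needed)} user(s) need a Notes DN in altSecurityIdentities:")
        print(to_ldif(needed))
```

If the script reports no mismatches you can skip the directory assistance step entirely; otherwise the generated LDIF shows exactly which AD objects need the extra attribute, and directory assistance must then be configured to use that attribute.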
Single Sign-on
If users will access more than one Domino server or WebSphere and Domino servers, single sign-on is required. Configure single sign-on and test that it works before configuring SAML authentication. Using multi-server session authentication rather than single-server session authentication is a best practice. For more information, see Multi-server session-based authentication (single sign-on).
SSL certificate
ID Vault
For Web federated login or Notes federated login, an ID vault must be set up and participating users must have IDs in the vault. Ensure that users are assigned to a vault through Security policy settings. For more information, see Assigning users to a vault.
Be sure to enable iNotes to use the vault. To see whether an iNotes user’s ID file is uploaded to the vault, a vault administrator can open the ID vault application and check for the user's name in the Vault Users view. For more information, see Enabling programs that store IDs in databases to use a vault.
Security settings
- Disable the field Enforce Internet Password Lockout on the Security tab of the server Configuration document.
- Disable any Web password management settings, such as synchronizing the Notes® client password with the Internet password, that are enabled in security policies that are assigned to SAML users.
Domino Web server testing (Recommended)
Because SAML requires coordinated configuration of both Domino® and the identity provider (IdP), the Domino® Web server configuration should be sound on its own, independent of any IdP, before you add SAML. Therefore, before configuring SAML, consider setting up the Domino® HTTP server for single-server session authentication. This task includes configuring Domino® so that you can log in as a Web user (for example, as the Domino® administrator that was registered in the Domino® Directory during server setup). When you can log in as this administrator and successfully browse to URLs on the Domino® server, the server is ready for SAML configuration and enablement.
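The readiness test described above can be scripted so that it is repeatable before and after each configuration change. The following script is an added example, not part of the Domino documentation: it submits the session login form, confirms that a session cookie was issued, and then requests a protected URL with that cookie. The login URL (names.nsf?Login), the form field names (Username, Password, RedirectTo) and the cookie names (DomAuthSessId for single-server, LtpaToken for multi-server session authentication) are assumptions based on Domino's default session login form and should be verified against your server; the probe path and credentials are supplied on the command line.

```python
"""Readiness check for Domino HTTP session authentication: log in as a Web user,
confirm a session cookie was issued, and fetch a protected URL with it.

Added example; not from the Domino documentation. The URL, form field and
cookie names below are assumptions about Domino's default login form.
"""
from __future__ import annotations

import http.cookiejar
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed cookie names: DomAuthSessId (single-server), LtpaToken (multi-server).
SESSION_COOKIES = ("DomAuthSessId", "LtpaToken")
LOGIN_PATH = "/names.nsf?Login"  # assumed default session login form location


def session_cookie_issued(cookie_names: list[str]) -> str | None:
    """Return the first recognised session cookie name present, or None."""
    for name in cookie_names:
        if name in SESSION_COOKIES:
            return name
    return None


def login_form_body(username: str, password: str, redirect_to: str = "/") -> bytes:
    """Encode the fields the default Domino session login form submits (assumed names)."""
    return urllib.parse.urlencode(
        {"Username": username, "Password": password, "RedirectTo": redirect_to}
    ).encode()


def landed_on_login_form(final_url: str) -> bool:
    """A request that ends on the login form was not authenticated."""
    return "login" in final_url.lower()


def check_server(base_url: str, username: str, password: str, probe_path: str) -> dict:
    """Perform the login and the authenticated probe; return a small result record
    (no secrets) that callers can print or assert on."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    result = {"cookie": None, "probe_status": None, "ok": False}
    try:
        with opener.open(urllib.request.Request(base_url + LOGIN_PATH,
                                                data=login_form_body(username, password))):
            pass  # cookies from the login response (and any redirect) are now in the jar
        result["cookie"] = session_cookie_issued([c.name for c in jar])
        if result["cookie"] is None:
            return result  # no session cookie: credentials or session auth setup is wrong
        with opener.open(base_url + probe_path) as resp:
            result["probe_status"] = resp.status
            result["ok"] = resp.status == 200 and not landed_on_login_form(resp.url)
    except urllib.error.HTTPError as err:
        result["probe_status"] = err.code  # 401/403 etc. mean the server rejected the request
    return result


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: check_domino_login.py https://server.example.com USER PASSWORD /names.nsf")
    outcome = check_server(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
    print(outcome)
    sys.exit(0 if outcome["ok"] else 1)
```

A non-zero exit with no cookie in the result points at the login step (session authentication not enabled, wrong Internet password, or a different login form); a cookie followed by a probe that lands back on the login form points at the authenticated request, which is the part SAML will later replace.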