Using Security Assertion Markup Language (SAML) to configure federated-identity authentication
Federated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. In Domino® and Notes®, federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS.
About this task
SAML authentication allows a user to authenticate once with a designated identity provider (IdP), after which the user can access any server that is partnered with the IdP. Both Notes® client and web client users can make use of SAML-based authentication. Authentication depends upon signed XML identity assertions. The result for the user is transparent authentication and single-sign on with one-time authentication for multiple Domino® web servers and applications, as well as any third-party applications that are also partnered with the IdP. The IdP determines the method of the one-time authentication; it might prompt the user for a password, or use a non-password authentication methods such as Integrated Windows™ authentication (SPNEGO/Kerberos) for users within an intranet.
- For Notes® client users on Windows™ or Citrix, SAML authentication can facilitate a single-sign on solution, usually with the IdP configured for Integrated Windows™ authentication (IWA). SAML authentication at Notes® client startup is referred to as Notes® federated login. As a bonus, the HTTP server task does not need to be run on the Domino® vault server, because the HTTP portion of SAML is handled within the Notes® client.
- For web client users such as IBM iNotes users, SAML authentication also facilitates a single-sign on solution in which the user’s ID file is downloaded from the Notes® ID vault. This type of SAML authenticationis referred to as Web federated login, and allows iNotes users to use secure mail operations.
- For users of other applications on Web servers, SAML-based single sign-on is an alternative to another method of single sign-on (SSO) already available in Domino®: multi-session server authentication. SAML is most useful when your Domino® environment includes third-party Web applications whose services your users access, or if multi-session server authentication is too limiting for your organization -- for example if the target environment requires SSO across DNS domains.
The administrator can set up a Domino® server to use SAML authentication by making it a partner with an on-premises federated-identity server such as Microsoft Active Directory Federation Services (ADFS). The ADFS server becomes the identity provider (IdP), and the Domino® server is registered with it as a provider of the SAML authentication service.
Domino® supports both SAML 1.1 and SAML 2.0. The SAML version you use depends partially on your choice of identity provider. SAML 2.0 is recommended unless your organization has a specific reason to use SAML 1.1. SAML 1.1 may be required to support single sign-on with specific applications.
Identity Provider (IdP) | SAML Version |
---|---|
IBM® Tivoli® Access Manager/Tivoli Federated Identity Manager (TAM/TFIM) | SAML 1.1 or SAML 2.0 |
Microsoft™ Active Directory
Federation Services (ADFS). The following versions are supported:
|
SAML 2.0 required |
Enabling SAML authentication may have unexpected results with RSS feeds if your organization uses them.
Compatibility
If your organization uses... | SAML is not recommended because... |
---|---|
Smartcard protected ID | Federated login user IDs cannot be Smartcard protected IDs, because the ID vault required for Notes® federated login cannot be used with a Smartcard protected ID. |
Notes® roaming user whose ID file is stored on the server in a roaming personal address book. | Federated login users cannot be Notes® roaming users whose IDs are stored in a roaming personal address book, because the ID vault required for Notes® federated login cannot be used with Notes® IDs stored in a roaming personal address book. |
Notes® on a USB device | Federated login cannot be used with Notes® on a USB device, because the ID vault required for Notes® federated login cannot be used with Notes® on a USB device. |
Notes® user IDs with multiple passwords | Federated login user IDs cannot be Notes® user IDs with multiple passwords, because the ID vault required for Notes® federated login and cannot be used with IDs that have multiple passwords. |
Server-based password checking for Notes® users | Disable this feature on server platforms when configuring all Notes® users for Notes® federated login. Password checking can be enforced for non-federated login users, but cannot be enforced for federated login users. |
Notes Single Login component installed with the Notes client | This configuration is not supported with Notes federated login. |
Notes basic client, Domino administrator client | These clients are not supported with Notes federated login. The Notes standard client is required. |