After setting up a Relying Party Trust, enable Nomad federated login in the Security
Settings policy used for the ID vault and in the ID vault document.
Before you begin
- Before you enable Nomad federated login for all Nomad users, consider enabling the Security Settings policy for a test user and verifying that Nomad federated login works for that user.
- In any security policies that are applied to Nomad users whom you plan to include in Nomad federated login, disable synchronizing the Notes® client password with the Internet password.
- See the table of client configurations that are incompatible with federated login in the topic Using Security Assertion Markup Language (SAML) to configure federated-identity authentication.
Procedure
- Enable Nomad federated login in the Security Settings policy:
  - In the Domino® Directory, open the Security Settings policy used for Nomad users and assigned to your organization's ID vault.
  - Select the ID Vault tab and verify that there is an assigned vault used by Nomad federated login.
  - Select the tab.
  - Select Yes for Enable Nomad federated login with SAML IdP.
    Note: Uncheck (clear) the Don't set this Value field, which is checked by default.
  - Under Additional settings for Federated Login, select Yes for Allow password authentication with the ID vault.
    Tip: After a user has been verified to be working with federated login, it is a recommended security improvement to change Allow password authentication with the ID vault to No. When password authentication with the ID vault is not allowed, the user is required to authenticate to the vault using federated login in order to download the user's ID. Because this policy setting controls Notes, Nomad, and Web behavior with the ID vault, change the setting to No only if federated login should be used exclusively.
    Note: You may need to select Enable Web Federated login with SAML IdP to see this option.
  - Select the Keys and Certificates tab and complete the following steps to add the Notes® certifier of the Nomad users to the policy.
    Note: If Notes federated login is enabled for users who are also Nomad users, this step is completed already and you can skip it.
    - In the Administrative Trust Defaults section, click Update Links.
    - Choose Selected supported and click OK.
    - Select the Notes Certifiers tab, select the Organization certificates that signed the IDs of the Nomad users, and click OK.
      Note: If the IDs are signed by an Organization Unit (OU) certificate, include all certificates in the hierarchy, including the Organizational certificate.
  - Click Save & Close.
- Enable Nomad federated login in the ID vault document:
  - From the Domino® Administrator, open the ID vault application (idvault.nsf), which by default is stored in the IBM_ID_VAULT directory.
  - From the Configuration view, open the vault document for the vault that contains the Nomad user IDs.
  - In the field Nomad federated login approved IdP configurations, enter the value specified in the Host names or addresses mapped to this site field of the IdP Configuration document created for Nomad federated login. For example, nomad.vault.safelinx.renovations.com.
    Note: You must include the nomad.vault. prefix, which is required for proper operation of Nomad federated login.
  - Click Save & Close.