Troubleshooting Nomad federated login
If Nomad federated login is working, a user who has not set up Nomad for web browsers or Nomad for iOS can connect to the Nomad server without being prompted for a Notes ID during setup. If you encounter a problem with Nomad federated login, the following sections describe common issues and workarounds.
Message: "HCL Nomad will be setup automatically" (only for Nomad for web browsers)
When the user is asked to click Continue during setup, it is because Nomad was unable to create and access a hidden IFRAME element in the browser. This is usually because one or more of the HTTP headers from the IdP were missing or incorrect.
The browser’s console should provide more information about what is wrong.
- If the message is
  Refused to frame '<url>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'
  it is working as intended, as the IFRAME is not allowed.
- If the message is
  The ‘Content-Security-Policy’ is incorrect
  the Content-Security-Policy header from the IdP needs to be fixed. For more information, see Configuring optional HTTP headers in the Nomad Administration documentation for appropriate modifications to SAML deployments.
- If the console contains neither of the messages above, the problem is likely one or both of the following headers from the IdP:
  - Cross-Origin-Embedder-Policy must be require-corp
  - Cross-Origin-Resource-Policy must be cross-origin
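As an added example (not part of the HCL documentation), the following JavaScript checks a captured set of IdP response headers against the three conditions listed above and reports which one would stop the hidden IFRAME. The function names, origins and sample headers are constructed for illustration, and the frame-ancestors matcher handles only 'none', 'self', * and scheme://host[:port] sources (with an optional leading *.).

```javascript
// Constructed origins and headers; replace with values captured from your IdP.
const NOMAD = "https://nomad.example.com/nomad/";
const IDP = "https://idp.example.com/sso";
const badHeaders = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
  "Cross-Origin-Resource-Policy": "same-origin",
};

// Does one frame-ancestors source permit the embedding page (Nomad)?
function sourceAllows(source, embedder, idp) {
  const s = source.toLowerCase();
  if (s === "*") return true;
  if (s === "'self'") return embedder.origin === idp.origin; // 'self' is the IdP's own origin
  if (!s.includes("://")) return false; // 'none', plus source forms not handled here
  const wildcard = s.includes("://*.");
  let src;
  try { src = new URL(s.replace("://*.", "://")); } catch { return false; }
  if (src.protocol !== embedder.protocol || src.port !== embedder.port) return false;
  return wildcard ? embedder.hostname.endsWith("." + src.hostname)
                  : embedder.hostname === src.hostname;
}

// Every comma-separated policy that carries frame-ancestors must allow the embedder.
function frameAncestorsAllows(csp, embedder, idp) {
  return (csp || "").split(",").every((policy) => {
    const dir = policy.split(";").map((d) => d.trim().split(/\s+/))
      .find((tokens) => tokens[0].toLowerCase() === "frame-ancestors");
    return !dir || dir.slice(1).some((src) => sourceAllows(src, embedder, idp));
  });
}

// Returns findings; an empty list means these headers do not block the IFRAME.
function auditIdpHeaders(headers, nomadUrl, idpUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const first = (name) => (h[name] || "").split(";")[0].trim().toLowerCase();
  const embedder = new URL(nomadUrl);
  const findings = [];
  if (first("cross-origin-embedder-policy") !== "require-corp")
    findings.push("Cross-Origin-Embedder-Policy must be require-corp");
  if (first("cross-origin-resource-policy") !== "cross-origin")
    findings.push("Cross-Origin-Resource-Policy must be cross-origin");
  if (!frameAncestorsAllows(h["content-security-policy"], embedder, new URL(idpUrl)))
    findings.push(`frame-ancestors refuses framing by ${embedder.origin}`);
  return findings;
}

console.log(auditIdpHeaders(badHeaders, NOMAD, IDP));
```

A frame-ancestors finding corresponds to the "Refused to frame" console message; whether that is intended depends on the deployment, as described in the first list item.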
If the console message is
The path of the provided scope ('/') is not under the max scope allowed ('/nomad/')
update the Service-Worker-Allowed HTTP header to allow the scope. For more information on the Service-Worker-Allowed header, see Hosting static files in the Nomad administration documentation.
User is prompted for Notes ID password
This can be caused by several configuration errors. To identify the problem, authenticate as the user, enter the URL
<hostname>/nomad/userConfig.json
and look at the resulting text in the browser.
- If the “deployNSF” part is missing:
  - Check the SafeLinx configuration to make sure it is configured for SAML. For more information, see Configuring SAML in the SafeLinx documentation.
  - Check that deploy.nsf is copied to the server. For more information, see Exporting Notes certificates to a deploy.nsf file.
- Check the policy settings on the Domino server, as described in Enabling Nomad federated login. If the policy is not enabled, the browser console displays the following message:
  Server domino/EXAMPLE reported the following problem causing authentication to fail: You are not authorized to perform this function on this server
Client fails to download the deploy.nsf database from the Nomad (SafeLinx) server (only for Nomad for web browsers)
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] HTTP_Service::processNewSession() adjusted URI = '/deploy.nsf'
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] LTPA_KeyHandler::decodeRSAKey: (return), rc=0
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] start= 'u:user\:defaultRealm/CN=<username>,O=<org>%1643059074000%'
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] nomad-web-proxy0::processLtpaSessionKey: (entry)
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] nomad-web-proxy0::processLtpaSessionKey - cookie's LtpaToken expires in 598 minutes
5980: 2892 (Jan 24 2022/12:18:23.9180)[HTTPAS]nomad-web-proxy0::processLtpaSessionKey: auth by LtpaToken cookie
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] AUTH_Server::mdmAuthenticate: (entry)
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] HTTP_APPL: assigning traffic to Nomad application handler [<user_mail_address>]
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] getServerURL(): '/deploy.nsf'
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] getServerMapping() returns NULL
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] setupProxyConnection: appending / and trying again
5980: 2892 (Jan 24 2022/12:18:23.9180)[WARN] setupProxyConnection: failed to assign app server for URI '/deploy.nsf/', APP_ServerMgr::assignServer(): Failed to find matching server (errno=0)
file - line: APP_ServerMgr.C - 876
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] setup connection, elapsed time: 0ms
5980: 2892 (Jan 24 2022/12:18:23.9180)[WARN] nomad-web-proxy0: failed to setup back end connection, elapsed time: 0ms [<user_mail_address>]
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] ConnectionFailed: URL NULL
5980: 2892 (Jan 24 2022/12:18:23.9180)[HTTPAS]httpServerResponse: HTML pkt size: 490
HTTP/1.1 404 Not Found
- Verify that deploy.nsf has been copied to the Nomad server.
- Windows only: If deploy.nsf is in the default location, <SafeLinx_install>\saml, move it outside of the install directory and use the chwg command to indicate its new location.