Preparing Active Directory Federation Services (ADFS)
If your IdP is Microsoft™ Active Directory Federation Services (ADFS), complete these steps to prepare to use ADFS with Domino.
Procedure
- Verify that you meet the following requirements:
  - One of the following versions of ADFS installed and configured:
    - 2.0 (provided with Windows Server 2008 R2)
    - 3.0 (provided with Windows Server 2012 R2)
    - 4.0 (provided with Windows Server 2016)
  - A Secure Sockets Layer (SSL) certificate on the ADFS server that is signed by a Certificate Authority (CA). The CA root certificate should be deployed to clients by a domain policy, which is an ADFS best practice.
  - The following components must be in the same Active Directory domain, unless Active Directory trust relationships are in place:
    - ADFS server
    - User records
    - Client computers from which users log in (Integrated Windows™ Authentication only)
- Verify that your ADFS server is operational. For steps, see the Microsoft article Verify That a Federation Server Is Operational.
- Go to https://<ADFS server hostname>/adfs/ls/IdpInitiatedSignon.aspx and test that a user can log in.
  If you see the error "This page cannot be displayed", enable the IdP-initiated sign-on page:
  - In Windows PowerShell on the ADFS server, run the following command:
    Get-AdfsProperties
  - Check whether the EnableIdpInitiatedSignonPage line in the output is False:
    EnableIdpInitiatedSignonPage : False
  - If the value is False, run the following command to set it to True:
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
  - Run the following command again to confirm the change:
    Get-AdfsProperties
  - Restart the ADFS service.
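The sign-on page check above, as an added PowerShell example that is not part of the Domino documentation: it enables EnableIdpInitiatedSignonPage only when it is off, restarts the service, and then confirms the page answers over a trusted HTTPS connection. It assumes ADFS 3.0 or 4.0 (ADFS PowerShell module, service name adfssrv) and PowerShell 3.0 or later for Invoke-WebRequest; the hostname is a placeholder.

```powershell
# Added example, not from the Domino documentation. Run in an elevated
# PowerShell on the ADFS server (ADFS 3.0/4.0, PowerShell 3.0+ assumed).
$fsHost    = 'adfs.example.com'   # placeholder: your federation service name
$signOnUrl = "https://$fsHost/adfs/ls/IdpInitiatedSignon.aspx"

# Step 1/2 of the procedure: read the current value instead of assuming it.
# On Windows Server 2016 (ADFS 4.0) this page is off by default, and it is an
# additional unauthenticated endpoint, so enable it only because Domino needs it.
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    Write-Host 'EnableIdpInitiatedSignonPage is False; enabling it.'
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

    # Step 4: re-read the property to confirm the change actually applied.
    $props = Get-AdfsProperties
    if (-not $props.EnableIdpInitiatedSignonPage) {
        throw 'Set-AdfsProperties did not take effect; check the ADFS event log.'
    }

    # Step 5: the page is only served after the service restarts
    # (service name adfssrv is an assumption for ADFS 3.0/4.0).
    Restart-Service -Name adfssrv
} else {
    Write-Host 'EnableIdpInitiatedSignonPage is already True; nothing changed.'
}

# Confirm the page is reachable. Invoke-WebRequest refuses an untrusted
# server certificate, which doubles as a check of the CA-signed certificate
# prerequisite: a self-signed or mis-deployed chain fails here, as it would
# in a client browser.
try {
    $resp = Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing -ErrorAction Stop
    Write-Host "Sign-on page returned HTTP $($resp.StatusCode) from $signOnUrl"
} catch {
    Write-Warning "Sign-on page not reachable or certificate not trusted: $($_.Exception.Message)"
}
```

A user-level login test in a browser is still needed afterwards; this script only confirms the page is served and the certificate chain validates from the server itself.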
- Verify that the content of the following two fields match for each user:
  - The Internet address field in the Person document in the Domino directory.
  - The E-mail field in the user's ADFS properties box.
- Optional: If you will use Integrated Windows Authentication, it may need to be enabled in browsers. For more information, see Configure browsers for Integrated Windows Authentication.
Note: User login names are not the same as their email addresses, though they can look like email addresses.