Preparing Active Directory Federation Services (ADFS)

If your IdP is Microsoft Active Directory Federation Services (ADFS), complete these steps to prepare to use ADFS with Domino.

About this task

These steps are based on ADFS 4.0 and may vary if you use an earlier version.

Procedure

  1. Verify that you meet the following requirements:
    • One of the following versions of ADFS installed and configured:
      • 2.0 (Provided with Windows Server 2008 R2)
      • 3.0 (Provided with Windows Server 2012 R2)
      • 4.0 (Provided with Windows Server 2016)
    • A Secure Sockets Layer (SSL) certificate on the ADFS server that is signed by a Certificate Authority (CA). Deploying the CA root certificate to clients through a domain policy is an ADFS best practice.
    • The following components must be in the same Active Directory domain, unless Active Directory trust relationships are in place:
      • ADFS server
      • User records
      • Client computers from which users log in. (Integrated Windows Authentication only)
  2. Verify that your ADFS server is operational. For steps, see the Microsoft article Verify That a Federation Server Is Operational.
  3. Go to https://<ADFS server hostname>/adfs/ls/IdpInitiatedSignon.aspx and test that a user can log in.
    • If you see the error This page cannot be displayed, enable the IdP-initiated sign-on page:
      1. In a Windows PowerShell on the ADFS server, run the following command:
        Get-AdfsProperties
      2. Check whether the line EnableIdpInitiatedSignonPage in the output shows False:
        EnableIdpInitiatedSignonPage    :False
      3. If the value is False, run the following command to set it to True:
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
      4. Run the following command to confirm the change:
        Get-AdfsProperties
      5. Restart the ADFS service.
  4. Verify that the content of the following two fields matches for each user:
    • The Internet address field in the Domino directory Person document.
    • The E-mail field in the user ADFS properties box.
  5. Optional: If you will use Integrated Windows Authentication, it may need to be enabled in browsers. For more information, see Configure browsers for Integrated Windows Authentication.
    Note: User login names are not the same as their email addresses, even though they can look like email addresses.
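The check-enable-restart-verify sequence from step 3, written as one PowerShell script, is an added example and not part of the HCL documentation. It assumes it runs in an elevated PowerShell on the ADFS server, that the ADFS Windows service is named adfssrv, and it uses a placeholder hostname that you replace with your federation service name.

```powershell
# Added example (not HCL documentation code): check the ADFS IdP-initiated
# sign-on page setting, enable it only if it is off, restart the service and
# confirm the endpoint answers. Run in an elevated PowerShell on the ADFS server.
$adfsHost = 'adfs.example.com'   # placeholder: your federation service hostname

# 1. Read the current value with the same cmdlet the procedure uses.
$props = Get-AdfsProperties
Write-Host "EnableIdpInitiatedSignonPage is currently: $($props.EnableIdpInitiatedSignonPage)"

# 2. Change the setting only when it is disabled, so an already-correct
#    server is not modified or restarted needlessly.
if (-not $props.EnableIdpInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

    # 3. Re-read the property to confirm the change before restarting anything.
    $confirmed = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
    if (-not $confirmed) {
        throw 'EnableIdpInitiatedSignonPage is still False after Set-AdfsProperties'
    }

    # 4. Restart the ADFS service (service name adfssrv) so the setting takes effect.
    Restart-Service -Name adfssrv
    Write-Host 'ADFS service restarted.'
}

# 5. Confirm that the sign-on page the procedure tests in a browser is reachable.
#    The HTTPS connection relies on the CA-signed certificate from the
#    requirements step; a certificate error here points back to that step.
$url = "https://$adfsHost/adfs/ls/IdpInitiatedSignon.aspx"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Host "GET $url returned HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "GET $url failed: $($_.Exception.Message)"
}
```

The script only confirms that the page is served; the interactive login test in step 3 and the e-mail field comparison in step 4 still have to be done by hand.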