Completing Domino prerequisites for SAML

Complete the following Domino configuration that is required by SAML.

Single Sign-on

If users will access more than one Domino server or WebSphere and Domino servers, single sign-on is required. Configure single sign-on and test that it works before configuring SAML authentication. Using multi-server session authentication rather than single-server session authentication is a best practice. For more information, see Multi-server session-based authentication (single sign-on).

TLS certificate

If your users require secure HTTPS connections for accessing the Domino server, or if you have mobile clients, configure a valid TLS certificate on the Domino Web servers. The certificate should be issued by a Certificate Authority (CA) rather than self-signed; most current browsers do not support self-signed certificates. For more information, see Managing TLS certificates with Certificate Manager.
Note: If you use only Notes federated login and not basic Web SAML authentication or Web federated login, a TLS certificate is not required on Domino servers. With Notes federated login, neither the Notes client nor the ADFS servers connect to the Domino server over HTTPS.

Security settings

Configure the following security settings:
  • Disable the field Enforce Internet Password Lockout on the Security tab of the server Configuration document.
  • Disable any Web password management settings, such as synchronizing the Notes® client password with the Internet password, that are enabled in security policies that are assigned to SAML users.

Domino Web server testing (Recommended)

Because SAML requires coordinated configuration on both Domino® and the identity provider (IdP), the Domino® Web server configuration should first be fundamentally sound when used independently of an IdP. Therefore, before configuring SAML, consider setting up the Domino® HTTP server for single-server session authentication. This task includes configuring Domino® so that you can log in as a Web user (for example, as the Domino® administrator configured in the Domino® Directory during Domino® server setup). After you can log in as that Domino® user and successfully browse to URLs on the Domino® server, the server is ready for SAML configuration and enablement.

Clock synchronization

Important: SAML authentication includes timestamps. Ensure that the SAML IdP computer and the Domino® SAML service provider computer have their clocks synchronized so that these computers share the same notion of current time. If clocks are too far out of sync, a SAML assertion may be rejected because the assertion appears to have an invalid time. This is particularly problematic if the IdP machine time is ahead of the Domino® server time, so that Domino® rejects an assertion which appears to specify a future time.
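The following added example (not part of this documentation or of Domino) shows how a SAML service provider evaluates an assertion's NotBefore/NotOnOrAfter window against its own clock, and why an IdP clock running ahead of the server makes a fresh assertion look like it specifies a future time. The assertion XML and the 90-second offset are constructed for illustration, and the two-minute skew tolerance is an assumed value.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(ts: str) -> datetime:
    """Parse a SAML xsd:dateTime in UTC (trailing 'Z') into an aware datetime."""
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, sp_now: datetime,
                     skew: timedelta = timedelta(0)) -> str:
    """Judge the assertion's <Conditions> window by the service provider's clock.

    Returns 'ok', 'not-yet-valid' or 'expired'. `skew` is the tolerance the SP
    grants in both directions to absorb small clock differences with the IdP."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    not_before = parse_utc(cond.get("NotBefore"))          # inclusive, stamped by the IdP clock
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))  # exclusive
    if sp_now + skew < not_before:
        return "not-yet-valid"  # the assertion appears to lie in the future
    if sp_now - skew >= not_on_or_after:
        return "expired"
    return "ok"


def assertion_from_idp(idp_now: datetime, lifetime: timedelta = timedelta(minutes=5)) -> str:
    """Constructed minimal assertion whose validity window starts at the IdP's clock."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Conditions NotBefore="{idp_now.strftime(TS_FMT)}" '
        f'NotOnOrAfter="{(idp_now + lifetime).strftime(TS_FMT)}"/>'
        "</saml:Assertion>"
    )


def demo() -> dict:
    sp_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    idp_ahead = sp_now + timedelta(seconds=90)  # IdP clock runs 90 s ahead of the SP
    ahead_xml = assertion_from_idp(idp_ahead)
    return {
        "clocks_synced": check_conditions(assertion_from_idp(sp_now), sp_now),
        "idp_ahead_no_tolerance": check_conditions(ahead_xml, sp_now),
        "idp_ahead_2min_tolerance": check_conditions(ahead_xml, sp_now, timedelta(minutes=2)),
    }


if __name__ == "__main__":
    print(demo())
```

Synchronizing both clocks with NTP removes the problem at its source; a skew tolerance only masks offsets smaller than the tolerance and widens the replay window by the same amount.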
For information on NOTES.INI settings that may avoid clock skew, see the following articles in the Notes and Domino wiki: