Enabling Notes federated login
Enable Notes federated login to allow Notes client users to start Notes and perform secure operations without being prompted for a Notes ID password.
Before you begin
- If you are also using Web federated login, enable it and test that it works.
- Before you enable Notes federated login for all Notes client users, enable it for a test user and test that Notes federated login works for that user.
- In any security policies that are applied to Notes® users whom you plan to include in Notes® federated login, disable synchronizing the Notes® client password with the Internet password.
- See the table of client configurations that are incompatible with federated login in the topic Using Security Assertion Markup Language (SAML) to configure federated-identity authentication.
- Complete all the steps in the section Configuring ID vault servers for Notes or Web federated SAML login.
About this task
The client notes.ini setting MakeNFLMandatory=1 makes Notes federated login mandatory for that client.
Note: This setting isn't enabled by default.
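When rolling the setting out to clients that already have a notes.ini, an administrator wants the change to be idempotent and to leave exactly one line for the key. The following is an added example, not HCL's own tooling: it treats notes.ini as a flat KEY=value file with case-insensitive keys (which is how the Notes client reads it); the sample file contents and the enforce helper are constructed for illustration.

```python
"""Set or verify MakeNFLMandatory=1 in a Notes client notes.ini (added example)."""
import re
from pathlib import Path

KEY = "MakeNFLMandatory"
# Matches the key at the start of a KEY=value line; notes.ini has no sections.
_LINE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")


def get_ini_value(text: str, key: str):
    """Return the value of the first line whose key matches (case-insensitive), else None."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() == key.lower():
            return m.group(2)
    return None


def set_ini_value(text: str, key: str, value: str) -> str:
    """Return text with KEY=value present exactly once.

    The first existing line for the key (any letter case) is rewritten in place,
    later duplicates are dropped so a stale value cannot shadow the new one,
    and the key is appended if it was absent.
    """
    out, seen = [], False
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() == key.lower():
            if not seen:
                out.append(f"{key}={value}")
                seen = True
            continue  # drop duplicate lines for this key
        out.append(line)
    if not seen:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def nfl_mandatory_enabled(text: str) -> bool:
    """True only when the setting is explicitly 1; absent means the default (off)."""
    return get_ini_value(text, KEY) == "1"


def enforce(path: Path) -> bool:
    """Idempotently set MakeNFLMandatory=1 in the file at `path`; return True if it changed."""
    before = path.read_text(encoding="utf-8", errors="replace")
    after = set_ini_value(before, KEY, "1")
    if after != before:
        path.write_text(after, encoding="utf-8")
        return True
    return False


# Constructed sample notes.ini content, not taken from a real client.
SAMPLE_INI = (
    "Directory=C:\\Notes\\Data\n"
    "KeyFilename=user.id\n"
    "makenflmandatory=0\n"
    "MAKENFLMANDATORY = 0\n"
)

if __name__ == "__main__":
    print("before:", nfl_mandatory_enabled(SAMPLE_INI))
    updated = set_ini_value(SAMPLE_INI, KEY, "1")
    print(updated, end="")
    print("after:", nfl_mandatory_enabled(updated))
```

Run `enforce(Path("notes.ini"))` against a client's file once federated login has been verified for that user; running it again is a no-op, so it is safe to include in a recurring configuration job.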
Procedure
- In the Domino® Directory, open the existing Security Settings policy for users of your organization’s ID vault.
- On the ID Vault tab, make sure there is an assigned vault.
- Select the tab.
- Select Yes for Enable Notes federated login with SAML IdP.
- When the policy is initially being deployed, under Additional settings for Federated Login (Notes or Web), select Yes for Allow password authentication with the ID vault.
Tip: After a user has been verified to be working with federated login, it is a recommended security improvement to change Allow password authentication with the ID vault to No. When password authentication with the ID vault is not allowed, the user is required to authenticate to the vault using federated login in order to download the user's id for either Notes or Web use. Because this policy setting controls both Notes and Web behavior with the ID vault, change the setting to No only if federated login should be used exclusively.
- Optional: Create custom messages for users to notify them when federated login is either enabled or disabled.
- Select the Keys and Certificates tab.
- To add the Notes® certifier to the policy, in the Administrative Trust Defaults section, click Update Links.
- Choose Selected supported and click OK.
- Click the Notes Certifiers tab, select the certificates which signed the IDs of the Notes users, and click OK.
Note: If the IDs are signed by an Organization Unit (OU) certificate, include all certificates in the hierarchy, including the Organizational certificate.
- Click the Internet Cross Certificates tab, select the cross certificate from the Notes root certifier to the certificate exported from ADFS and click OK.
- Click the Internet Certificates tab, select the TLS certificate exported from ADFS and click OK.
- Verify that a chain of at least three certificates is shown (more if there are organization unit certificates): the Notes certifier at the top, the internet cross certificate in the middle, and the internet certificate at the bottom.
- Optional: Enter a formula under Machine specific formula to apply the policy to specific computers for clients who have multiple computers.
- Save and close the security policy.
- From the Domino® Administrator, open the ID vault application (idvault.nsf), which by default is stored in the IBM_ID_VAULT directory. Complete the following steps:
- From the Configuration view, open the vault document for the vault that will be configured for SAML authentication.
- In the field Notes federated login approved IdP configurations, enter the host name from the Host names or addresses mapped to this site field of the ID vault server IdP configuration document, for example vault.domino1.us.renovations.com.
- Click Save & Close.