HTTP Bearer authentication replacements

HCL Domino 14.0 provides the following HTTP Bearer authentication replacements.

Select Enable Microsoft Workarounds in idpcat.nsf when configuring bearer authentication with Azure AD or ADFS 2019. These OIDC providers do not follow the standard as closely as most other providers, so special workarounds are needed in order to support them. This replaces the HTTP_BEARER_ENABLE_MS_WORKAROUNDS notes.ini setting from 12.0.2 FP1, which has been removed.

When using a provider that sends the user's email or name in a Claim that is not named "email," set the Custom Email Claim Name field to the name of that custom claim. This replaces the HTTP_CUSTOM_EMAIL_CLAIM_NAME notes.ini from 12.0.2, which has been removed.

By default, the Domino HTTP server expects to receive an "aud" (audience) Claim containing the base resource being accessed, such as https://dominoserver.example.com. If your provider (Azure AD, for example) sends a nonstandard value in the audience claim, configure one or more alternative audience values in the Alternate Audiences field. This replaces the HTTP_BEARER_ALTERNATE_AUD_COUNT and HTTP_BEARER_ALTERNATE_AUD_X notes.ini variables, which have been removed.

Administrators who wish to restrict bearer authentication to specific applications by client_id sent in the "azp" Claim can configure one or more client_id values in the Allowed Client IDs field. This replaces the HTTP_BEARER_ALLOWED_ID_COUNT and HTTP_BEARER_ALLOWED_ID_X notes.ini variables from 12.0.2, which have been removed.
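As an added example (not HCL's code), the following Python models how the Alternate Audiences, Allowed Client IDs and Custom Email Claim Name fields described above combine when a decoded token is checked; the BearerConfig class, the resolve_user function and the sample values are assumptions, and token signature and expiry verification is assumed to have happened beforehand.

```python
from dataclasses import dataclass, field


@dataclass
class BearerConfig:
    # Hypothetical in-memory shape of the idpcat.nsf fields described above.
    base_resource: str                                        # expected "aud"
    alternate_audiences: list = field(default_factory=list)   # Alternate Audiences
    allowed_client_ids: list = field(default_factory=list)    # Allowed Client IDs (empty = any)
    custom_email_claim: str = "email"                         # Custom Email Claim Name


def resolve_user(claims: dict, cfg: BearerConfig) -> str:
    """Apply the audience, azp and email-claim rules to an already
    signature-verified token and return the user's email, else raise."""
    # RFC 7519 allows "aud" to be a single string or an array of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    accepted = {cfg.base_resource, *cfg.alternate_audiences}
    if not accepted.intersection(audiences):
        raise ValueError(f"audience {audiences!r} not accepted")

    # Allowed Client IDs, when set, restricts which application (azp) may call.
    if cfg.allowed_client_ids and claims.get("azp") not in cfg.allowed_client_ids:
        raise ValueError(f"client_id {claims.get('azp')!r} not allowed")

    email = claims.get(cfg.custom_email_claim)
    if not isinstance(email, str) or not email:
        raise ValueError(f"claim {cfg.custom_email_claim!r} missing")
    return email


# Constructed sample: an Azure AD style token whose "aud" is the app's client ID
# instead of the Domino URL and whose email sits in "preferred_username".
APP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder, not a real client ID
SAMPLE_CLAIMS = {"aud": APP_ID, "azp": APP_ID, "preferred_username": "alice@example.com"}
SAMPLE_CFG = BearerConfig(
    base_resource="https://dominoserver.example.com",
    alternate_audiences=[APP_ID],
    allowed_client_ids=[APP_ID],
    custom_email_claim="preferred_username",
)
```

With the default configuration (no alternate audiences, no allowed client IDs, claim name "email"), the same function accepts a standards-following token whose "aud" is the Domino base URL.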

The DEBUG_HTTP_BEARER_AUTH notes.ini still exists and works as it did in 12.0.2.

For more information, see Configuring HTTP Bearer authentication using an OIDC provider.