Configuring Nomad server on Domino with OIDC login and Nomad federated login

When the Nomad server on Domino is configured with OIDC login and Nomad federated login, Nomad users can authenticate through Domino as an OIDC provider and then set up Nomad clients without being prompted for their HCL Notes ID and password.

Procedure

  1. Configure Domino as an OIDC provider and register the Nomad server as an OAuth client by following the steps in the Domino topics Configuring Domino as an OIDC provider and Register a new OAuth client, with the following changes.
    1. In Register a new OAuth client, complete the following steps:
      • In step 7, enter https://<nomad_server_site>/login/callback in the Redirect URI(s) field.
      • In step 10, enter https://<nomad_server_site>/logout/callback in the Post Logout Redirect URI(s) field.
      • To enable back channel logout, in step 11, set the Back Channel Logout URI field to the same value as the Post Logout Redirect URI(s) field.

      In those steps, replace <nomad_server_site> with the hostname of the Nomad server on Domino, including the port if the server does not listen on the default HTTPS port (443). The values entered here must match the redirect_uris in nomad-config.yml exactly (scheme, host, port and path); the OIDC provider rejects a redirect URI that is not registered.

    2. In Configuring Domino as an OIDC provider, under "Preparing the OIDC provider's Internet Site document", in step 5 ensure that Bearer Token (JWT) is selected in the "TLS Authentication" settings on the Security tab.
  2. Enable Nomad federated login with OIDC by following the steps in these topics:
  3. Configure the Nomad server to authenticate with the Domino OIDC provider.

    Add an "oidc" section to the "nomad-config.yml" file in the Domino data directory. Use the following example as a template.

    oidc:
      # issuer is the base URI of the OIDC provider.
      # Issuer names for Domino OIDC providers end with /auth/protocol/oidc
      issuer: "https://provider.example.com/auth/protocol/oidc"
      client:
        # Client ID of the registered OAuth client
        client_id: "nomad_client_id"
        # Client secret of Nomad's registered OAuth client.
        # The secret is stored in cleartext here, so restrict read access to this file
        # to the account the Domino server runs as.
        client_secret: "do_not_use_this_terrible_client_secret"
        # redirect_uris is an array of exactly two URIs as strings.
        # The first URI is the value of the "Redirect URI(s)" field in the OAuth client registered in the previous steps; it ends with "/login/callback".
        # The second URI is the "Post Logout Redirect URI(s)" field of the same document; it ends with "/logout/callback".
        # Both values must match the registered client exactly. If port 443 is not used, the port must be specified explicitly, as below.
        redirect_uris: ["https://nomad.example.com:9443/login/callback", "https://nomad.example.com:9443/logout/callback"]
      federated_login:
        # vault_scope must be the scope starting with "Domino.vault." from the "Scope(s)" field in the registered OAuth client document.
        # See https://help.hcl-software.com/domino/14.5.0/admin/secu_oidc_provider_fed_logiin_oidc.html for details.
        # A vault server named MyServer/MyOrg hosting a vault named O=MyVault has the following scope:
        vault_scope: "Domino.vault.MyOrg-O=MyVault"
        # vault_aud is vault_scope without the leading "Domino.vault.". This value must also be one of the allowed "Audience(s)" in the registered OAuth client document.
        # See https://help.hcl-software.com/domino/14.5.0/admin/secu_oidc_provider_fed_logiin_oidc.html for details.
        vault_aud: "MyOrg-O=MyVault"
      # Back channel logout; the Back Channel Logout URI registered in step 1 must be set for this to take effect.
      backchannel_logout:
        # false by default
        enabled: true

    For more information, see Configuration options for the Nomad server on Domino in the Administering HCL Nomad documentation.
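A misconfiguration between the two sides of this procedure (the OAuth client document on Domino and the oidc section in nomad-config.yml) typically surfaces only as a failed login. The following preflight check is an added example, not HCL code: it takes the oidc section as a Python dict (the shape PyYAML's yaml.safe_load produces for the template above; the sample dict is constructed for illustration) and checks the constraints the procedure states: the issuer suffix, two https callback URIs on one host:port ending in /login/callback and /logout/callback, vault_aud equal to vault_scope without the "Domino.vault." prefix, and that the template placeholder secret has been replaced. It also lists the values the registered OAuth client document must carry, so they can be compared field by field.

```python
"""Preflight check for the oidc section of nomad-config.yml (added example, not HCL code).

It encodes the rules stated in the procedure above. The OAuth client document
field names are the ones the procedure uses; SAMPLE_CONFIG is a constructed sample.
"""
from urllib.parse import urlsplit

ISSUER_SUFFIX = "/auth/protocol/oidc"
VAULT_SCOPE_PREFIX = "Domino.vault."
PLACEHOLDER_SECRET = "do_not_use_this_terrible_client_secret"

# Constructed sample: what yaml.safe_load() returns for the template in step 3,
# with the placeholder secret replaced.
SAMPLE_CONFIG = {
    "oidc": {
        "issuer": "https://provider.example.com/auth/protocol/oidc",
        "client": {
            "client_id": "nomad_client_id",
            "client_secret": "replace-me-with-the-real-secret",
            "redirect_uris": [
                "https://nomad.example.com:9443/login/callback",
                "https://nomad.example.com:9443/logout/callback",
            ],
        },
        "federated_login": {
            "vault_scope": "Domino.vault.MyOrg-O=MyVault",
            "vault_aud": "MyOrg-O=MyVault",
        },
        "backchannel_logout": {"enabled": True},
    }
}


def _https_origin(uri):
    """Return 'host[:port]' (lower-cased) for an https URI, or None if it is not https."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        return None
    return parts.netloc.lower()


def validate_oidc(config):
    """Return a list of problems; an empty list means the section is consistent."""
    problems = []
    oidc = config.get("oidc") or {}

    issuer = oidc.get("issuer", "")
    if not _https_origin(issuer) or not issuer.endswith(ISSUER_SUFFIX):
        problems.append(f"issuer must be https and end with {ISSUER_SUFFIX}: {issuer!r}")

    client = oidc.get("client") or {}
    if not client.get("client_id"):
        problems.append("client.client_id is empty")
    secret = client.get("client_secret", "")
    if not secret or secret == PLACEHOLDER_SECRET:
        problems.append("client.client_secret is empty or still the template placeholder")

    uris = client.get("redirect_uris") or []
    if len(uris) != 2:
        problems.append(f"redirect_uris must contain exactly two URIs, found {len(uris)}")
    else:
        login, logout = uris
        origins = {_https_origin(login), _https_origin(logout)}
        if None in origins:
            problems.append("redirect_uris must both use https")
        elif len(origins) != 1:
            problems.append("redirect_uris must share one host:port")
        if not login.endswith("/login/callback"):
            problems.append("first redirect URI must end with /login/callback")
        if not logout.endswith("/logout/callback"):
            problems.append("second redirect URI must end with /logout/callback")

    fed = oidc.get("federated_login") or {}
    scope = fed.get("vault_scope", "")
    aud = fed.get("vault_aud", "")
    if not scope.startswith(VAULT_SCOPE_PREFIX) or len(scope) == len(VAULT_SCOPE_PREFIX):
        problems.append(f"vault_scope must start with {VAULT_SCOPE_PREFIX!r}: {scope!r}")
    elif aud != scope[len(VAULT_SCOPE_PREFIX):]:
        problems.append(f"vault_aud must equal vault_scope without its prefix: {aud!r}")

    enabled = (oidc.get("backchannel_logout") or {}).get("enabled", False)
    if not isinstance(enabled, bool):
        problems.append("backchannel_logout.enabled must be true or false")
    return problems


def registration_values(config):
    """Values the registered OAuth client document must carry for this config."""
    oidc = config["oidc"]
    login, logout = oidc["client"]["redirect_uris"]
    fed = oidc["federated_login"]
    values = {
        "Redirect URI(s)": login,
        "Post Logout Redirect URI(s)": logout,
        "Scope(s) must include": fed["vault_scope"],
        "Audience(s) must include": fed["vault_aud"],
    }
    if (oidc.get("backchannel_logout") or {}).get("enabled"):
        values["Back Channel Logout URI"] = logout  # same value as the post-logout URI
    return values


if __name__ == "__main__":
    for line in validate_oidc(SAMPLE_CONFIG) or ["oidc section is consistent"]:
        print(line)
    for field, value in registration_values(SAMPLE_CONFIG).items():
        print(f"{field}: {value}")
```

To run it against a real server, load the file with yaml.safe_load (PyYAML, assumed installed) and pass the resulting dict to validate_oidc; an empty list does not prove the login works, only that the two documents can be consistent with each other.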