Configuring Domino as an OIDC provider
To prepare a Domino server to be an OIDC identity provider, you must configure it in Domino's IdP Catalog application and in the Domino Directory's Internet Site document. You can then configure Domino as a clustered OIDC provider.
Information specific to this feature in Domino Early Access Drop 1 is also provided.
IdP Catalog configuration
- Open the IdP Catalog application (idpcat.nsf).
- Select the Domino OIDC Provider tab in the navigation, and then click the Add Domino OIDC Provider button in the header.
- Click Provider and select the internet site that will host the Domino OIDC provider.
- Click Primary Domino server and select the Domino server that will generate and manage keys for the OIDC provider.
- Click Domino servers and select all of the Domino servers that will host the Domino OIDC provider.
- Now select the Registered OAuth Clients tab in the navigator and click the Add OAuth Client button in the header.
- Populate information about the OAuth client according to that shown in the following document:
- Repeat this process until all of the OAuth clients have been registered.
Domino Directory - Internet Site document configuraton
- Open the Internet Site document for the site hosting the Domino OIDC provider.
- Select the same host name configured in idpcat.nsf from the Domino OIDC provider hostname drop-down list.
Clustered provider configuration
Domino 14.5 EAP Drop 1 does not support dynamic configuration updates, so configuring
clustered OIDC providers requires a few extra steps.
- Start by performing all of the preceding configuration steps on the Domino server configured as the primary OIDC provider.
- Restart that Domino server, which causes it to read the new configuration, generate signing and encryption keys, and save them in idpcat encrypted for the list of configured OIDC provider servers.
- Replicate the idpcat and pubnames changes to the secondary OIDC provider servers.
- Restart each of those secondary OIDC provider servers so they will read the configuration and keys and enable the OIDC provider functionality.
Things to know /current limitations
- Anonymous access must be disabled on the internet site serving the OIDC provider.
- The Authorization Code flow with PKCE is the only authentication flow recommended by current security best practices, and as such it is the only flow supported by the Domino OIDC provider.
- The logout endpoint and back-channel logout are not functional in 14.5 EAP Drop 1.
- Rotation of the OIDC provider's signing keys is not supported in 14.5 EAP Drop 1.
- Dynamic configuration updates are not supported in 14.5 EAP Drop 1; the Domino server will need to be restarted to read any configuration changes. In a clustered environment, the primary OIDC provider server should be restarted first, and then idpcat should be pushed from that server to the secondary OIDC provider servers before they are restarted.
- There are a handful of notes.ini variables that can be used to enable tracing to track down issues, including DEBUG_OIDC_PROVIDER, DEBUG_OIDCP_CLIENT_CACHE, and DEBUG_OIDC_CONFIG. Setting these to a value of 1 should only display errors, and increasing that value will trace increasingly verbose information to the server console.