Configuring Verse with OIDC login and Web federated login

Configuring Web login and Web federated login with OIDC for Verse allows Verse web users to authenticate against an OIDC identity provider and then perform secure mail operations, such as signing and decrypting messages, without being prompted for a Notes ID password.

Procedure

  1. Configure Web login for your Verse internet site by following the steps in Configuring Web login with OIDC for web users.
    Note: If you plan to configure logout for Verse so that it also logs the user out of your identity provider, create a Registered OAuth Client and a Trusted OIDC Provider configuration dedicated to Verse. Do not reuse one configuration for multiple sites.
  2. Configure Web federated login for your Verse internet site by following the steps in Enabling Web federated login with OIDC.
  3. To configure log out:
    1. Open the IdP Catalog application (idpcat.nsf).
    2. Open the Registered OAuth Client configuration for the Verse client you made previously.
    3. Set the Post logout redirect URIs field to the location to which the browser should be redirected after a successful logout.
      Note: This can be a custom landing page hosted for your users, or simply the Verse server, so that users are prompted to log in again. The post_logout_redirect_uri value you configure in step 4 must exactly match one of the URIs entered here.
    4. Set the Back channel logout URI field to https://<verse site hostname>/auth/protocol/oidc
    5. By default, the Domino OIDC provider sends back-channel logout requests only to sites that present a TLS certificate signed by one of the trusted roots in the cacert.pem file in the data directory. To trust a self-signed or private certificate, or to trust only a single certificate for back-channel logout, click the arrow next to the Trusted roots field and select a trusted root that has been configured in the Certificate Store application (certstore.nsf).
    6. Save and close the document.
    7. Replicate the idpcat.nsf database to any Domino servers hosting your OIDC provider and Verse sites.
    8. Restart those same Domino servers so that the new configuration is read.
  4. On the Domino servers hosting your Verse internet site:
    1. Set the following notes.ini setting:
      INOTES_WA_LOGOUTREDIRECT=https://<oidc provider hostname>/auth/protocol/oidc/logout?client_id=<verse oidc client id>&post_logout_redirect_uri=https%3A%2F%2F<verse hostname>%2Fverse
      Note: Make sure that the value of the post_logout_redirect_uri query argument in the URL above is URL encoded as shown (: becomes %3A and / becomes %2F). Once decoded, it must exactly match one of the URIs in the Post logout redirect URIs field of the Registered OAuth Client document.
    2. Restart the http task on the Domino server or servers hosting your Verse internet site.
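The two places where this procedure most often goes wrong are the URL encoding of post_logout_redirect_uri in INOTES_WA_LOGOUTREDIRECT and a mismatch between that value and the Post logout redirect URIs registered in idpcat.nsf. The following script is an added example, not part of the HCL documentation or of Domino: it builds the notes.ini line from the hostnames and client ID and checks an existing line for the encoding and allow-list problems described above. The hostnames, the client ID and the allow-list are constructed placeholders; the endpoint paths are the ones given in the steps.

```python
"""Build and sanity-check INOTES_WA_LOGOUTREDIRECT for a Verse OIDC logout.

Added example, not HCL documentation. Hostnames, client ID and the
post-logout allow-list used below are constructed placeholders.
"""
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Endpoint paths taken from the procedure above.
LOGOUT_PATH = "/auth/protocol/oidc/logout"   # Domino OIDC provider logout endpoint
BACKCHANNEL_PATH = "/auth/protocol/oidc"     # back-channel logout URI on the Verse site


def backchannel_logout_uri(verse_host):
    """Value for the Back channel logout URI field of the Registered OAuth Client."""
    return f"https://{verse_host}{BACKCHANNEL_PATH}"


def build_logout_redirect(provider_host, client_id, verse_host, landing_path="/verse"):
    """Return the complete notes.ini line.

    urlencode() percent-encodes the post_logout_redirect_uri value, so the
    ':' and '/' of the landing URL become %3A and %2F as the procedure requires.
    """
    post_logout = f"https://{verse_host}{landing_path}"
    query = urlencode({"client_id": client_id,
                       "post_logout_redirect_uri": post_logout})
    return f"INOTES_WA_LOGOUTREDIRECT=https://{provider_host}{LOGOUT_PATH}?{query}"


def check_logout_redirect(ini_line, registered_post_logout_uris, expected_client_id):
    """Check an existing notes.ini line against the Registered OAuth Client document.

    registered_post_logout_uris: the URIs entered in the Post logout redirect URIs field.
    Returns a list of problems; an empty list means the line is consistent.
    """
    problems = []
    key, _, value = ini_line.strip().partition("=")
    if key.strip() != "INOTES_WA_LOGOUTREDIRECT":
        return ["not an INOTES_WA_LOGOUTREDIRECT setting"]

    parts = urlsplit(value)
    if parts.scheme != "https":
        problems.append("logout URL must use https")
    if parts.path != LOGOUT_PATH:
        problems.append(f"path {parts.path!r} is not {LOGOUT_PATH}")

    decoded = parse_qs(parts.query, keep_blank_values=True)
    if decoded.get("client_id") != [expected_client_id]:
        problems.append("client_id does not match the Registered OAuth Client")

    # Look at the raw (still encoded) value: an unencoded landing URL leaks
    # ':' and '/' into the query string, which parse_qs would silently accept.
    raw_pairs = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    raw_target = raw_pairs.get("post_logout_redirect_uri", "")
    if ":" in raw_target or "/" in raw_target:
        problems.append("post_logout_redirect_uri is not URL-encoded")

    # The decoded value must match a registered URI exactly (no prefix matching).
    target = unquote(raw_target)
    if target not in registered_post_logout_uris:
        problems.append(f"{target!r} is not one of the registered post logout redirect URIs")
    return problems


if __name__ == "__main__":
    line = build_logout_redirect("idp.example.com", "verse-client", "verse.example.com")
    print(line)
    print(backchannel_logout_uri("verse.example.com"))
    print(check_logout_redirect(line, ["https://verse.example.com/verse"], "verse-client"))
```

Run it with your own provider hostname, Verse hostname and client ID, paste the printed line into notes.ini, and feed the line back through check_logout_redirect together with the URIs you entered in idpcat.nsf before restarting the HTTP task. The check is deliberately a plain string comparison, since an RP-initiated logout only succeeds when the decoded post_logout_redirect_uri is one of the registered values.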