Configuring Nomad Federated Login with Domino as OIDC provider

About this task

After setting up Nomad server on Domino with Domino as an OIDC provider, administrators may want to also enable the Nomad Federated Login flow to avoid users being prompted for their HCL Notes ID passwords when they set up the HCL Nomad for web browsers client.

To enable the Nomad Federated Login flow while using authentication through the Domino OIDC provider, it is necessary to configure the ID vault to trust the OIDC provider.

Before starting the Nomad Federated Login flow, complete the previous task: Configuring Nomad server on Domino with Domino as OIDC provider.

Procedure

  1. Add $$TEST_JWTIDVAULT=1 to the notes.ini file of Domino Administrator and restart Domino Administrator. If $$TEST_JWTIDVAULT=1 is appended as the last line of notes.ini, add an empty line below it; Domino Administrator needs that trailing line to read the last entry in notes.ini correctly.
  2. From Domino Administrator:
    1. Click on Configuration > Web > Internet sites.

      Open the Internet Site document for the OIDC provider, go to the Security tab and, in the TLS Authentication section, enable Bearer Token (JWT).

    2. Open the IdP Catalog (idpcat.nsf) and open the OIDC provider document.

      Edit the Host names or addresses mapped to this site field and append bearer.vault-<Vault server hostname> to the end, where <Vault server hostname> is the value of the Fully qualified Internet host name field in the vault server document.

    3. Open the ID Vault database and click Configuration. Select the vault configuration document and enter bearer.vault-<Vault server hostname> in the Bearer token (JWT) approved OIDC provider configurations field. The value must be identical to the one entered in idpcat.nsf in step 2 > b.
    4. Open Domino Directory on any server in the Domino domain, click Configuration > Policies > Settings > Security Settings, open the Vault Setting document. In the vault setting document, go to the ID Vault tab and set Bearer token (JWT) to Yes under the Additional ID Download authentication mechanisms section.
      If the Bearer token (JWT) field is missing from the Additional ID Download authentication mechanisms section, verify the following:
      1. $$TEST_JWTIDVAULT=1 has been added to the notes.ini file as described in step 1 of this procedure.
      2. The design of names.nsf has been replaced: select names.nsf, go to File > Application > Replace Design, choose templates from the server, enable the "Show advanced templates" check box and select the "Domino Directory (14.0 Server)" template (pubnames.ntf).
  3. Modify the oidcinfo.json file in the Domino Data directory. In the instructions below, replace <vault server org> with the organization part of the vault server's name (for CN=myserverCN/O=myserverOrg, <vault server org> is myserverOrg) and replace <vault name> with the Vault Name shown in the Configuration section of your vault database.
    1. Set the aud value to <vault server org>-O=<vault name>.
    2. Append Domino.vault.<vault server org>-O=<vault name> to the end of the scope value.
      Example:
      "aud": "myserverOrg-O=vault1",
      "scope": "openid email Domino.user.all Domino.vault.myserverOrg-O=vault1"
  4. Modify the nomad-config.yml file in the Domino Data directory (replace <vault server org> and <vault name> with your own values).
    Add oidc > federated_login > vault_scope and oidc > federated_login > vault_aud as in the example below (use straight double quotes, not typographic ones):
    oidc:
      # other sections
      federated_login:
        vault_scope: "Domino.vault.<vault server org>-O=<vault name>"
        vault_aud: "<vault server org>-O=<vault name>"
  5. Restart the Domino server hosting the OIDC web site. If the HTTP task is not loaded automatically, load it with load http. Once the HTTP task has loaded, start the Nomad task with load nomad.
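The audience and scope strings in steps 3 and 4 must agree exactly, because the vault accepts a bearer token only for the audience it was configured for. The following script is an added consistency check, not part of HCL's documentation or product: it derives the expected values from the vault server org and vault name, compares them with a parsed oidcinfo.json and with the raw text of nomad-config.yml, and flags typographic quotes in the YAML, which would yield a different string than intended. The sample inputs are constructed from the page's own example values; the YAML check assumes vault_scope and vault_aud occur once, under federated_login.

```python
import re

# Constructed sample inputs using the values from the page's own example.
OIDCINFO_OK = {
    "aud": "myserverOrg-O=vault1",
    "scope": "openid email Domino.user.all Domino.vault.myserverOrg-O=vault1",
}
# vault_scope is wrapped in typographic quotes, a paste defect this check catches.
NOMAD_YAML_BAD = """oidc:
  federated_login:
    vault_scope: \u201cDomino.vault.myserverOrg-O=vault1\u201d
    vault_aud: "myserverOrg-O=vault1"
"""
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"

def expected_values(vault_server_org, vault_name):
    """Audience and scope strings the procedure prescribes for the vault."""
    aud = f"{vault_server_org}-O={vault_name}"
    return {"vault_aud": aud, "vault_scope": f"Domino.vault.{aud}"}

def check_oidcinfo(oidcinfo, vault_server_org, vault_name):
    """Problems in a parsed oidcinfo.json (empty list means consistent)."""
    exp = expected_values(vault_server_org, vault_name)
    problems = []
    if oidcinfo.get("aud") != exp["vault_aud"]:
        problems.append(f"aud is {oidcinfo.get('aud')!r}, expected {exp['vault_aud']!r}")
    if exp["vault_scope"] not in oidcinfo.get("scope", "").split():
        problems.append(f"scope lacks {exp['vault_scope']!r}")
    return problems

def check_nomad_config(yaml_text, vault_server_org, vault_name):
    """Problems in nomad-config.yml text. Assumes vault_scope and vault_aud
    occur once, under federated_login, so a line scan is enough (no YAML lib)."""
    exp = expected_values(vault_server_org, vault_name)
    found = {}
    for line in yaml_text.splitlines():
        m = re.match(r"^\s*(vault_scope|vault_aud):\s*(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    problems = []
    for key, want in exp.items():
        raw = found.get(key)
        if raw is None:
            problems.append(f"{key} is missing")
        elif any(ch in raw for ch in TYPOGRAPHIC_QUOTES):
            problems.append(f"{key} uses typographic quotes; use straight quotes")
        elif raw.strip("\"'") != want:
            problems.append(f"{key} is {raw!r}, expected {want!r}")
    return problems
```

Run both checks after editing the files; an empty list from each means the two files and the vault configuration refer to the same audience.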