Configuring Nomad server on Domino with Domino as OIDC provider

Before you begin

To set up Nomad server on Domino to authenticate through Domino as an OIDC provider, you must make sure that Domino is version 14.0.0 FP2 or later and Nomad server on Domino is version 1.0.13 or later.

Procedure

  1. Designate a hostname for the OIDC provider; the hostname needs to be a real hostname that can be resolved in the local system's DNS server to an IP address. Ensure that this hostname is whitelisted if the 'HTTP whitelist' is enabled on the Domino server and that a trusted TLS certificate is obtained for the designated hostname. The procedures below will reference “<oidc_provider_site>” as the designated hostname.
  2. From Domino Administrator
    1. Refer to Creating an Internet site document to create a new Web Site document, or edit an existing one, for the OIDC provider:
      1. On the Basic tab, add <oidc_provider_site> to Host names or addresses mapped to this site list if Use this web site to handle requests which cannot be mapped to any other web sites is set to No.
      2. On the Security tab, choose No for Anonymous under TLS Authentication section.
      3. Refer to Setting up session-based name-and-password authentication to configure session based login for the site.
    2. Update idpcat.nsf to the idpcat.ntf template from Domino 14.0.0 FP2 or later and refer to Configuring trusted OIDC providers to add an OIDC provider.
      1. In the Host names or addresses mapped to this site field, select the Domino servers or internet sites that will use the OIDC provider for authentication.

        Note that you should not add the OIDC provider’s web site to the list, as it cannot be configured to trust itself for authentication.

      2. Enter Base URL as https://<oidc_provider_site>/auth/protocol/oidc.
      3. Select Trusted roots (if your root is not listed, you can add your root to certstore.nsf following steps in Adding trusted root certificates and then reopen idpcat.nsf database).
      4. Enter Client ID.
      5. Enter Client secret.
    3. Update domcfg.nsf to the domcfg5.ntf template from Domino 14.0.0 FP2 or later, and use $$LoginUserForm or $$LoginUserFormPasskey as the Target Form, depending on whether passkey is configured.
    4. (Optional) Refer to Passkey authentication for passkey configuration.
  3. Create an oidcinfo.json file in the Domino Data directory based on the example given below and replace the following placeholders:
    1. oidc_provider_site with the OIDC provider hostname.
    2. common_name and organization with the Domino server name and organization.
    3. client_id and client_secret with the client id and secret entered in step 2 > b > iv, v.
    4. nomad_server_site with the hostname where Nomad is deployed.
      {
          "provider_info": {
              "oidc_provider_site": "<oidc_provider_site>",
              "primary_server": "CN=<common name>/O=<organization>",
              "domino_servers": ["<common name>/<organization>"]
          },
          "registered_clients": [
              {
                  "friendly_name": "Nomad server on Domino",
                  "client_id": "<client_id>",
                  "client_secret": "<client_secret>",
                  "redirect_uri": "https://<nomad_server_site>/login/callback",
                  "aud": "https://<nomad_server_site>",
                  "scope": "openid email Domino.user.all",
                  "token_endpoint_auth_method": "client_secret_basic",
                  "access_token_sec": 300,
                  "id_token_sec": 900,
                  "refresh_token_sec": 3600,
                  "max_session_sec": 57600,
                  "id_token_signed_response_alg": "ES256",
                  "access_token_signed_response_alg": "ES256"
              }
          ]
      }

  4. Add an oidc section to the nomad-config.yml file located in the Domino data directory, using the example below as a template. Replace the following placeholders:
    1. oidc_provider_site with the OIDC provider hostname.
    2. client_id and client_secret with the client id and secret entered in step 2 > b > iv, v.
    3. nomad_server_site with the hostname where Nomad is deployed.
      oidc:
        issuer: "https://<oidc_provider_site>/auth/protocol/oidc"
        issuer_metadata_overrides:
          end_session_endpoint: "https://<oidc_provider_site>/names.nsf?logout"
      client:
        client_id: <client_id>
        client_secret: <client_secret>
        redirect_uris: ["https://<nomad_server_site>/login/callback"]
  5. Restart the Domino server hosting the OIDC web site. If the HTTP task is not loaded automatically, load it with the console command load http. Once the HTTP task has loaded, start the Nomad task with load nomad.
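The two files written in steps 3 and 4 must agree with each other: the issuer in nomad-config.yml is derived from oidc_provider_site, and the client id, secret and redirect URI must be identical on both sides. The following script is an added example (not HCL's code, and not part of the original page) that checks an oidcinfo.json document for unreplaced placeholders, a value left unquoted (which makes the file invalid JSON), an aud that does not match the redirect_uri origin, and a scope without openid, and then cross-checks it against the oidc/client values from nomad-config.yml. The hostnames, names and secret are constructed for the example; the nomad-config.yml values are given as a dict so no YAML library is needed, and the ordering check on the token lifetimes is a sanity check of this example, not a documented Nomad rule.

```python
"""Consistency checks for the oidcinfo.json / nomad-config.yml pairing (added example)."""
import json
from urllib.parse import urlsplit

# Constructed sample oidcinfo.json with the placeholders already replaced
# (hostnames, names and the secret are made up for this example).
SAMPLE_OIDCINFO = """{
    "provider_info": {
        "oidc_provider_site": "oidc.example.com",
        "primary_server": "CN=Mail01/O=Example",
        "domino_servers": ["Mail01/Example"]
    },
    "registered_clients": [
        {
            "friendly_name": "Nomad server on Domino",
            "client_id": "nomad-web",
            "client_secret": "example-secret-not-real",
            "redirect_uri": "https://nomad.example.com/login/callback",
            "aud": "https://nomad.example.com",
            "scope": "openid email Domino.user.all",
            "token_endpoint_auth_method": "client_secret_basic",
            "access_token_sec": 300,
            "id_token_sec": 900,
            "refresh_token_sec": 3600,
            "max_session_sec": 57600,
            "id_token_signed_response_alg": "ES256",
            "access_token_signed_response_alg": "ES256"
        }
    ]
}"""

# Constructed values from the oidc/client sections of nomad-config.yml
# (written as a dict so this example needs no YAML library).
SAMPLE_NOMAD_CONFIG = {
    "issuer": "https://oidc.example.com/auth/protocol/oidc",
    "client_id": "nomad-web",
    "client_secret": "example-secret-not-real",
    "redirect_uris": ["https://nomad.example.com/login/callback"],
}

LIFETIME_KEYS = ("access_token_sec", "id_token_sec", "refresh_token_sec", "max_session_sec")


def check_oidcinfo(text):
    """Return a list of problems found in an oidcinfo.json document (empty list = OK)."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical cause: a placeholder such as <oidc_provider_site> left unquoted.
        return [f"not valid JSON: {exc}"]
    info = doc.get("provider_info", {})
    site = info.get("oidc_provider_site", "")
    if not site or "<" in site:
        problems.append("provider_info.oidc_provider_site is missing or still a placeholder")
    if not str(info.get("primary_server", "")).startswith("CN="):
        problems.append("provider_info.primary_server should be a canonical name (CN=.../O=...)")
    clients = doc.get("registered_clients", [])
    if not clients:
        problems.append("registered_clients is empty")
    for c in clients:
        name = c.get("friendly_name", "?")
        for key in ("client_id", "client_secret"):
            if not c.get(key) or "<" in str(c.get(key)):
                problems.append(f"{name}: {key} is missing or still a placeholder")
        redirect = urlsplit(c.get("redirect_uri", ""))
        if redirect.scheme != "https" or redirect.path != "/login/callback":
            problems.append(f"{name}: redirect_uri must be https://<host>/login/callback")
        if c.get("aud") != f"https://{redirect.netloc}":
            problems.append(f"{name}: aud should be the https origin of redirect_uri")
        if "openid" not in c.get("scope", "").split():
            problems.append(f"{name}: scope must include openid")
        # Sanity check of this example: lifetimes positive and access <= id <= refresh <= max_session.
        lifetimes = [c.get(k) for k in LIFETIME_KEYS]
        if not all(isinstance(v, int) and v > 0 for v in lifetimes) or lifetimes != sorted(lifetimes):
            problems.append(f"{name}: token lifetimes should be positive and non-decreasing")
    return problems


def cross_check(oidcinfo_text, nomad_oidc):
    """Verify that the nomad-config.yml values agree with the registered client in oidcinfo.json."""
    problems = []
    doc = json.loads(oidcinfo_text)
    site = doc["provider_info"]["oidc_provider_site"]
    expected_issuer = f"https://{site}/auth/protocol/oidc"
    if nomad_oidc.get("issuer") != expected_issuer:
        problems.append(f"issuer should be {expected_issuer}")
    client = doc["registered_clients"][0]
    for key in ("client_id", "client_secret"):
        if nomad_oidc.get(key) != client.get(key):
            problems.append(f"{key} differs between nomad-config.yml and oidcinfo.json")
    if nomad_oidc.get("redirect_uris") != [client.get("redirect_uri")]:
        problems.append("redirect_uris does not match the registered redirect_uri")
    return problems


if __name__ == "__main__":
    for p in check_oidcinfo(SAMPLE_OIDCINFO) + cross_check(SAMPLE_OIDCINFO, SAMPLE_NOMAD_CONFIG):
        print("PROBLEM:", p)
    print("checks complete")
```

To use it against a real deployment, read the contents of oidcinfo.json from the Domino data directory into check_oidcinfo, and pass the issuer, client_id, client_secret and redirect_uris values from nomad-config.yml to cross_check; an empty list from both means the two files are consistent.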

Troubleshooting

  1. Verify that the OIDC provider is up and running by accessing https://<oidc_provider_site>/auth/protocol/oidc/.well-known/openid-configuration. The expected response should have a status code of 200 with a valid JSON object in the response body.
  2. You get Error 403 on the OIDC provider login page with the message: HTTP Web Server: You are forbidden to perform this operation.

    The error is likely caused by configuring the OIDC provider web site to trust itself for authentication. Check the OIDC provider document in idpcat.nsf and make sure that the OIDC provider web site is not listed in the Host names or addresses mapped to this site field.

  3. If you encounter the error Nomad: ERROR nomad: Failed to get provider metadata. OIDC is disabled., ensure the following:

    1. The OIDC provider configuration is reachable at <issuer from the oidc section of the nomad-config.yml file>/.well-known/openid-configuration.
    2. The certificate used by OIDC provider is trusted by the operating system on which Domino as OIDC provider is running.
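For the troubleshooting checks above, the following is an added example (not HCL's code, and not part of the original page) that fetches the discovery document Nomad requests for the configured issuer and validates it: the issuer value in the document must equal the configured issuer exactly (OpenID Connect Discovery requires this), the core endpoints must be present over https, and, because the page's nomad-config.yml supplies end_session_endpoint through issuer_metadata_overrides, the check reports when neither the document nor the override provides it. An untrusted TLS certificate surfaces in fetch_discovery as an ssl.SSLCertVerificationError, which is the second condition in step 3. The sample discovery document and hostname are constructed; the endpoint paths in it are made up and do not describe the real Domino response.

```python
"""Validate an OIDC discovery document against the issuer from nomad-config.yml (added example)."""
import json
from urllib.request import urlopen

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    """Well-known URL that Nomad fetches for the configured issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer, timeout=10):
    """Fetch and parse the discovery document over HTTPS (not called in the offline sample).

    A non-200 status raises urllib.error.HTTPError; a certificate the operating
    system does not trust raises ssl.SSLCertVerificationError.
    """
    with urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(metadata, issuer, overrides=None):
    """Return problems with a parsed discovery document; an empty list means it is usable."""
    problems = []
    if metadata.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {metadata.get('issuer')!r}, config says {issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        if not str(metadata.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    # issuer_metadata_overrides from nomad-config.yml take precedence over the document.
    effective = dict(metadata, **(overrides or {}))
    if "end_session_endpoint" not in effective:
        problems.append("no end_session_endpoint: set issuer_metadata_overrides.end_session_endpoint")
    return problems


# Constructed sample: hostname and endpoint paths are made up for this example.
SAMPLE_ISSUER = "https://oidc.example.com/auth/protocol/oidc"
SAMPLE_METADATA = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/auth",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/certs",
}
SAMPLE_OVERRIDES = {"end_session_endpoint": "https://oidc.example.com/names.nsf?logout"}

if __name__ == "__main__":
    for p in check_discovery(SAMPLE_METADATA, SAMPLE_ISSUER, SAMPLE_OVERRIDES):
        print("PROBLEM:", p)
    print("discovery check complete")
```

Against a live server, replace the sample with fetch_discovery(issuer) using the issuer string copied verbatim from nomad-config.yml; a trailing slash or the https:/// typo on either side shows up as an issuer mismatch rather than as a vague failure at Nomad startup.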