Troubleshooting
This topic describes troubleshooting tips for common SAML setup issues.
Identity provider's form authentication not displayed when logging in to the Traveler home page
If you do not see the expected form login from the Identity provider when testing the
Traveler endpoint with a browser, check the following:
- Check whether the notes.ini setting NTS_AUTO_CONFIG is set to false.
It defaults to True, so you must set it to false on each participating Traveler server.
- Check the internet site document for the Traveler endpoint for a session
override rule for /traveler.
If there is a rule, delete it and then restart the Domino HTTP server.
Unable to configure a client to Traveler
- Make sure that you can log in to the Traveler home page from the mobile browser.
- Make sure you are using a supported client. SAML authentication is supported only with the HCL Verse clients. For more information, see HCL Verse client setup for SAML authentication.
- If running HCL Domino 12.0.2 or higher, ensure the notes.ini setting DOMINO_RELAY_COOKIE_SAMESITE=3 is set on each participating Traveler server. If not set, the symptom is that the HCL Verse mobile client repeatedly prompts for the SAML login despite the user providing the correct credentials.
- Ensure that the Traveler endpoint has a valid SSL certificate. The HCL Verse clients do not work with a self-signed certificate.
- If you are using ADFS as the IDP and it is configured to use Windows Integrated Authentication (WIA), the HCL Verse clients cannot support an NTLM prompt. A forms-based login page needs to be set up by your ADFS Administrator. For more information, see the Microsoft documentation for configuring intranet forms-based authentication for devices that do not support WIA.
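
The two notes.ini checks above (NTS_AUTO_CONFIG and DOMINO_RELAY_COOKIE_SAMESITE) can be scripted and run against each participating Traveler server's notes.ini. The following is an added example, not HCL-supplied code. The function names, the case-insensitive matching of key names and values, and the last-occurrence-wins handling of duplicate keys are assumptions of this example.

```shell
# Added example: audit a notes.ini for the two settings named on this page.
# Assumptions: keys and true/false values are matched case-insensitively,
# and if a key appears more than once the last occurrence is used.

# Print the value of KEY ($2) from FILE ($1); prints an empty line if absent.
ini_value() {
    awk -v key="$2" '
        { sub(/\r$/, "") }                   # tolerate CRLF line endings
        index($0, "=") == 0 { next }         # skip lines that are not KEY=VALUE
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (toupper(k) == toupper(key)) found = v
        }
        END { print found }' "$1"
}

# check_traveler_saml_ini FILE [yes|no]
# Second argument: "yes" (default) when the server runs Domino 12.0.2 or
# higher, which is when the SameSite cookie setting is required.
# Exit status is the number of findings (0 means both settings are correct).
check_traveler_saml_ini() {
    file=$1; samesite=${2:-yes}; findings=0
    auto=$(ini_value "$file" NTS_AUTO_CONFIG | tr 'A-Z' 'a-z')
    if [ "$auto" != "false" ]; then
        echo "FAIL NTS_AUTO_CONFIG=${auto:-<unset, defaults to True>} (expected false)"
        findings=$((findings + 1))
    fi
    if [ "$samesite" = "yes" ]; then
        cookie=$(ini_value "$file" DOMINO_RELAY_COOKIE_SAMESITE)
        if [ "$cookie" != "3" ]; then
            echo "FAIL DOMINO_RELAY_COOKIE_SAMESITE=${cookie:-<unset>} (expected 3)"
            findings=$((findings + 1))
        fi
    fi
    if [ "$findings" -eq 0 ]; then echo "OK $file"; fi
    return "$findings"
}

# Constructed sample (not from a real server): CRLF endings, lower-case key,
# NTS_AUTO_CONFIG left at True and the SameSite setting missing.
sample=$(mktemp)
printf '[Notes]\r\nnts_auto_config = True\r\nServerTasks=Traveler,HTTP\r\n' > "$sample"
check_traveler_saml_ini "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it on every participating Traveler server, since both settings must be set on each one.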