Configuring the HCL Traveler server for SAML authentication
SAML Authentication setup for the HCL Verse mobile clients follows the steps laid out in the Domino Administration guide for basic SAML authentication for Web servers.
Traveler server setup
The HCL Traveler server(s) should be configured prior to enabling SAML. This allows validation that HCL Traveler is functioning prior to changing the security for SAML authentication.
Domino Multi-server session-based authentication (Single Sign On) should be configured and working properly among the participating servers in the Traveler HA pool before enabling SAML.
Preparing for SAML authentication
- The Identity Provider (IdP) Catalog needs to be replicated to any HCL Traveler server participating in the SAML federated authentication.
- ID Vault setup is not required as part of enabling SAML support for the HCL Verse mobile clients. If ID Vault setup is needed for other web clients, make sure that the vault security policy setting document is enabled to Allow password authentication to the ID vault. This allows HCL Verse mobile clients to continue using password authentication to access the notes id file when working with encrypted mail.
- Mobile clients cannot participate in Windows Integrated Authentication (WIA).
- Traveler server testing - after making the changes in this section, validate that you can still access the Traveler endpoint.
Configuring basic SAML authentication for Web servers
Read the following notes, then complete the steps to enable basic SAML authentication for Web servers as outlined in the HCL Domino Administration guide:
Traveler-specific notes for basic SAML setup:
- Creating a Web Server IdP configuration document:
- For hostnames, enter the HCL Traveler server hostname(s) and IP addresses, as well as the external hostname and IP address (if it is different in your environment).
- For the Service provider ID, it is suggested to use the HCL Traveler external URL value (/traveler is not required). Example: https://traveler.us.renovations.com.
- Enabling SAML authentication
- For HCL Traveler, follow the steps associated with using an internet site document.
- If running HCL Domino 12.0.2 or higher, set the HCL Domino notes.ini DOMINO_RELAY_COOKIE_SAMESITE=3 on each participating Traveler server. The value 3 ensures that the SameSite cookie attribute for the DOMRELAYSTATE cookie is set to None. The value None means cookies are sent regardless of the web site from which the cookies originate. This requires that HTTPS be enabled. Starting with Domino 12.0.2, the default SameSite attribute for the DOMRELAYSTATE cookie is Strict. The Strict (1) or Lax (2) SameSite cookie attribute setting for this cookie prevents the HCL Verse mobile clients from completing the SAML authentication process.
- If Traveler is configured for HA, Web SSO is required.
- To enhance the HCL Verse mobile end user experience, it is recommended to extend the default of 2 hours for the SAML single server session expiration field. If using a WEB SSO configuration document, the token expiration time should be the same as the SAML single server session expiration field. For more information, see Authentication timeout settings.
- To allow clients that use the Exchange ActiveSync protocol (like the iOS Mail app) to continue to use Basic authentication, edit the Override Session Authentication rule and set the Incoming URL pattern to "/traveler/Microsoft-Server-ActiveSync*". If you do not intend to support the ActiveSync clients, remove the existing Override Session Authentication rules for Traveler. Additionally, turn off (set to false) the notes.ini NTS_AUTO_CONFIG. Otherwise, Traveler will attempt to re-add session override rules. Ensure that these changes to the names.nsf are replicated to all participating Traveler servers and then restart Domino HTTP. Note: It is recommended that you keep any substitution rules.
- Testing the basic SAML authentication for Traveler:
- For testing the resulting setup, use a mobile device browser to access the HCL Traveler endpoint. You should see the form login from the identity provider instead of a basic authentication prompt. Log in as a user using the user's credentials from the identity provider (not the Domino HTTP password) and verify that the HCL Traveler server home page displays. Note: For ADFS, a desktop browser may give different results than a mobile browser if Windows Integrated Authentication is enabled.
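The notes.ini settings and the Override Session Authentication rule from the Traveler-specific notes above are easy to get wrong on one server of an HA pool. The following pre-flight check is an added example (not HCL's code) that reads a constructed notes.ini fragment, flags a DOMINO_RELAY_COOKIE_SAMESITE value other than 3 on Domino 12.0.2 or higher and an NTS_AUTO_CONFIG that is not false when ActiveSync override rules were removed, and shows which request paths the "/traveler/Microsoft-Server-ActiveSync*" pattern keeps on Basic authentication. It assumes a missing NTS_AUTO_CONFIG behaves as enabled.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed notes.ini fragment for a Domino 12.0.2 Traveler server (sample data, not from the page).
SAMPLE_NOTES_INI = """\
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP,Traveler
NTS_AUTO_CONFIG=true
DOMINO_RELAY_COOKIE_SAMESITE=1
"""
ACTIVESYNC_RULE = "/traveler/Microsoft-Server-ActiveSync*"  # Incoming URL pattern of the override rule

def parse_notes_ini(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; keys are treated case-insensitively, ';' lines are comments."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings

def parse_version(version: str) -> Tuple[int, ...]:
    """'12.0.2' -> (12, 0, 2) so Domino versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def check_saml_settings(settings: Dict[str, str], domino_version: str,
                        keep_activesync: bool) -> List[str]:
    """Return findings for the SAML-relevant notes.ini values on one Traveler server."""
    findings: List[str] = []
    samesite = settings.get("DOMINO_RELAY_COOKIE_SAMESITE", "")
    if parse_version(domino_version) >= (12, 0, 2) and samesite != "3":
        # Default on 12.0.2+ is Strict (1); Strict or Lax (2) blocks Verse mobile SAML login.
        findings.append("DOMINO_RELAY_COOKIE_SAMESITE is %r; set it to 3 (SameSite=None, HTTPS "
                        "required) so the DOMRELAYSTATE cookie survives the IdP redirect" % samesite)
    # Assumption: a missing NTS_AUTO_CONFIG behaves as enabled (Traveler re-adds override rules).
    auto_config = settings.get("NTS_AUTO_CONFIG", "true").lower()
    if not keep_activesync and auto_config != "false":
        findings.append("NTS_AUTO_CONFIG=%s; set it to false so Traveler does not re-add the "
                        "Override Session Authentication rules you removed" % auto_config)
    return findings

def uses_basic_auth(path: str) -> bool:
    """True if the request path matches the ActiveSync override rule and keeps Basic auth."""
    return fnmatch.fnmatchcase(path, ACTIVESYNC_RULE)

if __name__ == "__main__":
    for finding in check_saml_settings(parse_notes_ini(SAMPLE_NOTES_INI), "12.0.2", False):
        print("FINDING:", finding)
    print(uses_basic_auth("/traveler/Microsoft-Server-ActiveSync?Cmd=Sync"), uses_basic_auth("/traveler"))
```

Run it against each server's notes.ini after replicating names.nsf; every server in the HA pool should come back with no findings.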