Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Domino Federarted Web Login / SAML with F5 and ADFS 3.0

Daniel Nashed  25 April 2016 17:14:43

In the last couple of weeks I spent a lot of time with customer Web Federated Login workshops and implementations.
Not sure what happened but suddenly everyone is interested in SAML. It looks like more and more customers are looking into that because they have already implemented SSO for other applications like O365.

In one case a customer had an existing F5 configuration. In one other case we had a customer with Windows 2012 R2 and ADFS 3.0.

Both configurations are not officially supported yet but we got it to work! Specially the F5 configuration was tricky. But in general both are just another SAML 2.0 implementation.
We officially asked if those two configurations can be officially supported. It looks like it is more testing and documentation effort than any code change that is needed.
But it is not yet an officially supported configuration. Implementing ADFS 3.0 is quite similar than ADFS 2.0.

Win2012 R2 ADFS 3.0

ADFS 3.0 in fact is a nicer implementation and does not need any IIS components. Also the SSO portal application is now implemented in a way that the UI can be completely customized. You can add you logo, change the CSS or could even build your complete own page.

Also the installation is easier. ADFS 3.0 comes with Win2012 R2 and just needs to be enabled as a separate role. In contrast earlier versions shipped with SAML 1.1 support and you and to separately download and install SAML 2.0.

The configuration is very similar but you cannot use the cookbooks 1:1. Some configuration details are now set via PowerShell commands.
For example if you need to disable the extended protection when working with Chrome.

Domino SAML Implementation

In two customer situations we ran into an odd issue. When initiating the SAML login from the SSO portal like ADFS (with ADFS 3.0 the portal looks prettier and more customers might directly use the portal) redirecting to the Domino HTTP server caused a strange behavior.
The URL invoked should have been the default server URL but there have been som random chars at the end of the URL. Tracing turned out that this was a day one issue with Domino Web Federated Login (WFL) and it was never thought of that the first request is the login request with a redirect from the Identity provider (IdP) in our case ADFS 3.0 or the F5 applicance.

Even Domino uses a IdP Initiated model the first request was always initiated by Domino.

Here is the flow that Domino uses.

- Browser hits the Domino Server for a resource that needs authentication

- User ist redirected to the IdP for authentication --> the URL contains ?loginToRp to tell the ADFS server where to return to after authentication. This is a ADFS specific parameter which is for example not understood by F5.
  Example: https://nsh-win-ad.ad.nashcom.loc/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://domino.nashcom.loc/names.nsf
  At the same time the server sets an undocumented cookie "DOMRELAYSTATE" which contains some data in binary format (base64 encoded) which contains the location to redirect to after login.

- User is authenticated at the IdP. Either via AD name and password or with a Kerberos ticket (Integrated Windows Authentication -- IWA) if configured and the user and workstation are in the current AD.


- Browser redirects back to Domino with the SAML post request
 Example:
https://domino.nashcom.loc/names.nsf?SAMLLogin

- After verifying the SAML data, the user is authenticated and a LTPA cookie is generated


- At the same time the server reads the "DOMRELAYSTATE" cookie, removes it and redirects the user to his original location


Redirection Issue

In our problem case the user had no "DOMRELAYSTATE" cookie which caused the server to add some garbage to the URL.
We got a hotfix for the issue which will hopefully make it into one of the next IFs. The SPR for this defect is SPR # MKINA8XN74.

Summary

So in general if you want to implement SAML right now I would use ADFS 3.0 and Windows 2012 R2 if you have the choice - even it is not yet supported by Domino.
But ADFS 3.0 is the much better product which is better supported by Microsoft. And it is a much cleaner implementation. No dependency on IIS as well!




Comments

1Christian Henseler  25.04.2016 18:04:12  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

thank you very much for sharing this :-)

2Jacques PINEAU  06.05.2016 9:23:11  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

Hi Daniel,

For one of my customers, I have to implement SAML with an existing F5 configuration. Do you have more details about this? Does IBM helped you in this particular case?

Many Thanks

3Daniel Nashed  10.05.2016 16:53:47  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

@Jacques, sent you some information about the F5 configuration by mail.

4Bernd Ries  08.06.2016 8:24:32  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

Hi Daniel,

I'm interested in your F5 configuration as well.

Any chance you can send these to me?

Thanks

Bernd

5Odilo Higa  14.06.2016 22:56:05  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

Dear Daniel!

Thanks a lot for sharing this post.

And now, I am facing a issue when I try to do the cross certificate.

-> "A cross certificate will not be made due to key usage restrictions in the input certificate"

I use self-signed certificate for ADFS url and the webmail.

I have read many documents in the internet but during the troubleshooting I do not get success.

We have already reinstalled the ADFS server from zero but it stills gets the same error. We installed it using default configuration.

About your comment -> The configuration is very similar but you cannot use the cookbooks 1:1., could you please send me more details how you got to configure ADFS on Windows 2012 R2 ?

Enviroment:

-> Domino 9.0.1 64-bit with Fix Pack 6 running on SuSe Linux 12 64-bit;

-> ADFS running on Windows Server 2012 R2.

Thanks in advance.

Best regards,

OdiLo Higa

ohiga@masterdom.inf.br

6Alon Kedmi  17.06.2016 0:50:08  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

Thanks Danial for all the information.

Is there any way using Domino R9.0.1 to establish Web authentication using Google credentials ?

Thanks,

Alon

7Hubert Wagner  31.10.2016 0:42:05  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

@Alon I'm currently trying to configure Domino v9.0.1 + FP7 (64 bit) as SP and Google Apps (now called G Suite) as IdP. Google Support confirmed that they don't support SP initiated logons. When navigating to my Domino web site without being logged into Google it redirects to the Googel IdP url and shows following error page:

400. That's an error. "Error parsing the request. No SAML message present in rquest. That's all we know.

IdP initiated logon works but I intermittently do experience the above-mentioned redirect issue.

I use following in the idpcat config doc:

Protocol version: SAML 2.0

State: Enabled

Federation product: TFIM

Service provider ID: https://<YOURDOMINOURL>

Artifact resolution service URL:

Single sign-on service URL: https://accounts.google.com/o/saml2/idp?idpid=<YOURIDPID>

Signing X.509 certificate: (make sure to remove all end-of-line characters)

Encryption X.509 certificate:

Protocol support enumeration: urn:oasis:names:tc:SAML:2.0:protocol

Does anyone know if SPR # MKINA8XN74 is in FP7

Thanks,

Hubert

8Christian Dencker  21.02.2017 21:17:31  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

We have the same problem but with NetScaler and ADFS 2.0. It looks like the fix Will be in Domino 9.0.1 FP8.

9Jason Chen  24.10.2017 21:21:08  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

Thanks you for this helpful post. I am planning to Integrate Domino with ADFS using SAML and would like to import AD DN into Domino person record, according to IBM, I can only use the ShortName field but the ShortName field is used for other purpose, any other field I can use to import the AD DN?

Thanks

10Fendy  27.10.2017 9:27:44  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

Hi Daniel,

I'm interested in your SAML configuration on Domino and F5.

Any chance you can send these to me?

And if I'm not having any FP for my Domino 9.0.1, is the SAML Still working or not?

Thank You.

11Maksim  22.03.2018 8:11:47  Domino Federarted Web Login / SAML with F5 and ADFS 3.0

Hi Daniel,

I'm interested in your F5 configuration as well.

Can you send them to me?

Thank you.

Archives


  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]