Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

SAML Support in Domino 10

Daniel Nashed  15 July 2018 09:08:35
In Domino 9.0.1, SAML support is limited to ADFS 2.0 / 3.0 and TFIM (Tivoli Federated Identity Manager).
We got other IdPs such as F5 working by emulating some behavior that is specific to the ADFS implementation, but this wasn't a fully supported configuration.

With Domino 10 the plan is to have generic SAML 2.0 support and to be compatible with different types of SAML 2.0 implementations.
IBM/HCL cannot test all combinations before Domino 10 ships, but the plan is that if the provider is fully SAML 2.0 compliant, it should work and you get support for it.

I have already looked into the new SAML support in Domino 10 Beta 1 and have tested configuring it with Jumpcloud (https://jumpcloud.com/).
Jumpcloud provides directory/authentication as a service. Some weeks ago I got a partner request to help implement Domino with Jumpcloud.
We ran into issues because of some back-end limitations in the Domino 9 implementation.

With Domino 10 it works like a charm even without any extra tweaking.
In fact, the configuration has changed: it is not only more flexible for configuring other SAML 2.0 compliant IdPs, but also simpler.

The new configuration option that you can choose instead of "ADFS" is "AuthnRequest SAML 2.0 compatible".

Some details might still change, but what I see so far really provides us with full SAML 2.0 support and a flexible, easy-to-use configuration.
When I first looked into SAML support when it was released, with the limited documentation available, it was really difficult to set up.
With the new version I was able to configure SAML in Domino against an IdP like Jumpcloud in a couple of minutes.

Actually, if you want to play around with SAML in the upcoming Domino 10 public beta, Jumpcloud is a great option.
You can get a free account for up to 10 users, and you don't need to set up your own ADFS server.

-- Daniel
