Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

SAML Support in Domino 10

Daniel Nashed  15 July 2018 09:08:35
SAML support in Domino 9.0.1 is limited to ADFS 2.0 / 3.0 and TFIM (Tivoli Federated Identity Manager).
We got other IdPs such as F5 working by emulating some behavior that is specific to the ADFS implementation, but this was not a fully supported configuration.

With Domino 10 the plan is to have generic SAML 2.0 support and to be compatible with different types of SAML 2.0 implementations.
IBM/HCL cannot test all combinations before Domino 10 ships. But the plan is that if the provider is fully SAML 2.0 compliant, it should work and you get support for it.

I have already looked into the new SAML support in Domino 10 Beta 1 and have tested configuring it with Jumpcloud (https://jumpcloud.com/).
Jumpcloud provides directory/authentication as a service. Some weeks ago I got a partner request to help implement Domino with Jumpcloud.
We ran into issues because of some back-end limitations in the implementation in Domino 9.

With Domino 10 it works like a charm, even without any extra tweaking.
In fact there are changes in the configuration which not only make it more flexible to configure for other SAML 2.0 compliant IdPs, but also simplify the configuration.

The new configuration option that you can choose instead of "ADFS" is "AuthnRequest SAML 2.0 compatible".

Some details might still change, but what I see so far really provides us with full SAML 2.0 support with a flexible and easy to use configuration.
When I first looked into SAML support when it was released, with the limited documentation available, it was really difficult to set up.
With the new version I was able to configure SAML with Domino against an IdP like Jumpcloud in a couple of minutes.

Actually, if you want to play around with SAML with the upcoming Domino 10 public beta, Jumpcloud is a great option.
You can get a free account for up to 10 users and you don't need to set up your own ADFS server.

-- Daniel

Comments

1. Don  16.07.2018 12:32:27  SAML Support in Domino 10

This would be very good news, since we are using Okta and FP9 partially broke the SAML.

2. Daniel Nashed  16.07.2018 15:27:33  SAML Support in Domino 10

Hmmm, I see Okta has a 30-day free trial.

But maybe you can test it once Beta 2 is available and send me feedback?

If it doesn't work I can help you to sort it out :-)

3. mathew murphy  16.07.2018 16:58:21  SAML Support in Domino 10

There seems to be a bug in the SAML implementation, such that if the user name matches a local address book entry, that takes preference over directory assistance -- even if the e-mail address and Notes ID don't match. I've not had much luck getting it looked at by development, though.

4. Daniel Nashed  17.07.2018 14:34:23  SAML Support in Domino 10

Update: Mathew's issue sounds like a very specific issue.

We emailed offline and it does not look like a general issue.

Sounds like a very specific issue in his configuration.

-- Daniel

5. Bernd Ries  21.07.2018 9:56:49  SAML Support in Domino 10

I can confirm that FP9 broke the OKTA SSO for us. I believe it was a bug with setting the RelayState; reverting back to FP8 fixed the problem.
