Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

SAML Support in Domino 10

Daniel Nashed  15 July 2018 09:08:35
In Domino 9.0.1, SAML support is limited to ADFS 2.0/3.0 and TFIM (Tivoli Federated Identity Manager).
We got other IdPs such as F5 working by emulating behavior that is specific to the ADFS implementation, but this was not a fully supported configuration.

With Domino 10 the plan is to have generic SAML 2.0 support that is compatible with different types of SAML 2.0 implementations.
IBM/HCL cannot test all combinations before Domino 10 ships, but the plan is that if the provider is fully SAML 2.0 compliant it should work and you get support for it.

I have already looked into the new SAML support in Domino 10 Beta 1 and have tested configuring it with Jumpcloud (https://jumpcloud.com/).
Jumpcloud provides directory and authentication as a service. Some weeks ago I got a partner request to help implement Domino with Jumpcloud.
We ran into issues because of some back-end limitations in the Domino 9 implementation.

With Domino 10 it works like a charm, even without any extra tweaking.
In fact the configuration has changed in a way that not only makes it more flexible for other SAML 2.0 compliant IdPs but also simplifies it.

The new configuration option that you can choose instead of "ADFS" is "AuthnRequest SAML 2.0 compatible".

Some details might still change, but what I see so far really provides full SAML 2.0 support with a flexible and easy-to-use configuration.
When I first looked into SAML support when it was released, with the limited documentation available at the time, it was really difficult to set up.
With the new version I was able to configure SAML with Domino against an IdP like Jumpcloud in a couple of minutes.

If you want to play around with SAML with the upcoming Domino 10 public beta, Jumpcloud is a great option.
You can get a free account for up to 10 users and you don't need to set up your own ADFS server.

-- Daniel

Comments

1. Don  16.07.2018 12:32:27  SAML Support in Domino 10

This would be very good news, since we are using Okta and FP9 partially broke the SAML.

2. Daniel Nashed  16.07.2018 15:27:33  SAML Support in Domino 10

Hmmm, I see Okta has a 30-day free trial.

But maybe you can test it once Beta 2 is available and send me feedback?

If it doesn't work I can help you to sort it out :-)

3. mathew murphy  16.07.2018 16:58:21  SAML Support in Domino 10

There seems to be a bug in the SAML implementation, such that if the user name matches a local address book entry, that takes preference over directory assistance -- even if the e-mail address and Notes ID don't match. I've not had much luck getting it looked at by development, though.

4. Daniel Nashed  17.07.2018 14:34:23  SAML Support in Domino 10

Update: Mathew's issue sounds like a very specific issue.

We emailed offline and it does not look like a general issue.

Sounds like a very specific issue in his configuration.

-- Daniel

5. Bernd Ries  21.07.2018 9:56:49  SAML Support in Domino 10

I can confirm that FP9 broke the OKTA SSO for us. I believe it was a bug with setting the RelayState; reverting back to FP8 fixed the problem.

6. Don  12.02.2019 14:56:41  SAML Support in Domino 10

We've updated our own server to Domino 10.0.1 and most of the SAML settings work...

We've changed to "AuthnRequest SAML 2.0 compatible" but when we go to our own url then Domino does not redirect to the SAML login screen automatically.

I've entered the "Single sign-on service URL" and the "Artifact resolution service URL" but somehow when I login or logout directly Domino does not redirect.

Is there anything else that we should change now that we are on Domino 10?

(btw: when starting from Okta, or going to the redirect URL and then logging in, it already works perfectly)

7. Don  12.02.2019 20:59:21  SAML Support in Domino 10

Finally got it to work. Needed to modify the metadata.xml a little, but everything is working now!

Login / logout redirects to Okta perfectly!

Will probably check out ADFS also somewhere in the coming months. If anybody had some good documentation on this that would be nice... ;-)

8. Kristian Aaskilde  19.02.2019 15:38:07  SAML Support in Domino 10

Don, what changes did you make to the metadata.xml file?

I have upgraded our Domino server to 10.0.1, replaced design on the idpcat.nsf, then changed it to use "AuthnRequest SAML 2.0 compatible".

However I do not see the Artifact resolution service URL in the metadata.xml file from OKTA so I have left that blank.

I can login via OKTA with one of our test users, but when it then hits Domino I get asked to login again and it doesn't work with the test user, but I can use my own user to get access.

I see some outputs in the Domino console, but I haven't made anything out of it yet.

"SECAuthnRequestSignData> SEC_CM_GETMeCerts error The cryptographic key was not found

[0624:000A-0CDC] 19-02-2019 09:44:45,19 SECAuthnRequestSignData> Exiting : 1731

[0624:000A-0CDC] ProduceSaml2AuthnReply: Unable to sign AuthnRequest The cryptographic key was not found"

Any assistance would be much appreciated.

Cheers

Kristian

9. Don  24.04.2019 14:22:30  SAML Support in Domino 10

Hi Kristian,

I'm sorry I did not see your question earlier, but we have full documentation on how to get this working with Okta which I'm happy to provide.

Send an e-mail to info@changetocomm.nl if you want

10. Don  24.04.2019 14:35:12  SAML Support in Domino 10

btw: the change to the metadata.xml: remove all spaces!

Okta generates this with line spaces, so manually remove these in Notepad++ first.

11. Don  10.05.2019 17:20:12  SAML Support in Domino 10

We're interested in trying out different options because we want to connect using a local supplier also, but cannot get it to work.

@Daniel: do you have the configuration that works for you in Jumpcloud for us? Maybe we can try this out and see if this gives us hints on the setup that is working.

12. David Hablewitz  14.06.2019 20:23:56  SAML Support in Domino 10

Any word on if FP10 fixed the issues mentioned here that FP9 broke it? I am looking at setting up Domino 9.0.1 FP10 HF66 with Okta.

13. Daniel Nashed  14.06.2019 22:23:14  SAML Support in Domino 10

@David, you really have to move to Domino 10.0.1 FP2!

Domino 9.0.1 has only support for ADFS and Tivoli!

Domino 10.x supports any SAML 2.0 provider and has enhancements to the configuration as well to make installation easier.

But for anything that is not ADFS, Domino 10 is actually the only way to get it implemented without tweaks.

-- Daniel

14. Lily  27.08.2019 5:43:52  SAML Support in Domino 10

Hi @Daniel,

Do you have any steps to configure Domino 10.0.1 and other IdPs using SAML 2.0 authentication? From the Domino user guide, I found it difficult to configure. I hope you can give me some advice, and that you have some steps for the configuration.

Thanks,

Lily

15. Bernd Gewehr  11.09.2019 9:54:25  SAML Support in Domino 10

@Daniel, did you successfully test SAML with Domino V10 with AzureAD?

16. Greg Walrath  04.11.2019 20:00:01  SAML Support in Domino 10

@Bernd - I have implemented Domino 10.0.1.2 in test and production with Azure AD. Mostly, it's working.

In production I'm in a weird situation. I've been using two load-balanced web servers for years for our Domino intranet. With all the setup done correctly, SAML authentication works great against one server, but not the other. On the other server I see the error that Kristian noted above, with SEC_CM_GETMeCerts error.

I have a ticket open with HCL now trying to get this resolved.

17. Ian  16.01.2020 16:39:05  SAML Support in Domino 10

@Daniel

We are looking to implement SSO for IBM Domino (both Client & Web), but using Azure AD.

Do you have any guides to follow on this or anything we need to be wary of during the setup?

Thanks

18. John  08.04.2020 21:53:58  SAML Support in Domino 10

We have Domino 10.1 FP2 and are setting up SAML using third party idp. How are you handling name mapping between the idp (via the assertion) and Notes/Domino? Is it through Directory Assistance or other method? Or do you require the idp to use a certain attribute name for the user id?

Thanks

19. Daniel Nashed  09.04.2020 11:00:53  SAML Support in Domino 10

@John, you need a common attribute. Currently only email is supported.

But others work as long as they are unique in $users.

In SAML the NameID is mapped to the email address.

You have to have the email address in your IdP's directory and the IdP takes it from there.

-- Daniel

20. John  09.04.2020 14:25:13  SAML Support in Domino 10

@Daniel, thanks for your response. The problem is that we are not using email as the unique identifier. It is a different value. And I cannot put that value in the user's email field in their user document in the NAB, because the email address is used in apps.

The situation you are describing sounds like the active directory setup, which this technically is not that. To your knowledge, is it possible for the IdP to send the unique identifier in a prescribed "field" in the assertion and for SAML on the Notes side to either inherently recognize and map to a value, say, in the user name field of the user doc or for us to map between the two?

Hopefully I am making sense with our requirements.

21. Daniel Nashed  09.04.2020 23:46:57  SAML Support in Domino 10

@John, as I described, the only officially supported configuration is NameID to email address.

We got it working with other values that are unique in the $users view. But this is still not officially supported.

If you need to get this supported you have to contact HCL. I personally don't see an issue, but I cannot tell you that it is supported.

I see a support issue and not a technical one. You could open a ticket and ask officially. Let me know how that goes. You can also contact me by email.

-- Daniel

22. John  17.04.2020 16:57:09  SAML Support in Domino 10

@Daniel, we ended up getting it to work by using the InternetAddress field to store the unique identifier. I was trying to avoid that so that I did not have to remove the email value, but as we don't use Notes mail, it should not be a problem. We only need the MailAddress (Forwarding Address) to programmatically send emails.

What I did find was that SAML authentication first checks for InternetAddress. If the field is not empty, that is the only place it checks. If the field is empty, it will check the FullName (User name) field.

Someday down the line, it would be nice to figure out how to set up mapping or to do what you did, "We got it working with another values that are unique in the $users view." But for now we can make the out-of-the-box way work for us. Thanks again for your feedback.
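
The mapping Daniel and John describe, NameID compared against InternetAddress, FullName consulted only when InternetAddress is empty, and the match required to be unique in $users, as an added Python example. This is my own code written from the thread, not Domino's implementation, and the lookup precedence is John's observation rather than anything verified against Domino's source. Before touching the NameID it also performs the checks an SP must make on any assertion: Success status, NotBefore/NotOnOrAfter with a small clock-skew allowance, and Audience. The response, the directory entries, the audience value, the timestamps and the 60-second skew are constructed; verification of the IdP's XML signature on the response is assumed to have already passed and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(seconds=60)          # assumed tolerance for IdP/SP clock drift
AUDIENCE = "https://domino.example.com"     # constructed SP entity ID
SAMPLE_NOW = datetime(2020, 4, 9, 10, 0, tzinfo=timezone.utc)
EXPIRED_NOW = SAMPLE_NOW + timedelta(minutes=10)

# Constructed sample response (not captured from a real IdP). It carries no
# signature: the XML-DSig check is assumed to have happened before this step.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2020-04-09T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-04-09T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">JDoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-04-09T09:55:00Z" NotOnOrAfter="2020-04-09T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://domino.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed stand-in for the person documents the $users view indexes.
DIRECTORY = [
    {"FullName": ["CN=Jane Doe/O=Example", "Jane Doe"], "InternetAddress": "jdoe@example.com"},
    {"FullName": ["CN=Bob Roe/O=Example", "EMP-0042"], "InternetAddress": ""},
    {"FullName": ["CN=Dup One/O=Example"], "InternetAddress": "shared@example.com"},
    {"FullName": ["CN=Dup Two/O=Example"], "InternetAddress": "shared@example.com"},
]


def _saml_time(value: str) -> datetime:
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def extract_name_id(response_xml: str, now: datetime, audience: str) -> str:
    """Return the NameID after checking status, validity window and audience."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no plaintext Assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if "NotBefore" in cond.attrib and now + CLOCK_SKEW < _saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now - CLOCK_SKEW >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        raise ValueError("assertion was issued for a different audience")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    return name_id.text.strip()


def _matches(person: dict, key: str) -> bool:
    """Per-document rule as John reports it: a non-empty InternetAddress is the
    only field compared; FullName is consulted only when InternetAddress is empty.
    Case-insensitive comparison is my choice, not a documented Domino behaviour."""
    address = person.get("InternetAddress", "").strip().lower()
    if address:
        return address == key
    return any(n.strip().lower() == key for n in person.get("FullName", []))


def resolve_person(name_id: str, directory: list) -> dict:
    """Map a NameID to exactly one person document; any ambiguity is a hard failure."""
    key = name_id.strip().lower()
    hits = [p for p in directory if _matches(p, key)]
    if not hits:
        raise LookupError("no person document matches NameID %r" % name_id)
    if len(hits) > 1:
        raise LookupError("NameID %r matches %d person documents; it must be unique" % (name_id, len(hits)))
    return hits[0]


def authenticate(response_xml: str, now: datetime, audience: str, directory: list) -> dict:
    """Full SP-side step: validate the assertion, then resolve its subject."""
    return resolve_person(extract_name_id(response_xml, now, audience), directory)


if __name__ == "__main__":
    print(authenticate(SAMPLE_RESPONSE, SAMPLE_NOW, AUDIENCE, DIRECTORY)["FullName"][0])
```

The duplicate "shared@example.com" entries show why Daniel insists on uniqueness: a lookup that silently took the first hit would let whichever document sorts first claim the login, so the example refuses the match instead. The "EMP-0042" entry is the unsupported variant from the thread, a non-email identifier carried in FullName and matched only because that document's InternetAddress is empty.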

23. Paul  14.05.2020 16:56:22  SAML Support in Domino 10

Hi

We have Version 10 of Domino setting up an Azure Active Directory acting as the SAML token for Single Sign on.

We have managed to get this working for web based applications, however when we try to log on to the Notes client, we get the following error message after the message download ID from ID Vault:

'Network error: the message content was unexpected or the message has been corrupted'

We have tried different configuration settings and enabled debugging on the server, but nothing has shed any light on it.

Has anyone had any experience of the above error and could perhaps provide a solution or some pointers?
