Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Daniel Nashed


SAML Support in Domino 10

Daniel Nashed  15 July 2018 07:08:35
SAML support in Domino 9.0.1 is limited to ADFS 2.0 / 3.0 and TFIM (Tivoli Federated Identity Manager).
We got other IdPs like F5 working by emulating some behavior that is specific to the ADFS implementation. But this wasn't a fully supported configuration.

With Domino 10 the plan is to have generic SAML 2.0 support and to be compatible with different types of SAML 2.0 implementations.
IBM/HCL cannot test all combinations before Domino 10 ships. But the plan is that if the provider is fully SAML 2.0 compliant, it should work and you get support for it.

I have already looked into the new SAML support in Domino 10 Beta 1 and have tested configuring it with Jumpcloud (https://jumpcloud.com/).
Jumpcloud provides directory/authentication as a service. Some weeks ago I got a partner request to help implement Domino with Jumpcloud.
We ran into issues because of some back-end limitations in the implementation in Domino 9.

With Domino 10 it works like a charm even without any extra tweaking.
In fact there are changes in the configuration which not only make it more flexible to configure for other SAML 2.0 compliant IdPs but also simplify the configuration.

The new configuration option that you can choose instead of "ADFS" is "AuthnRequest SAML 2.0 compatible".

Some details might still change, but what I see so far really provides us with full SAML 2.0 support with a flexible and easy to use configuration.
When I first looked into SAML support when it was released, with the limited documentation available, it was really difficult to set up.
With the new version I was able to configure SAML with Domino against an IdP like Jumpcloud in a couple of minutes.

Actually, if you want to play around with SAML with the upcoming Domino 10 public beta, Jumpcloud is a great option.
You can get a free account for up to 10 users and you don't need to set up your own ADFS server.

-- Daniel

Comments

1. Don  16.07.2018 10:32:27  SAML Support in Domino 10

This would be very good news, since we are using Okta and FP9 partially broke the SAML.

2. Daniel Nashed  16.07.2018 13:27:33  SAML Support in Domino 10

Hmmm I see Okta has a 30-days free trial.

But maybe you can test it once Beta 2 is available and send me feedback?

If it doesn't work I can help you to sort it out :-)

3. mathew murphy  16.07.2018 14:58:21  SAML Support in Domino 10

There seems to be a bug in the SAML implementation, such that if the user name matches a local address book entry, that takes preference over directory assistance -- even if the e-mail address and Notes ID don't match. I've not had much luck getting it looked at by development, though.

4. Daniel Nashed  17.07.2018 12:34:23  SAML Support in Domino 10

Update: Mathew's issue sounds like a very specific issue.

We emailed offline and it does not look like a general issue.

Sounds like a very specific issue in his configuration.

-- Daniel

5. Bernd Ries  21.07.2018 7:56:49  SAML Support in Domino 10

I can confirm that FP9 broke the OKTA SSO for us, I believe a bug with setting the RelayState; reverting back to FP8 fixed the problem.

6. Don  12.02.2019 13:56:41  SAML Support in Domino 10

We've updated our own server to Domino 10.0.1 and most of the SAML settings work...

We've changed to "AuthnRequest SAML 2.0 compatible" but when we go to our own URL then Domino does not redirect to the SAML login screen automatically.

I've entered the "Single sign-on service URL" and the "Artifact resolution service URL" but somehow when I login or logout directly Domino does not redirect.

Is there anything else that we should change now that we are on Domino 10?

(btw: when starting from Okta or going to the redirect URL and then logging in, it already works perfectly)

7. Don  12.02.2019 19:59:21  SAML Support in Domino 10

Finally got it to work. Needed to modify the metadata.xml a little but everything is working now!

Login / logout redirects to Okta perfectly!

Will probably check out ADFS also somewhere in the coming months. If anybody had some good documentation on this that would be nice... ;-)

8. Kristian Aaskilde  19.02.2019 14:38:07  SAML Support in Domino 10

Don, what changes did you make to the metadata.xml file?

I have upgraded our Domino server to 10.0.1, replaced design on the idpcat.nsf, then changed it to use "AuthnRequest SAML 2.0 compatible".

However I do not see the Artifact resolution service URL in the metadata.xml file from OKTA so I have left that blank.

I can login via OKTA with one of our test users, but when it then hits Domino I get asked to login again and it doesn't work with the test user, but I can use my own user to get access.

I see some outputs in the Domino console, but I haven't made anything out of it yet.

"SECAuthnRequestSignData> SEC_CM_GETMeCerts error The cryptographic key was not found

[0624:000A-0CDC] 19-02-2019 09:44:45,19 SECAuthnRequestSignData> Exiting : 1731

[0624:000A-0CDC] ProduceSaml2AuthnReply: Unable to sign AuthnRequest The cryptographic key was not found"

Any assistance would be much appreciated.

Cheers

Kristian

9. Don  24.04.2019 12:22:30  SAML Support in Domino 10

Hi Kristian,

I'm sorry but I did not see your question earlier, but we have full documentation on how to get this working with Okta which I'm happy to provide.

Send an e-mail to info@changetocomm.nl if you want

10. Don  24.04.2019 12:35:12  SAML Support in Domino 10

btw: the change to the metadata.xml: remove all spaces!

Okta generates this with line spaces, so manually remove them in Notepad++ first

11. Don  10.05.2019 15:20:12  SAML Support in Domino 10

We're interested in trying out different options because we want to connect using a local supplier also but cannot get it to work.

@Daniel: do you have the configuration that works for you in Jumpcloud for us? Maybe we can try this out and see if this gives us hints on the setup that is working.

12. David Hablewitz  14.06.2019 18:23:56  SAML Support in Domino 10

Any word on whether FP10 fixed the issues mentioned here that FP9 broke? I am looking at setting up Domino 9.0.1 FP10 HF66 with Okta.

13. Daniel Nashed  14.06.2019 20:23:14  SAML Support in Domino 10

@David, you really have to move to Domino 10.0.1 FP2!

Domino 9.0.1 has only support for ADFS and Tivoli!

Domino 10.x supports any SAML 2.0 provider and has enhancements to the configuration as well to make installation easier.

But for anything that is not ADFS, Domino 10 is actually the only way to get it implemented without tweaks.

-- Daniel

14. Lily  27.08.2019 3:43:52  SAML Support in Domino 10

Hi @Daniel,

Do you have any steps to configure Domino 10.0.1 and other IdPs using SAML 2.0 authentication? From the Domino user guide I found it difficult to configure; I hope you can give me some advice and some steps to configure it.

Thanks,

Lily

15. Bernd Gewehr  11.09.2019 7:54:25  SAML Support in Domino 10

@Daniel, did you successfully test SAML with Domino V10 with AzureAD?

16. Greg Walrath  04.11.2019 19:00:01  SAML Support in Domino 10

@Bernd - I have implemented Domino 10.0.1.2 in test and production with Azure AD. Mostly, it's working.

In production I'm in a weird situation. I've been using two load-balanced web servers for years for our Domino intranet. With all the setup done correctly, SAML authentication works great against one server, but not the other. On the other server I see the error that Kristian noted above with the SEC_CM_GETMeCerts error.

I have a ticket open with HCL now trying to get this resolved.

17. Ian  16.01.2020 15:39:05  SAML Support in Domino 10

@Daniel

We are looking to implement SSO for IBM Domino (both Client & Web), but using Azure AD.

Do you have any guides to follow on this or anything we need to be wary of during the setup?

Thanks

18. John  08.04.2020 19:53:58  SAML Support in Domino 10

We have Domino 10.1 FP2 and are setting up SAML using a third party IdP. How are you handling name mapping between the IdP (via the assertion) and Notes/Domino? Is it through Directory Assistance or another method? Or do you require the IdP to use a certain attribute name for the user id?

Thanks

19. Daniel Nashed  09.04.2020 9:00:53  SAML Support in Domino 10

@John, you need a common attribute. Currently only email is supported.

But others work as long as they are unique in $users.

In SAML the NameID is mapped to the email address.

You have to have the email address in your IdP's directory and the IdP takes it from there.

-- Daniel

20. John  09.04.2020 12:25:13  SAML Support in Domino 10

@Daniel, thanks for your response. The problem is that we are not using email as the unique identifier. It is a different value. And I cannot put that value in the user's email field in their user document in the NAB, because the email address is used in apps.

The situation you are describing sounds like the Active Directory setup, which this technically is not. To your knowledge, is it possible for the IdP to send the unique identifier in a prescribed "field" in the assertion and for SAML on the Notes side to either inherently recognize and map it to a value, say, in the user name field of the user doc, or for us to map between the two?

Hopefully I am making sense with our requirements.

21. Daniel Nashed  09.04.2020 21:46:57  SAML Support in Domino 10

@John, as I described. The only officially supported configuration is NameID to email address.

We got it working with other values that are unique in the $users view. But this is still not officially supported.

If you need to get this supported you have to contact HCL. I personally don't see an issue, but I cannot tell you that it is supported.

I see a support and not a technical issue. You could open a ticket and ask officially. Let me know how that goes. You can also contact me by email.

-- Daniel

22. John  17.04.2020 14:57:09  SAML Support in Domino 10

@Daniel, we ended up getting it to work by using the InternetAddress field to store the unique identifier. I was trying to avoid that so that I did not have to remove the email value, but as we don't use Notes mail, it should not be a problem. We only need the MailAddress (Forwarding Address) to programmatically send emails.

What I did find was that SAML authentication first checks for InternetAddress. If the field is not empty, that is the only place it checks. If the field is empty, it will check the FullName (User name) field.

Someday down the line, it would be nice to figure out how to set up mapping or to do what you did, "We got it working with another values that are unique in the $users view." But for now we can make the out-of-the-box way work for us. Thanks again for your feedback.

23. Paul  14.05.2020 14:56:22  SAML Support in Domino 10

Hi

We have Domino Version 10 and are setting up Azure Active Directory acting as the SAML token provider for single sign-on.

We have managed to get this working for web based applications, however when we try to log on to the Notes client, we get the following error message after the "download ID from ID Vault" message:

'Network error: the message content was unexpected or the message has been corrupted'

We have tried different configuration settings and enabled debugging on the server but nothing has shone any light on it.

Has anyone had any experience of the above error and could perhaps provide a solution or some pointers?

24. Rene  21.01.2021 13:11:31  SAML Support in Domino 10

@Daniel, thanks for your always brilliant input.

We have an older SAML implementation working with both Domino R9.0.1 and Domino V11.0.1, where the SAML configuration was just moved from Domino 9 to Domino 11 when we migrated. No edit of the configuration.

SAML is only used for SSO web login, and is configured using Internet Site documents.

We are trying to configure an ADFS 5.0 solution, but it seems like the Domino web server does not recognise or approve of the IdP configuration, and is displaying an unusual white username/password login box. It is actually strange that the old yellow one is not displayed. No errors or warnings are displayed.

We cannot figure out if the Domino web server is ignoring the configuration or not picking it up at all.

Do you have any knowledge about Domino v11.0.1 and ADFS 5.0 support? I do not seem to be able to find any mention of this anywhere. I can find ADFS 4.0 mentioned.

25. Daniel Nashed  22.01.2021 11:09:21  SAML Support in Domino 10

@Rene,

I have not looked into ADFS 5.0, but as long as it is SAML 2.0 compliant, Domino 10.0.1 and higher SAML configurations should work.

Sent you a mail with some detailed questions.

-- Daniel

26. Henrik  20.05.2022 9:46:22  SAML Support in Domino 10

Hi,

Thanks for your blog. Using "AuthnRequest SAML 2.0 compatible", just fixed all the problems.

We don't have the users in the NAB.

Do you know if it is possible to access additional claims (e.g. company name or user role) from the SAML assertion?

27. Mike Robinson  02.09.2022 8:49:15  SAML Support in Domino 10

I found this interesting. I am trying to configure federated logon with Notes and Domino 12 and Jumpcloud. I keep getting this when I start the HTTP task:

[0410:0002-1164] 09/02/2022 04:47:41 AM HTTP Server: SAML configuration error. SAML is enabled for server [web], but no active IdP configuration could be loaded.

[0410:0002-1164] 09/02/2022 04:47:41 AM HTTP Server: Warning - SAML and Windows Single Sign-on cannot be enabled together. Ignoring Windows Single Sign-on.

I can fix the second issue, but how do I fix the first issue? I noticed that the metadata from Jumpcloud doesn't include an encryption certificate, and based on the tool tip in the IdP doc it implies that this should come from the metadata from the IdP. How did you get it to work with Domino?
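Several comments above trip over the same three things in an IdP's metadata.xml: whether it contains an Artifact resolution service URL at all (Kristian), whether it publishes an encryption certificate besides the signing one (Mike), and the pretty-printing whitespace that Don had to strip before Domino would accept the file. The following Python check is an added example, not code from the blog, HCL or any IdP vendor; it reads such a file with the standard library and reports those values. The sample metadata, its URLs and the certificate text are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape an IdP exports it: pretty-printed, one signing key,
# no encryption key and no ArtifactResolutionService. All values are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIB...PLACEHOLDER...
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def inspect_metadata(xml_text):
    """Return the values a Domino IdP configuration document asks for; None means absent."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")
    def location(tag):  # Location attribute of the first matching endpoint, if any
        el = idp.find(tag, NS)
        return el.get("Location") if el is not None else None
    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            if cert:  # ignore descriptors that carry no X509Certificate
                certs.setdefault(use, re.sub(r"\s+", "", cert))  # drop line breaks in the base64
    return {"entityID": root.get("entityID"),
            "sso_url": location("md:SingleSignOnService"),
            "artifact_resolution_url": location("md:ArtifactResolutionService"),
            "name_id_format": idp.findtext("md:NameIDFormat", namespaces=NS),
            "signing_cert": certs.get("signing"),
            "encryption_cert": certs.get("encryption")}

def compact_metadata(xml_text):
    """Collapse pretty-printing: one space inside tags, none between tags or in certificate text."""
    text = re.sub(r"> <", "><", re.sub(r"\s+", " ", xml_text.strip()))
    return re.sub(r"(<ds:X509Certificate>)\s*([^<]*?)\s*(</ds:X509Certificate>)",
                  lambda m: m.group(1) + m.group(2).replace(" ", "") + m.group(3), text)
```

Run `inspect_metadata` on the real file first: a missing `artifact_resolution_url` means that field in the IdP configuration document has nothing to be filled with, and a missing `encryption_cert` means the IdP only signs and does not encrypt assertions.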
