Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

SAML Support in Domino 10

Daniel Nashed  15 July 2018 09:08:35
SAML support in Domino 9.0.1 is limited to ADFS 2.0 / 3.0 and TFIM (Tivoli Federated Identity Manager).
We got other IdPs such as F5 working by emulating some behavior that is specific to the ADFS implementation, but this was not a fully supported configuration.

With Domino 10 the plan is to have generic SAML 2.0 support that is compatible with different types of SAML 2.0 implementations.
IBM/HCL cannot test all combinations before Domino 10 ships, but the plan is that if the provider is fully SAML 2.0 compliant it should work and you get support for it.

I have already looked into the new SAML support in Domino 10 Beta 1 and have tested configuring it with Jumpcloud (https://jumpcloud.com/).
Jumpcloud provides directory/authentication as a service. Some weeks ago I got a partner request to help implement Domino with Jumpcloud.
We ran into issues because of some back-end limitations in the Domino 9 implementation.

With Domino 10 it works like a charm, even without any extra tweaking.
In fact the configuration has changed in a way that not only makes it more flexible for other SAML 2.0 compliant IdPs but also simplifies it.

The new configuration option that you can choose instead of "ADFS" is "AuthnRequest SAML 2.0 compatible".

Some details might still change, but what I see so far really provides full SAML 2.0 support with a flexible and easy-to-use configuration.
When I first looked into SAML support when it was released, with the limited documentation available at the time, it was really difficult to set up.
With the new version I was able to configure SAML with Domino against an IdP like Jumpcloud in a couple of minutes.

If you want to play around with SAML in the upcoming Domino 10 public beta, Jumpcloud is a great option.
You can get a free account for up to 10 users and you don't need to set up your own ADFS server.

-- Daniel

Comments

1. Don  16.07.2018 12:32:27  SAML Support in Domino 10

This would be very good news, since we are using Okta and FP9 partially broke the SAML.

2. Daniel Nashed  16.07.2018 15:27:33  SAML Support in Domino 10

Hmmm I see Okta has a 30-days free trial.

But maybe you can test it once Beta 2 is available and send me feedback?

If it doesn't work I can help you to sort it out :-)

3. mathew murphy  16.07.2018 16:58:21  SAML Support in Domino 10

There seems to be a bug in the SAML implementation, such that if the user name matches a local address book entry, that takes preference over directory assistance -- even if the e-mail address and Notes ID don't match. I've not had much luck getting it looked at by development, though.

4. Daniel Nashed  17.07.2018 14:34:23  SAML Support in Domino 10

Update: Mathew's issue sounds like a very specific issue.

We emailed offline and it does not look like a general issue.

Sounds like a very specific issue in his configuration.

-- Daniel

5. Bernd Ries  21.07.2018 9:56:49  SAML Support in Domino 10

I can confirm that FP9 broke the OKTA SSO for us; I believe it was a bug with setting the RelayState. Reverting back to FP8 fixed the problem.

6. Don  12.02.2019 14:56:41  SAML Support in Domino 10

We've updated our own server to Domino 10.0.1 and most of the SAML settings work...

We've changed to "AuthnRequest SAML 2.0 compatible", but when we go to our own URL, Domino does not redirect to the SAML login screen automatically.

I've entered the "Single sign-on service URL" and the "Artifact resolution service URL" but somehow when I login or logout directly Domino does not redirect.

Is there anything else that we should change now that we are on Domino 10?

(btw: when starting from Okta or going to the redirect URL and then logging in, it works perfectly already)

7. Don  12.02.2019 20:59:21  SAML Support in Domino 10

Finally got it to work. Needed to modify the metadata.xml a little, but everything is working now!

Login / logout redirects to Okta perfectly!

Will probably check out ADFS also somewhere in the coming months. If anybody has some good documentation on this, that would be nice... ;-)

8. Kristian Aaskilde  19.02.2019 15:38:07  SAML Support in Domino 10

Don, what changes did you make to the metadata.xml file?

I have upgraded our Domino server to 10.0.1, replaced design on the idpcat.nsf, then changed it to use "AuthnRequest SAML 2.0 compatible".

However I do not see the Artifact resolution service URL in the metadata.xml file from OKTA so I have left that blank.

I can login via OKTA with one of our test users, but when it then hits Domino I get asked to login again and it doesn't work with the test user, but I can use my own user to get access.

I see some outputs in the Domino console, but I haven't made anything out of it yet.

"SECAuthnRequestSignData> SEC_CM_GETMeCerts error The cryptographic key was not found

[0624:000A-0CDC] 19-02-2019 09:44:45,19 SECAuthnRequestSignData> Exiting : 1731

[0624:000A-0CDC] ProduceSaml2AuthnReply: Unable to sign AuthnRequest The cryptographic key was not found"

Any assistance would be much appreciated.

Cheers

Kristian
