Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

Domino 10.0.1 FP1 SAML, iNotes, Traveler, ID-Vault working together

Daniel Nashed  9 April 2019 11:08:48
There is an issue in Domino 9.0.1 FP10 and earlier which Milan Matejic posted about and there is also an official technote related to it.

https://milanmatejic.wordpress.com/2019/04/05/saml-ibm-notes-traveler-encrypted-e-mails-issue/

When I read the post I was sort of confused because there are also changes in Domino 10.0.1 FP1 which sound very similar. I had a pending post for FP1 for more detailed information for the notes.ini parameters added.

I checked offline with Milan and we figured out that the new notes.ini settings introduced in FP1 address the same issue he got an hotfix for in 9.0.1 FP10.


With the hotfix Milan got the same notes.ini parameter DISABLE_SAML_FLAG=1 which needs to be set on the server.

The same functionality is available in 10.0.1 FP1 along with another new functionality.

The SPR descriptions for the notes.ini are a bit short. So I asked for a more detailed description (see below).


This addeses issues with iNotes and Traveler. And could also fix issues when another application is using the same C-API calls.

In this case the user wasn't able to decrypt a mail. Also the second parameter could be useful! So if you have SAML enabled for Notes Clients not for HTTP only specially for Traveler you should have both parameters in place!

I did not run into this before, because most of my customers only use SAML for HTTP authentication and not for Notes-Client authentication.

Here is the official technote


User ID files may fail to synchronize with ID Vault for users who are enabled for Web Federated Login or Notes Federated Login

https://www.ibm.com/support/docview.wss?uid=swg21990021


And below you find descriptions from the SPR fixlist along with a more detailed description.

The notes.ini entry can also be helpful if you are leveraging the underlaying C-API calls in your own application and needs to be set on the machine where the code is executed!


-- Daniel



SPR# RGAU9VLHT3
- On the domino server set the following notes.ini (DISABLE_SAML_FLAG=1) to allow for an ID vault sync with a SAML user via the SecIdfget function.

------------------------------------------


DISABLE_SAML_FLAG=1
- There has been a limitation in the public C-API call SecidfGet() that sends the server the client's capabilities.

In this case it was sending to the server that the client could hande SAML as authentication for ID Vault ID download.

The SecidfGet() API does not support SAML for download. It only works with password. But the server will pick SAML over password if the user is enabled for SAML in their effective policy.

iNotes and Traveler are using API when attempting to download the ID file from the Vault, if the ID file is not found in the mail file or the password does not work against the ID file in the mail file.

If the user was configured for SAML in the policy then SECidfGet() would fail and the user would not get the ID file pulled from the Vault and iNotes could not do secure mail operations.

A Notes applications that called this API would have the same issue and would need to set this Notes.ini on the local machine, in order to get it to work.




SPR# LIBAB59NUY
- The ability to enable the upload of a notes ID to the mail file via iNotes can now be enabled on the server using the notes.ini of ENABLE_IDUPLOAD_FOR_SAML=1.

------------------------------------------


ENABLE_IDUPLOAD_FOR_SAML=1
- In this case the customer was attempting to import their ID file into their mail file.
However with SAML enabled for the user the ID file was only being loaded into memory as SAML loads the id file into memory.
So the user would have to import the ID file for each session. With the Notes.ini set, the import will attach the ID file to the Mail file and also push it to the ID Vault


Comments

1Andrey Step  11.04.2019 11:25:19  Domino 10.0.1 FP1 SAML, iNotes, Traveler, ID-Vault working together

It is not clear where to use the second parameter ENABLE_IDUPLOAD_FOR_SAML = 1?

There are three servers - IDVault, Mail (without IDVAULT) and Traveler. Where to use the second parameter? On the mail, traveler or maybe on idvault?

Is it possible to use the parameter on the client side, where only SAML authorization is used?

Thanks for your useful blog!

2Daniel Nashed  11.04.2019 11:56:31  Domino 10.0.1 FP1 SAML, iNotes, Traveler, ID-Vault working together

@Andrey, the notes.ini needs to be set on the machine that exectues the code.

For example on a Traveler server or a Mail server with iNotes.

Does that help?

-- Daniel

3Andrey Step  17.04.2019 13:12:46  Domino 10.0.1 FP1 SAML, iNotes, Traveler, ID-Vault working together

@Daniel, thank you.

I checked on the server iNotes. The Domino server has been upgraded to version 10 and two parameters DISABLE_SAML_FLAG = 1 and ENABLE_IDUPLOAD_FOR_SAML = 1 are applied. Reading encrypted emails is now available.

I have been waiting for a solution for two years. And manually uploaded the id-file to the mail database profile.

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]