Domino Consulting - HCL Domino Administrator 11.0.1 Help

SECURING

Enabling Notes federated login

Enable Notes federated login to allow Notes clients users to start Notes and perform secure operations without being prompted for a Notes ID password.

Before you begin

Complete the following prerequisites:

If you are also using Web federated login, enable itEnable Web federated login to allow iNotes users to perform secure operations such as signing and decrypting messages without being prompted for a Notes ID password. and test that it works.
Before you enable Notes federated login for all Notes client users, enable it for a test user and test that Notes federated login works for that user.
In any security policies that are applied to Notes® users whom you plan to include in Notes federated login, disable synchronizing the Notes client password with the Internet password.
See the table of client configurations that are incompatible with federated login in the topicUsing Security Assertion Markup Language (SAML) to configure federated-identity authenticationFederated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. In Domino and Notes, federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS. .
Complete all the steps in the section Configuring ID vault servers for federated SAML loginComplete the steps in this section if you want to use Web federated login or Notes federated login. After enabled, iNotes users and Notes client users, respectively, access the Notes ID file in the ID vault without being prompted for the password. If your IdP is ADFS, you can also configure Integrated Windows Authentication (IWA) so that iNotes users or Notes clients users aren't prompted for the IdP name and password. .

Procedure

1. In the Domino Directory, open the existing Security Settings policy for users of your organization’s ID vault.

2. On the ID Vault tab, make sure there is an assigned vault.

3. Select the Password Management -> Federated Login tab.

4. Select Yes for Enable Notes federated login with SAML IdP.

5. For client users who have upgraded to 9.0.1, when the policy is initially being deployed, underAdditional settings for Federated Login (Notes or Web), select Yes forAllow password authentication with the ID vault.

Tip:

After a user has been verified to be working with federated login, it is a recommended security improvement to change

Allow password authentication with the ID vault

to No. When password authentication with the ID vault is not allowed, the user is required to authenticate to the vault using federated login in order to download the user's id for either Notes or Web use. Because this policy setting controls both Notes and Web behavior with the ID vault, change the setting to No only if federated login should be used exclusively.

6. Optional: Create custom messages for users to notify them when federated login is either enabled or disabled.

7. Select the Keys and Certificates tab.

8. To add the Notes certifier to the policy, in theAdministrative Trust Defaults section, click Update Links.

9. Choose Selected supported and click OK.

10. Click the Notes Certifiers tab, select the certificates which signed the IDs of the Notes users, and click OK.

Note:

If the IDs are signed by an Organization Unit (OU) certificate, include all certificates in the hierarchy, including the Organizational certificate.

11. Click the Internet Cross Certificates tab, select the cross certificate from the Notes root certifier to the certificate exported from either ADFS or TFIM 2.0, and clickOK.

12. Click the Internet Certificates tab, select the SSL certificate exported from either ADFS or TFIM 2.0, and click OK.

13. Verify that a chain of at least three certificates is shown (more if there are organization unit certificates): the Notes certifier at the top, the internet cross certificate in the middle, and the internet certificate at the bottom.

For example:

An an example of a chain of three certificates.

14. Optional: Enter a formula under Machine specific formula to apply the policy to specific computers for clients who have multiple computers.

15. Save and close the security policy.

16. From the Domino Administrator, open the ID vault application (idvault.nsf), which by default is stored in theIBM_ID_VAULT directory. Complete the following steps:

From the Configuration view, open the vault document for the vault that will be configured for SAML authentication.

b. In the field Notes federated login approved IdP configurations, enter the host name from the Host names or addresses mapped to this site field of the ID vault server IdP configuration document, for examplevault.domino1.us.renovations.com.

c. Click Save & Close.

What to do next

Testing Notes federated loginIf you enable Notes federated login, use your test user to test that it is working.

Testing Notes federated login

If you enable Notes federated login, use your test user to test that it is working.

Using Notes federated login in combination with Notes Shared Login to support offline users (Windows only)
If your organization uses Windows™ for your Notes clients, you can configure a combination of Notes federated login and the Notes shared login feature. The Notes shared login feature ensures that the Notes user will not be prompted for an ID file password, and this feature is needed if the Notes client operates offline. If there is any situation where the Notes client id file is missing from the desktop, Notes federated login feature ensures that SAML authentication can be used to retrieve the user's ID file from the vault (SAML authentication must be accomplished when the Notes client is operating online).

Parent topic: Using Security Assertion Markup Language (SAML) to configure federated-identity authentication

Help on Help

All Help Contents

Help on Help

All Help Contents