Federated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. In Domino® and Notes®, federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS.
About this task
SAML authentication allows a user to authenticate once with a designated identity provider (IdP), after which the user can access any server that is partnered with the IdP. Both Notes client and web client users can make use of SAML-based authentication. Authentication depends upon signed XML identity assertions issued by the IdP and validated by the partnered server. The result for the user is transparent authentication and single sign-on: one authentication event grants access to multiple Domino web servers and applications, as well as any third-party applications that are also partnered with the IdP. The IdP determines the method of that one-time authentication; it might prompt the user for a password, or use a non-password authentication method such as Integrated Windows™ authentication (SPNEGO/Kerberos) for users within an intranet.
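As an added illustration of what "signed XML identity assertions" means in practice (this is example code, not HCL Domino code, and it does not show how Domino validates assertions internally), the following script parses a constructed SAML 2.0 assertion and enforces the checks a service provider must make before trusting it: that a signature element is present, that the Issuer is the partnered IdP, that the AudienceRestriction names this service provider, that the NotBefore/NotOnOrAfter window covers the current time (with a small clock-skew allowance), and that the assertion ID has not been seen before (replay). The entity IDs, timestamps and assertion content are hypothetical sample data. Cryptographic verification of the signature itself against the IdP certificate requires an XML-DSig implementation (for example the signxml or xmlsec packages) and is deliberately left out here.

```python
"""Validate the security-relevant fields of a SAML 2.0 assertion.

Added example; not HCL Domino code. The assertion, entity IDs and
timestamps are constructed sample data. Signature *verification* needs an
XML-DSig library and the IdP certificate; this script only insists that a
ds:Signature element is present, then enforces the checks a service
provider must make even after the signature verifies.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical entity IDs for the IdP (ADFS-style URL) and the Domino SP.
IDP_ENTITY_ID = "https://idp.example.com/adfs/services/trust"
SP_ENTITY_ID = "https://mail.example.com/"

# Constructed sample assertion; the SignatureValue is a placeholder, not a real signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_7d3f1c0e" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mail.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


class SamlValidationError(Exception):
    """Raised when an assertion must not be accepted."""


def _parse_ts(value):
    # SAML timestamps are xsd:dateTime in UTC; fromisoformat() wants +00:00 rather than Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now, seen_ids, expected_issuer=IDP_ENTITY_ID,
                       expected_audience=SP_ENTITY_ID, skew=timedelta(seconds=60)):
    """Return {"id", "name_id", "issuer"} for an acceptable assertion, else raise.

    `now` may be a timezone-aware datetime or an ISO-8601 string such as
    "2024-05-01T12:01:00Z". `seen_ids` is the caller's replay cache (a set).
    """
    if isinstance(now, str):
        now = _parse_ts(now)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise SamlValidationError("not a SAML 2.0 Assertion element")
    # The signature is the entire basis of trust: an unsigned assertion is rejected
    # outright, and a signed one must be verified by an XML-DSig library before
    # any of the remaining fields are believed.
    if root.find("ds:Signature", NS) is None:
        raise SamlValidationError("assertion is not signed")
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        raise SamlValidationError("unexpected issuer %r" % issuer)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise SamlValidationError("assertion has no Conditions element")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < _parse_ts(not_before):
        raise SamlValidationError("assertion not yet valid")
    if not_on_or_after and now - skew >= _parse_ts(not_on_or_after):
        raise SamlValidationError("assertion expired")
    # An assertion minted for another SP must not be accepted here.
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        raise SamlValidationError("assertion not addressed to this service provider")
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise SamlValidationError("missing or replayed assertion ID")
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        raise SamlValidationError("assertion has no Subject NameID")
    seen_ids.add(assertion_id)
    return {"id": assertion_id, "name_id": name_id, "issuer": issuer}


def rejection_reason(xml_text, now, seen_ids=None, **kwargs):
    """Return the rejection message, or None if the assertion is accepted."""
    try:
        validate_assertion(xml_text, now, set() if seen_ids is None else seen_ids, **kwargs)
    except SamlValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    cache = set()
    print(validate_assertion(SAMPLE_ASSERTION, "2024-05-01T12:01:00Z", cache))
    print(rejection_reason(SAMPLE_ASSERTION, "2024-05-01T12:01:00Z", cache))  # replayed ID
    print(rejection_reason(SAMPLE_ASSERTION, "2024-05-01T12:10:00Z"))         # expired
```

The replay cache only needs to remember IDs until their NotOnOrAfter time has passed, since anything older is rejected by the validity window anyway. Note also that this example parses with the standard library; in a real service provider, parse untrusted XML with a hardened parser and treat any assertion that fails signature verification as if it had never arrived.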
There are three cases in which an organization may use SAML authentication. Your organization may need any or all of the configurations.
Domino supports both SAML 1.1 and SAML 2.0. The SAML version you use depends partially on your choice of identity provider. SAML 2.0 is recommended unless your organization has a specific reason to use SAML 1.1. SAML 1.1 may be required to support single sign-on with specific applications.
Depending on the SAML version required by the participating applications, the following identity providers that support SAML can act as the IdP with which Domino is partnered:
Table 1. SAML versions supported by identity providers
The following versions are supported:
Note: Enabling SAML authentication may have unexpected results with RSS feeds if your organization uses them.
Compatibility
The following table lists client configurations with which SAML is not compatible or only partially compatible.
Table 2. Client configurations incompatible with SAML federated login
Procedure
Perform the following tasks.

Configuring basic SAML authentication for Web servers: Complete the following tasks to enable basic SAML authentication for Web servers.

Configuring ID vault servers for federated SAML login: Complete the steps in this section if you want to use Web federated login or Notes federated login. Once enabled, iNotes users and Notes client users, respectively, access the Notes ID file in the ID vault without being prompted for the password. If your IdP is ADFS, you can also configure Integrated Windows Authentication (IWA) so that iNotes users or Notes client users aren't prompted for the IdP name and password.

Enabling Web federated login: Enable Web federated login to allow iNotes users to perform secure operations such as signing and decrypting messages without being prompted for a Notes ID password.

Enabling Notes federated login: Enable Notes federated login to allow Notes client users to start Notes and perform secure operations without being prompted for a Notes ID password.

Enabling IWA (ADFS only): When Integrated Windows Authentication (IWA) is used, users on Windows clients are not prompted for the ADFS login name and password when they access servers on the corporate intranet. IWA is available for basic SAML authentication, Notes federated login, and Web federated login.

Generating a certificate to encrypt SAML assertions: Your organization may require SAML assertions to be encrypted if assertions include attributes that contain sensitive personal data, for example, social security numbers. Domino encrypts entire SAML assertions; partial encryption of specific attributes is not available.

Cautioning client users about SAML and logout: Domino and Notes do not support a single logout feature, so logging out of one Domino server or application does not end the user's session at the IdP, and a new assertion can be obtained without re-authenticating. If you configure SAML in your organization, make sure that your users employ safety measures at their desktops, such as locking the screen when leaving the workstation unattended, to prevent physical access to Notes and Domino resources.