SECURING


Using Security Assertion Markup Language (SAML) to configure federated-identity authentication

Federated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. In Domino® and Notes®, federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS.

About this task

SAML authentication allows a user to authenticate once with a designated identity provider (IdP), after which the user can access any server that is partnered with the IdP. Both Notes client and web client users can make use of SAML-based authentication. Authentication depends upon signed XML identity assertions. The result for the user is transparent authentication and single-sign on with one-time authentication for multiple Domino web servers and applications, as well as any third-party applications that are also partnered with the IdP. The IdP determines the method of the one-time authentication; it might prompt the user for a password, or use a non-password authentication methods such as Integrated Windows™ authentication (SPNEGO/Kerberos) for users within an intranet.

There are three cases in which an organization may use SAML authentication. Your organization may need any or all of the configurations.


The administrator can set up a Domino server to use SAML authentication by making it a partner with an on-premises federated-identity server such as Microsoft Active Directory Federation Services (ADFS). The ADFS server becomes the identity provider (IdP), and the Domino server is registered with it as a provider of the SAML authentication service.

Domino supports both SAML 1.1 and SAML 2.0. The SAML version you use depends partially on your choice of identity provider. SAML 2.0 is recommended unless your organization has a specific reason to use SAML 1.1. SAML 1.1 may be required to support single sign-on with specific applications.

Depending on the level of SAML required for participating applications, the following identity providers that support SAML could serve as the federation for which Domino is the partner:

Table 1. SAML versions supported by identity providers
Identity Provider (IdP)SAML Version
IBM® Tivoli® Access Manager/Tivoli Federated Identity Manager (TAM/TFIM)SAML 1.1 or SAML 2.0
Microsoft™ Active Directory Federation Services (ADFS).

The following versions are supported:

  • 2.0 (Provided with Windows Server 2008 R2)
  • 3.0 (Provided with Windows Server 2012 R2)
  • 4.0 (Provided with Windows Server 2016)
SAML 2.0 required

Note:

Enabling SAML authentication may have unexpected results with RSS feeds if your organization uses them.

Compatibility

The following table lists client configurations with which SAML is not compatible or only partially compatible.

Table 2. Client configurations incompatible with SAML federated login
If your organization uses...SAML is not recommended because...
Smartcard protected IDFederated login user IDs cannot be Smartcard protected IDs, because the ID vault required for Notes federated login cannot be used with a Smartcard protected ID.
Notes roaming user whose ID file is stored on the server in a roaming personal address book.Federated login users cannot be Notes roaming users whose IDs are stored in a roaming personal address book, because the ID vault required for Notes federated login cannot be used with Notes IDs stored in a roaming personal address book.
Notes on a USB deviceFederated login cannot be used with Notes on a USB device, because the ID vault required for Notes federated login cannot be used with Notes on a USB device.
Notes user IDs with multiple passwordsFederated login user IDs cannot be Notes user IDs with multiple passwords, because the ID vault required for Notes federated login and cannot be used with IDs that have multiple passwords.
Server-based password checking for Notes usersDisable this feature on server platforms when configuring all Notes users for Notes federated login. Password checking can be enforced for non-federated login users, but cannot be enforced for federated login users.
Notes Single Login component installed with the Notes clientThis configuration is not supported with Notes federated login.
Notes basic client, Domino administrator clientThese clients are not supported with Notes federated login. The Notes standard client is required.

Procedure

Perform the following tasks.


Parent topic: Securing