Enable Web federated login to allow iNotes users to perform secure operations such as signing and decrypting messages without being prompted for a Notes ID password.

Before you begin

Complete the following prerequisites:

• See the table of client configurations that are incompatible with federated login in the topicUsing Security Assertion Markup Language (SAML) to configure federated-identity authenticationFederated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. In Domino and Notes, federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS. .
• Complete all the steps in the section Configuring basic SAML authentication for Web serversComplete the following tasks to enable basic SAML authentication for Web servers..
• Complete all the steps in the section Configuring ID vault servers for federated SAML loginComplete the steps in this section if you want to use Web federated login or Notes federated login. After enabled, iNotes users and Notes client users, respectively, access the Notes ID file in the ID vault without being prompted for the password. If your IdP is ADFS, you can also configure Integrated Windows Authentication (IWA) so that iNotes users or Notes clients users aren't prompted for the IdP name and password. .

Before enabling Web federated login for all iNotes users, enable it for the test user you created for testing SAML authentication and test that Web federated authentication works for that user.

Procedure

1. In the Domino directory, open the existing Security Settings policy for users of your organization’s ID vault.

2. On the ID Vault tab, make sure there is an assigned vault.

3. Select the Password Management -> Federated Login tab.

4. Select Yes for Enable Web federated login with SAML IdP.

5. Select Set value whenever modified for How to apply this setting.

6. For iNotes deployments that have been upgraded to the current release, when the policy is initially being deployed, select Additional settings for Federated Login (Notes or Web) > Allow password authentication with the ID vault >Yes.

Note: After a user has been verified to be working with federated login, a recommended security improvement is to change Allow password authentication with the ID vault to No. When password authentication with the ID vault is not allowed, users are required to authenticate to the vault with federated login in order to download the user's ID for either Notes or Web use. Change Allow password authentication wih the ID vault to No only if it is the case that neither iNotes nor Notes should allow password authentication to the ID vault.

Results

For any iNotes® user to whom the policy applies, the settings for Notes federated login will be activated on the user's next login.

What to do next

Test Web federated loginAfter enabling Web federated login in the ID vault policy, do a test login.

Testing Web federated login
After enabling Web federated login in the ID vault policy, do a test login.

Related information
Creating and configuring an ID vault

Help on Help

All Help Contents

Help on Help