Complete the following Domino configuration that is required by SAML.
Single Sign-on
If users will access more than one Domino server or WebSphere and Domino servers, single sign-on is required. Configure single sign-on and test that it works before configuring SAML authentication. Using multi-server session authentication rather than single-server session authentication is a best practice. For more information, see Multi-server session-based authentication (single sign-on).
TLS certificate
If your users require secure HTTPS connections for accessing the Domino server, or if you have mobile clients, configure a valid TLS certificate on the Domino Web servers. The certificate should be generated from a Certificate Authority (CA) rather than be self-signed; most current browsers do not support self-signed certificates. For more information, see Managing TLS certificates with Certificate Manager.
Note: If you use only Notes federated login and not basic Web SAML authentication or Web federated login, a TLS certificate is not required on Domino servers. With Notes federated login, neither the Notes client nor the ADFS servers connect to the Domino server over HTTPS.
Security settings
Configure the following security settings:
Because SAML configuration requires cooperating configuration for Domino and for the identity provider (IdP), the Domino Web server configuration should first work correctly on its own, independently of an IdP. Therefore, before configuring SAML, consider setting up the Domino HTTP server for single-server session authentication. This task includes configuring Domino so that a Web user can log in (for example, the Domino administrator that was registered in the Domino Directory during Domino server setup). After you are able to log in as this administrator and successfully browse to URLs on the Domino server, the server is ready for SAML configuration and enablement.
Clock synchronization
Important: SAML authentication includes timestamps. Ensure that the SAML IdP computer and the Domino SAML service provider computer have their clocks synchronized so that these computers share the same notion of current time. If clocks are too far out of sync, a SAML assertion may be rejected because the assertion appears to have an invalid time. This is particularly problematic if the IdP machine time is ahead of the Domino server time, so that Domino rejects an assertion which appears to specify a future time.
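The following Python script is an added illustration of the clock-skew failure mode described above; it is not HCL Domino code and does not show how Domino itself validates assertions. It parses the NotBefore and NotOnOrAfter attributes of a constructed SAML 2.0 Conditions element and checks them against a service provider clock reading, first with no tolerance and then with a small configurable tolerance. The assertion XML, the issuer and audience URLs, the clock values and the tolerance are all constructed for the example.

```python
"""Check a SAML assertion's validity window against the service provider's clock.

Added example (not Domino code). It shows why an IdP clock that runs ahead of the
Domino (service provider) clock produces an assertion whose NotBefore lies in the
SP's future, and how a small skew tolerance handles that case.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed minimal assertion: the IdP stamped it valid from 12:00:00 to 12:05:00 UTC.
# Issuer and audience URLs are placeholders, not real hosts.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://domino.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing 'Z'; return a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_window(assertion_xml: str):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no usable Conditions element")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def check_assertion_time(assertion_xml: str, sp_now: datetime,
                         skew_tolerance: timedelta = timedelta(0)):
    """Evaluate the validity window as seen from the service provider's clock.

    sp_now is the Domino-side clock reading. Returns (accepted, reason).
    The assertion is valid when NotBefore <= now < NotOnOrAfter; the tolerance
    widens that window symmetrically to absorb small clock differences.
    """
    not_before, not_on_or_after = conditions_window(assertion_xml)
    if sp_now + skew_tolerance < not_before:
        return False, "NotBefore lies in the future relative to the SP clock"
    if sp_now - skew_tolerance >= not_on_or_after:
        return False, "assertion has expired relative to the SP clock"
    return True, "within validity window"


def demo():
    """Walk through the three clock relationships discussed in the text."""
    utc = timezone.utc
    scenarios = [
        ("clocks in sync",            datetime(2024, 1, 1, 12, 0, 30, tzinfo=utc), timedelta(0)),
        ("SP 2 min behind IdP",       datetime(2024, 1, 1, 11, 58, 30, tzinfo=utc), timedelta(0)),
        ("SP 2 min behind, 3 min tol", datetime(2024, 1, 1, 11, 58, 30, tzinfo=utc), timedelta(minutes=3)),
        ("SP 6 min ahead of IdP",     datetime(2024, 1, 1, 12, 6, 0, tzinfo=utc), timedelta(0)),
    ]
    results = {}
    for label, sp_now, tol in scenarios:
        accepted, reason = check_assertion_time(SAMPLE_ASSERTION, sp_now, tol)
        results[label] = accepted
        print(f"{label:28s} -> {'ACCEPT' if accepted else 'REJECT'}: {reason}")
    return results


if __name__ == "__main__":
    demo()
```

The second scenario is the case the text singles out: the IdP is ahead of the service provider, so an assertion issued "now" by the IdP carries a NotBefore that the Domino side has not reached yet. Synchronizing both machines to the same time source removes the problem at its root; a tolerance only papers over small residual drift and should stay small, since every second of tolerance also extends how long a captured assertion remains acceptable.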
For information on NOTES.INI settings that may avoid clock skew, see the following articles in the Notes and Domino wiki:
Preparing to access the ID vault with SAML
For Web federated login, Notes federated login, or Nomad federated login, an ID vault must be set up and participating users must have IDs in the vault.
Configuring directory name mapping (ADFS only)
If you use ADFS, you may need to configure directory name mapping between Domino and Active Directory.