Domino SingleSignOn - Level 5 - SAML Federated Authentication for Browser Clients using ADFS
Thomas Hampel
20 February 2017
This is the fifth post of a series of blog posts describing how to move from password-based to seamless authentication.
In previous posts I've been discussing LDAP and SPNEGO configurations, which work well for Windows environments but are not sufficient for mixed or very distributed environments.
The next stage is to enter the 21st century by using SAML authentication for your on-premises servers.
Level 5 - SAML Federated Authentication for Browser Clients
SAML authentication (Security Assertion Markup Language) allows browser clients to authenticate against Domino without submitting credentials to the Domino server.
When a browser client tries to access a Domino resource (i.e. a web site) where SAML is enabled, Domino refers the browser to the SAML Identity Provider configured for this web site.
The Identity Provider (e.g. IBM Federated Identity Manager or Microsoft Active Directory Federation Services server) will authenticate a user either by prompting for username & password, or by using seamless authentication such as Windows integrated authentication / Kerberos. In both cases the authentication authority remains with the Identity Provider, so that's where you define how a user is authenticated (WIA, two-factor authentication, etc.).
The default scenario for an identity-provider-initiated logon is a web page provided by the ADFS server where users can select which resource they want to sign in to.
It is also possible to initiate the authentication from the service provider: when Domino needs to authenticate a browser user, it redirects the user to the identity provider.
With ADFS it is also possible to add a URL parameter to the IdP-initiated sign-on page that redirects the authenticated user to another site:
https://your-adfs-server.company.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://domino.company.com/names.nsf
Pros and Cons
+ Seamless authentication for browser clients
+ Independent from operating system of server
- Doesn't work for Traveler
- This blog post only covers browser clients, not the Notes client.
Idea and Concept
For a better understanding of SingleSignOn, SPNEGO and SAML, please see Gabriella's presentation Simplifying The S's: Single Sign-On, SPNEGO and SAML
Prerequisites
- You have completed Level 1 - LDAP Authentication
- The Domino server must be running version 9.0.1 or above and, to be on the safe side, should have a current fix pack / feature pack applied
- Microsoft ADFS 2.0 or 3.0 server (or any other supported SAML Identity Provider)
- SSL is enabled on Domino and the ADFS server
- The Active Directory user object must have an attribute (e.g. internet address) in common with the Domino Directory person document of the Notes user.
- All servers involved in SAML authentication must use time synchronization, because SAML relies on the time stamps in the assertion being correct.
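The two prerequisites above (a shared attribute for mapping the user, and correct clocks) are exactly what the service provider side of the flow described earlier depends on: the IdP returns a signed assertion carrying the user's NameID and a validity window, and the relying party must check that window, the audience and the issuer before mapping the NameID to a person document. The following is an added illustration of those checks written for this post; it is not Domino's code (Domino does this internally, together with signature verification and the SAML binding, which are left out here). The assertion, hostnames and the directory mapping are constructed sample data, and the two-minute clock tolerance is an assumed value.

```python
"""Relying-party checks on a SAML 2.0 assertion (illustration, not Domino's code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an abbreviated, unsigned assertion of the kind an IdP
# such as ADFS returns for the relying party. Hostnames are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2017-02-20T10:00:00Z">
  <saml:Issuer>http://adfs.company.example/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">JDoe@company.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-02-20T09:59:00Z" NotOnOrAfter="2017-02-20T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://domino.company.example/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

# Constructed stand-in for the Domino Directory: internet address -> Notes name.
PERSON_DOCUMENTS = {
    "jdoe@company.example": "CN=John Doe/O=Company",
}


def parse_saml_time(value):
    """Parse the UTC timestamps SAML uses (fractional seconds, if present, are dropped)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract the fields a relying party checks before accepting the assertion."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", SAML_NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "not_before": parse_saml_time(conditions.get("NotBefore")),
        "not_on_or_after": parse_saml_time(conditions.get("NotOnOrAfter")),
        "audiences": [a.text for a in
                      conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)],
    }


def check_assertion(assertion, expected_issuer, expected_audience, now,
                    skew=timedelta(minutes=2)):
    """Return the reasons to reject the assertion; an empty list means it is acceptable.

    `skew` is the tolerated clock difference between IdP and relying party.
    A relying party whose clock is off by more than that rejects every
    assertion, which is why the post requires time synchronization.
    """
    problems = []
    if assertion["issuer"] != expected_issuer:
        problems.append("issuer mismatch")
    if expected_audience not in assertion["audiences"]:
        problems.append("audience mismatch")
    if now < assertion["not_before"] - skew:
        problems.append("not yet valid (NotBefore in the future; check clock sync)")
    if now >= assertion["not_on_or_after"] + skew:
        problems.append("expired (NotOnOrAfter passed; check clock sync)")
    return problems


def map_to_person(name_id, directory=PERSON_DOCUMENTS):
    """Resolve the asserted internet address to a Notes name, case-insensitively."""
    return directory.get(name_id.lower())


def evaluate(xml_text, expected_issuer, expected_audience, now_text, skew_minutes=2):
    """Parse, check and map in one step; `now_text` is a SAML-style UTC timestamp."""
    assertion = parse_assertion(xml_text)
    problems = check_assertion(assertion, expected_issuer, expected_audience,
                               parse_saml_time(now_text), timedelta(minutes=skew_minutes))
    person = map_to_person(assertion["name_id"]) if not problems else None
    return problems, person


if __name__ == "__main__":
    issuer = "http://adfs.company.example/adfs/services/trust"
    audience = "https://domino.company.example/"
    for clock in ("2017-02-20T10:02:00Z", "2017-02-20T09:50:00Z", "2017-02-20T10:30:00Z"):
        print(clock, evaluate(SAMPLE_ASSERTION, issuer, audience, clock))
```

The three clocks in the usage block show an in-sync relying party (accepted, mapped to the Notes name), one running ten minutes slow (assertion "not yet valid") and one ten minutes fast (assertion "expired"); in the latter two cases the user is never mapped, which is the symptom a clock-skew problem produces in practice.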
How to configure SAML for Domino
Andy Pedisich did a great job in pulling together all required information in his IBM Connect presentation SHOW100 - AD + SAML + Kerberos + IBM Notes and Domino = SSO!
Since the presentation already covers all the details, I'm only going to highlight the main actions:
- Set up and configure a SAML Identity Provider, e.g. a Microsoft ADFS server or a free alternative
- Create and configure the IDP Catalog (idpcat.nsf) - slide #32
- Create a Relying Party Trust in ADFS
- Update Internet Site Configuration to use SAML for session authentication instead of Multi Servers (SSO)
Result:
Seamless authentication works as before, but now with ADFS as the identity provider.
Domino servers never see the users' usernames or passwords; your security folks will like that.
This is the foundation for your ADFS admin to establish Multi-Factor Authentication based on ADFS / SAML.
References: