Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?

Feeds

Archives

April 2025 (1)
January 2025 (1)
December 2024 (1)
November 2024 (2)
October 2024 (2)
September 2024 (1)
July 2024 (1)
May 2024 (2)
April 2024 (3)
March 2024 (1)
February 2024 (2)
January 2024 (5)
December 2023 (3)
November 2023 (2)
October 2023 (1)
September 2023 (4)
June 2023 (1)
April 2023 (3)
March 2023 (1)
February 2023 (1)
July 2022 (1)
September 2021 (1)
August 2021 (2)
May 2021 (1)
February 2021 (3)
January 2021 (1)
November 2020 (1)
October 2020 (2)
September 2020 (2)
March 2020 (1)
November 2019 (1)
August 2019 (1)
July 2019 (1)
March 2019 (1)
December 2018 (1)
November 2018 (1)
October 2018 (1)
September 2018 (1)
May 2018 (1)
January 2018 (1)
December 2017 (1)
November 2017 (1)
September 2017 (1)
March 2017 (2)
February 2017 (5)
November 2016 (1)
September 2016 (4)
April 2016 (1)
March 2016 (7)
January 2016 (1)
December 2015 (1)
November 2015 (3)
August 2015 (1)
July 2015 (2)
June 2015 (5)
May 2015 (5)
March 2015 (3)
February 2015 (2)
January 2015 (4)
December 2014 (3)
November 2014 (1)
September 2014 (4)
August 2014 (1)
May 2014 (4)
April 2014 (1)
March 2014 (2)
February 2014 (3)
January 2014 (2)
October 2013 (1)
September 2013 (1)
August 2013 (2)
July 2013 (2)
March 2013 (2)
February 2013 (4)
January 2013 (3)
December 2012 (2)
November 2012 (1)
October 2012 (2)
September 2012 (4)
August 2012 (3)
July 2012 (1)
June 2012 (6)
May 2012 (1)
February 2012 (2)
January 2012 (1)
December 2011 (4)
November 2011 (2)
September 2011 (1)
May 2011 (2)
March 2011 (1)
January 2011 (1)
November 2010 (5)
October 2010 (2)
September 2010 (2)
August 2010 (1)
July 2010 (3)
June 2010 (1)

Domino SingleSignOn - Level 5 - SAML Federated Authentication for Browser Clients using ADFS

Thomas Hampel
 20 February 2017

This is the fifth post our of a series of blog posts describing how to move from password based to seamless authentication.
In previous posts I've been discussing LDAP and SPNEGO configurations which is okay for Windows environments, but not sufficient enough for mixed or very distributed environments.
Next stage is to enter the 21st century by using SAML authentication for your on premises servers.

Level 5 - SAML Federated Authentication for Browser Clients

SAML authentication - Security Assertion Markup Language - allows Browser clients to authenticate against Domino without submitting credentials to the Domino server.
When a browser client is trying to access a Domino resource (=Web site) where SAML is enabled, Domino will refer the browser to the SAML Identity Provider configured for this web site.
The Identity Provider (e.g. IBM Federated Identity Manager or Microsoft Active Directory Federation Services server) will authenticate a user either by prompting for username & password, or by using seamless authentication such as Windows integrated authentication / Kerberos. In both cases the authentication authority remains with the Identity Provider so thats where you define how a user is authenticated (WIA, 2FactorAuth, etc.).

Default scenario for an identity provider initiated logon is a web page proided by the ADFS server where users can select what resource they want to sign in to.
Image:Domino SingleSignOn - Level 5 - SAML Federated Authentication for Browser Clients using ADFS
it is also possible to initiate the authentication from the service provider. When Domino needs to authenticate a browser user, it will redirect the user to the identity provider.
Using ADFS it is possible to add an URL parameter that will redirect the authenticated user to another site.
https://your-adfs-server.company.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://domino.company.com/names.nsf

Pros and Cons

+ Seamless authentication for browser clients
+ Independent from operating system of server
- Does'nt work for Traveler
- This blog post only handles browser clients, but not the Notes client.

Idea and Concept

For a better understanding of the SingleSignOn SPNEGO and SAML please see Gabriella's presentation Simplifying The S's: Single Sign-On, SPNEGO and SAML

Prerequisites
  • You have completed Level 1 - LDAP Authentication
  • Domino Server must be running version 9.0.1 or above and -to be on the safe side- should have a current fix / feature pack applied
  • Microsoft ADFS 2.0 or 3.0 server (or any other supported SAML Identity Provider)
  • SSL is enabled on Domino and the ADFS server
  • Active Directory User Object must have an attribute (e.g. internet address) in common with the Domino Directory person document of the Notes user.
  • All servers involved in SAML authentication must use time synchronization because SAML depends on time stamps to be correct.

How to configure SAML for Domino

Andy Pedisich did a great job in pulling together all required information in his IBM Connect presentation SHOW100 - AD + SAML + Kerberos + IBM Notes and Domino = SSO!
Since the presentation already covers all the details, I'm only going to highlight the main actions
  • Set up and Configure a SAML Identity provider, e.g. Microsoft ADFS Server or a free alternative  
  • Create and configure the IDP Catalog (idpcat.nsf) - slide #32
  • Create a Relying Party Trust in ADFS
  • Update Internet Site Configuration to use SAML for session authentication instead of Multi Servers (SSO)
    Image:Domino SingleSignOn - Level 5 - SAML Federated Authentication for Browser Clients using ADFS
Although Andy's presentation includes more details on using SAML for the Notes client, I am keeping this blog post limited to browser clients as I will be publishing a blog post just for SAML authentication in the Notes client shortly.

Result:

Seamless authentication works fine as before but now using ADFS as identity provider.
Domino servers will never get the username/password of the users - your security folks will like that.
This is the foundation for establishing Multi-Factor Authentication based on ADFS / SAML by your ADFS admin.

References:
Comments [0]
Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.