1. Deploying the ID vault and security policy for Notes federated login
If the Domino ID vault and a security policy do not already exist, the vault administrator creates the vault to support federated login for Notes client users, as well as a security policy to apply to such users. It is also recommended that the administrator log in as a test user to test the deployment of the vault before completing the next task for configuring federated login.
2. Setting up the SAML identity provider and federation
Decide whether your organization will use Microsoft™ ADFS or IBM® Tivoli® Federated Identity Manager (TFIM) as the identity provider for Domino and Notes, and then follow all instructions to set up your TFIM federation or ADFS Relying Party Trust to support SAML authentication for Notes federated login. The tasks you must accomplish include creating the SAML federation and exporting the IdP information to a metadata file.
3. Enabling the Domino ID vault server to support Notes federated login
The Domino administrator specifies SAML configuration settings for Notes federated login in IdP Configuration document(s) in the IdP Catalog (idpcat.nsf) application.
4. Configuring the ID vault for Notes federated login
The Domino ID vault administrator sets up the vault to specify the name of the IdP Catalog document for the SAML identity provider (IdP).
5. Using a security settings policy to apply a Notes federated login configuration to client users
After SAML-based federated login is configured on your Domino server and identity provider (IdP), you assign its use to Notes client users through the security settings policy.
6. Using Notes federated login in combination with Notes Shared Login to support offline users (Windows only)
If your organization uses Windows™ for your Notes clients, you can configure Notes federated login in combination with the Notes shared login feature. Notes shared login ensures that the user is not prompted for an ID file password, and it is required when the Notes client operates offline, because SAML authentication to the IdP can only take place while the client is online. If the Notes client ID file is missing from the desktop, Notes federated login uses SAML authentication to retrieve the user's ID file from the vault (again, the client must be online for this to succeed).
7. Cautioning client users about SAML and logout
Domino and Notes do not support a single logout feature: logging out of Notes does not end the user's session at the IdP, and logging out at the IdP does not close Notes. If you configure SAML in your organization, make sure that users lock or log off their desktops whenever they step away, so that no one else can gain physical access to Notes and Domino resources through their authenticated session.