Proving that Domino can integrate with several other technologies is something we do on a regular basis, just to show the customers that Domino is an open platform.
For authentication, we did already several SSO configurations between Domino Directory and MS Active Directory by using ADFS and SAML authentication.
We now have a question from a customer that is using O365 heavily. They have Domino running with some applications that are integrated in Sharepoint and they use the HCAA Notes client for certain users that need to open the Domino databases in a client. 2 years ago we have set up an ADFS infrastructure with an ADFS Proxy for external access and configured SSO between Domino and Active Directory for web access and HCAA access so that users can log in in the applications with their Microsoft credentials.
The customer has a synchronization set up between Active Directory and Azure Active Directory and wants to migrate the Domino SSO from on-prem ADFS to Azure AD.
In the beginning, Domino supported only a certain set of Identity Providers, although we managed to set up SSO between Domino and other non-supported IDPs successfully 🙂
Now Domino officially supports Azure Active Directory as an Identity Provider (IDP) so I thought we have no excuse to set up what the customer wants. Before setting this up at the customer, I’ve set up a test environment at GroupWave with an SSL protected site and of course I’m sharing the technical details with whomever is interested because that’s just what HCL Ambassadors do 🙂
Azure Active Directory (AAD) settings
To be able to manage AAD you need to go the Azure Active Directory Admin center, https://aad.portal.azure.com Click on Enterprise applications and then on New Application to be able to register the Domino website as as an application
Create your own application
Fill in a name that you choose and select to register the application to integrate with AAD and click the create button
Once the application is created, you will be directed to the configuration page of the application.
Click on Set up single sign on and choose for SAML authentication.
You will have to fill in the URL of the application that you want to link, this is the URL of your Domino internet site. As an attribute you can go with the defaults, you need to be sure that user.mail is in there so that you use the internet mail address as a unique identifier between the two directories.
Download the federation Metadata XML file
Assign a test user or a group to your application so that they can authenticate
Go to your Domino Administrator client and create and IDP Catalog database on your server. Make sure you give it the name idpcat.nsf and select Show Advanced templates to be able to see the IdP Catalog template in the list.
In the IdP Catalog database, click on Add IdP Config and fill in the following fields
In the hostname field, fill in the name of the internet site and the IP Address that you use
In the Service Provider ID fill in the URL of the site In the IdP name field you may fill in a name as a reference for yourself, this field is just a comment.
Click on the button Import XML file and browse to the XML file you downloaded from your Enterprise Application.
This import will fill in the Single sign-on service URL Field and the fields on the Advanced tab of the configuration document.
Save the document with Ctrl-S to be able to go to the next step. On the certificate Management tab, click on the button Create SP Certificate
You will be asked to fill in a Company name, you may fill in whatever you want
Double click in the IdP Configuration document and fill in the Domino URL, in this case HTTPS://calendar.groupwave.be
Click on the button Export SP XML and you will see the ServiceProvider.xml file getting attached to the document. Save and Close the document and go to your internet sites view to change the affected site.
In your internet site document, go to the tab Domino Web Engine and change the Session authentication type to SAML
When you click on the button Open IdP Configuration, you will be redirected to the correct IdP Configuration document that you created.
Save and close you Internet site document and restart the HTTP Task on your Domino Server.
Open up your browser and surf to the URL of your application. In this case it is https://calendar.groupwave.be You will see that you get redirected to Office 365 and if you were already logged in, than you will be redirected to Domino.
Andy Higgins said:
This functionality is nice and has worked for some time – I have used this to set up SAML SSO with Domino and O365. However, they are couple of limitations that I would like to see HCL fix:
1. There is no support on the Domino side for a Single Logout SAML option, so it’s not a clean logout when you leave – there is a “HCL idea” ticket open on this:
2.There is no Domino security support for access to the Domino DB’s i.e. no support of ACLs, which would be nice… IMHO, this could be done using the SAML assertions which would allow hierarchical names to be passed over and then used by ACL access:
LikeLiked by 1 person
Hi Andy, I don’t quite understand your second point. You use the email address as a unique ID to identify the AD user and match it with the Domino user. Once this match is done, you can use this hierarchical name in ACL verification, no ?
Dagfinn Rasmussen said:
Thanks for making this post.
This worked flawlessly when testing out the guide, but one question..
Is there any way to also enable Domino login? We provide our software portfolio to a wide range of customer and also want the ability to log in with a domino admin user that is not linked to 365.
you can create a website rule to Override Session Authentication and link it for instance to /admin
Dagfinn Rasmussen said:
Dagfinn Rasmussen said:
Have anyone solved redirect to the correct place ?
For example if we have a mail notification with a link to a document and you click it, it first authenticates and then redirects to the base URL and not the actual document.