Enable Notes federated login so that Notes client users can start Notes and perform
secure operations without being prompted for a Notes ID password.
Before you begin
Complete the following prerequisites:
Procedure
- In the Domino Directory,
open the existing Security Settings policy for users of your organization’s
ID vault.
- On the ID Vault tab, make sure there
is an assigned vault.
- Select the tab.
- Select Yes for Enable Notes federated login
with SAML IdP.
- When the policy is first deployed to client users who have upgraded to 9.0.1 Social Edition,
under Additional settings for Federated Login (Notes or Web), select Yes
for Allow password authentication with the ID vault.
Tip: After a user has been verified to be working with federated login, change
Allow password authentication with the ID vault to No; this is a recommended
security improvement. While the setting is Yes, the Notes password remains an
alternative path to the user's ID in the vault, so the IdP is not the only way
to obtain it. When password authentication with the ID vault is not allowed,
the user must authenticate to the vault with federated login in order to
download the user's ID for either Notes or Web use. Because this policy setting
controls both Notes and Web behavior with the ID vault, change it to No only if
federated login is to be used exclusively.
- Optional: Create custom messages for users
to notify them when federated login is either enabled or disabled.
- Select the Keys and Certificates tab.
- To add the Notes certifier to the policy, in the
Administrative Trust Defaults section, click Update
Links.
- Choose Selected supported and click OK.
- Click the Notes Certifiers tab, select the certificates which signed the
IDs of the Notes users, and click OK.
Note: If the IDs are signed by an Organization Unit (OU) certificate, include all certificates in
the hierarchy, including the Organizational certificate.
- Click the Internet Cross Certificates tab, select the cross certificate
from the Notes root certifier to the certificate exported from either ADFS or TFIM 2.0, and click
OK.
- Click the Internet Certificates tab, select the SSL certificate exported
from either ADFS or TFIM 2.0, and click OK.
- Verify that a chain of at least three certificates is shown (more if there are organization
unit certificates): the Notes certifier at the top, the internet cross certificate in the middle,
and the internet certificate at the bottom. For example:
- Optional: Enter a formula under Machine
specific formula to apply the policy to specific computers
for clients who have multiple computers.
- Save and close the security policy.
- From the Domino Administrator, open the ID vault
application (idvault.nsf), which by default is stored in the
IBM_ID_VAULT directory. Complete the following steps:
- From the Configuration view, open the vault document for the vault that will be configured for
SAML authentication.
- In the field Notes federated login approved IdP configurations, enter
the host name from the Host names or addresses mapped to this site field of
the ID vault server IdP configuration document, for example
vault.domino1.us.renovations.com.
- Click Save & Close.