IBM Support

LO92969: ENHANCEMENT REQUEST OVERRIDE SESSION AUTHENTICATION TO WORK WITH SAML


APAR status

  • Closed as fixed if next.

Error description

  • Enhancement request: Override Session Authentication to work
    with SAML.
    The customer is requesting an enhancement so that Override
    Session Authentication works with SAML.
    
    When SAML is enabled for an Internet Site, "Override Session
    Authentication" rules are not honored.
    
    For example, if a rule has been created for all URLs matching
    */api/* to force basic authentication for DAS access on the
    SAML-enabled site, Domino will always force SAML authentication
    and disregard this rule.
    
    A workaround is to create a second site dedicated to basic
    authentication; however, this is not always the desired setup.
    
    Tested on:
    
    IBM Domino (r) Server (64 Bit) (Release 9.0.1FP8 HF238 for
    Windows/64)
    
    Currently, product documentation indicates that this behaviour
    is working as designed, as per the reference below.
    The presentation indicates that it is required to have
    different Internet sites for SAML-enabled and non-SAML-enabled
    users.
    
    The presentation also indicates that if multiple sites on the
    Domino server need to be SSL protected, each one needs its
    HTTPS URL, each one needs its own SSL Keyring.kyr file,
    and each one needs its own IP address.
    
    
    Reference
    
    https://connections.sutol.cz/files/basic/anonymous/api/library/35ab8921-e65e-4418-b7e6-3777f2075a1b/document/da91074b-2210-4696-b6e0-5f1c24814654/media/Single.
    
    JMP105 JumpStart:
    Single Sign-on (SAML)
    Administration Basics
    IBM Page 33 of 41
    
    
    Domino Internet site for SAML
    
    Domino administrator:
      - Creates and deploys the idpcat.nsf
      - Decides the security configuration per deployed Internet
        site.
    Example deployment:
      - Internet Site for users who should not be authenticated by
        SAML.
        URL https://domino1-login.us.renovations.com/
      - Internet Site for users in Active directory who should be
        authenticated by ADFS IdP.
        URL https://domino1.us.renovations.com/
    

Local fix

  • It is required to have different Internet sites for
    SAML-enabled and non-SAML-enabled users.
    

Problem summary

  • This APAR is closed as FIN. We have deferred the fix to a
     future release.
    

Problem conclusion

Temporary fix

Comments

  • This APAR is associated with SPR# BBSZAQWL5U.
    This APAR is closed as FIN. We have deferred the fix to a
     future release.
    

APAR Information

  • APAR number

    LO92969

  • Reported component name

    DOMINO SERVER

  • Reported component ID

    5724E6200

  • Reported release

    901

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-09-05

  • Closed date

    2018-04-03

  • Last modified date

    2018-04-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
03 April 2018