Cautioning client users about SAML and logout

Domino® and Notes® do not support a single logout feature, so if you configure SAML in your organization, make sure that your users employ safety methods at their desktops to prevent physical access to Notes and Domino resources.

IdP login and logout details

If a SAML IdP is configured to continuously remember that a user has logged in on a particular machine, the IdP may leave cookies or set other state to identify the user. Notes/Domino logout mechanisms do not affect the IdP, or the state of the user's desktop containing user information set by the IdP.

After a user has logged in to the SAML IdP, the IdP may seamlessly provide SAML assertions on behalf of the user to be accepted for authentication by a Domino server configured as a SAML SP. It is critical that the end user's computer is secured (for example, using an operating system "Lock computer" feature or password-protected screen saver) to prevent someone from walking up to the user's unattended machine and gaining access to Notes/Domino resources.

Especially for Domino web users sharing one desktop, there is potential for confusion at the IdP. Once a user has logged in at the IdP, the IdP might assume any subsequent usage is a continuation by the same user. This scenario can be avoided if multiple users at one desktop are required to log in as separate users to the operating system, and if the IdP is configured to authenticate any user by integrated Windows™ authentication using SPNEGO/Kerberos (IWA). If IWA is used at the IdP, the IdP will not confuse the users who have logged in separately to the operating system.