Preparing Active Directory Federation Services (ADFS)

If your IdP is Microsoft™ Active Directory Federation Services (ADFS), complete these steps to prepare ADFS for use with Domino®. Make sure you meet the following requirements before you configure SAML in Domino.

About this task

These steps are based on ADFS 4.0 and may vary if you use an earlier version.

Procedure

  1. Verify that you meet the following requirements:
    • One of the following versions of ADFS installed and configured:
      • 2.0 (Provided with Windows Server 2008 R2)
      • 3.0 (Provided with Windows Server 2012 R2)
      • 4.0 (Provided with Windows Server 2016)
    • A Secure Sockets Layer (SSL) certificate on the ADFS server that is signed by a Certificate Authority (CA). The CA root cert should be deployed by a domain policy to clients, an ADFS best practice.
    • The following components must be in the same Active Directory domain, unless Active Directory trust relationships are in place:
      • ADFS server
      • User records
      • Client computers from which users log in. (Integrated Windows™ Authentication only)
  2. Verify that your ADFS server is operational. For steps, see the Microsoft article Verify That a Federation Server Is Operational.
  3. Go to https://<ADFS server hostname>/adfs/ls/IdpInitiatedSignon.aspx and test that a user can log in.
    • If you see the error This page cannot be displayed, enable the IdP-initiated sign-on page:
      1. In a Windows PowerShell on the ADFS server, run the following command:
        Get-AdfsProperties
      2. See if the line EnableIdpInitiatedSignonPage in the output is False:
        EnableIdpInitiatedSignonPage    :False
      3. If the value is False, run the following command to set it to True:
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
      4. Run the following command to confirm the change:
        Get-AdfsProperties
      5. Restart the ADFS service.
    • If you are unable to log in with Internet Explorer, verify that the browser is enabled for Integrated Windows Authentication:
      1. In Internet Options > Advanced, verify that the security setting Enable Integrated Windows Authentication is checked.
      2. In Internet Options > Security, click Sites and then Advanced. Add the ADFS server URL (https://<ADFS server>) to the list of websites.
  4. Verify that the content of the following two fields matches for each user:
    • The Internet address field in the Domino directory Person document.
    • The E-mail field in the user ADFS properties box.
    Note: User login names are not the same as their email addresses, though they can look like email addresses.
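The following script is an added example, not part of the HCL documentation: run in an elevated PowerShell session on the ADFS server, it performs the check in step 3 (enable the IdP-initiated sign-on page only if it is disabled, restart the service, confirm the change and that the sign-on URL responds) and adds a helper for step 4 that reads a user's E-mail attribute so it can be compared with the Internet address in the Domino Person document. The hostname, the user name and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the HCL documentation). Assumptions: run on the ADFS
# server as an administrator; $AdfsHost is a placeholder for your ADFS hostname;
# the ActiveDirectory module is installed for the step-4 helper.
param(
    [string]$AdfsHost = 'adfs.example.com'   # placeholder hostname
)

# Step 3: enable the IdP-initiated sign-on page only when it is currently False.
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    Write-Host "EnableIdpInitiatedSignonPage is False; enabling it."
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    # The new setting is applied once the ADFS service (adfssrv) restarts.
    Restart-Service -Name adfssrv
} else {
    Write-Host "EnableIdpInitiatedSignonPage is already True; nothing to change."
}

# Confirm the change took effect, as in sub-step 4 of the procedure.
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    throw "EnableIdpInitiatedSignonPage is still False after Set-AdfsProperties."
}

# Check that the sign-on page used in step 3 actually loads (HTTP 200).
$url = "https://$AdfsHost/adfs/ls/IdpInitiatedSignon.aspx"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Host "$url returned HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "Could not load $url : $($_.Exception.Message)"
}

# Step 4 helper: return the E-mail (mail attribute) of an AD user so it can be
# compared with the Internet address field of the Domino Person document.
function Get-AdfsUserMail {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $SamAccountName -Properties mail
    if (-not $user.mail) {
        Write-Warning "$SamAccountName has no E-mail value; SAML user matching will fail."
    }
    return $user.mail
}

# Example call with a placeholder user name; compare the result with the
# Internet address shown in that user's Domino Person document.
Get-AdfsUserMail -SamAccountName 'jdoe'
```

The login name passed to Get-AdfsUserMail is deliberately separate from the E-mail value it returns, matching the note above that login names and email addresses are not the same field.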