Enabling Nomad federated login

After setting up a Relying Party Trust, enable Nomad federated login in the Security Settings policy used for the ID vault and in the ID vault document.

Before you begin

  • Before you enable Nomad federated login for all Nomad users, consider applying the Security Settings policy to a single test user first and verifying that Nomad federated login works for that user.
  • In any security policies that are applied to Nomad users whom you plan to include in Nomad federated login, disable synchronizing the Notes® client password with the Internet password.
  • See the table of client configurations that are incompatible with federated login in the topic Using Security Assertion Markup Language (SAML) to configure federated-identity authentication.

Procedure

  1. Enable Nomad federated login in the Security Settings policy:
    1. In the Domino® Directory, open the Security Settings policy used for Nomad users and assigned to your organization’s ID vault.
    2. Select the ID Vault tab and verify that there is an assigned vault used by Nomad federated login.
    3. Select the Password Management > Federated Login tab.
    4. Select Yes for Enable Nomad federated login with SAML IdP.
      Note: Uncheck (clear) the Don't set this Value field, which is checked by default.
    5. Under Additional settings for Federated Login, select Yes for Allow password authentication with the ID vault.
      Tip: After federated login has been verified to work for a user, changing Allow password authentication with the ID vault to No is a recommended security improvement. When password authentication with the ID vault is not allowed, the user must authenticate to the vault through federated login to download the user's ID, so the ID can no longer be retrieved with a password alone. Because this policy setting controls Notes, Nomad, and Web behavior with the ID vault, change the setting to No only if federated login is to be used exclusively.
      Note: You may need to select Enable Web Federated login with SAML IdP to see this option.
    6. Select the Keys and Certificates tab and complete the following steps to add the Notes® certifier of the Nomad users to the policy.
      Note: If Notes federated login is enabled for users who are also Nomad users, this step is completed already and you can skip it.
      1. In the Administrative Trust Defaults section, click Update Links.
      2. Choose Selected supported and click OK.
      3. Select the Notes Certifiers tab, select the Organization certificates that signed the IDs of the Nomad users, and click OK.
      Note: If the IDs are signed by an Organization Unit (OU) certificate, include all certificates in the hierarchy, including the Organizational certificate.
    7. Click Save & Close.
  2. Enable Nomad federated login in the ID vault document:
    1. From the Domino® Administrator, open the ID vault application (idvault.nsf), which by default is stored in the IBM_ID_VAULT directory.
    2. From the Configuration view, open the vault document for the vault that contains the Nomad user IDs.
    3. In the field Nomad federated login approved IdP configurations, enter the value specified in the Host names or addresses mapped to this site field of the IdP Configuration document created for Nomad federated login. For example, nomad.vault.safelinx.renovations.com.
      Note: The nomad.vault. prefix is required; Nomad federated login does not work without it.
    4. Click Save & Close.

What to do next

Complete the procedure Exporting Notes certificates to a deploy.nsf file.