Nomad federated login configuration components

Configuring Nomad federated login involves the following components. Note that there are additional prerequisite components beyond these as described in Prerequisites for Nomad federated login.

IdP Configuration document

This document is created in the IdP Catalog (idpcat.nsf). For Nomad federated login, it allows an ID vault server to act as a SAML Service Provider that communicates with your SAML Identity Provider (IdP) to authenticate Nomad for web browser users when they connect to Domino applications during setup.

The IdP Configuration document:

  • Defines aspects of your SAML identity provider (IdP) such as the SAML protocol it uses, its service login URL, and its SAML assertion encryption and signing certificates. You import a metadata .xml file previously exported from your IdP into the document, which adds this information automatically.
  • Includes a Nomad Postback URL field, which is specific to the Nomad federated login IdP Configuration document. This is the URL that the IdP redirects to with the SAML assertion after a user has been authenticated through the IdP.
  • Is used to create a new TLS certificate and keys for the ID vault server required for encrypted SAML assertions from the IdP.
  • Is used to save the new TLS certificate and private key to the ID vault server ID file.
  • Is used to create a ServiceProvider.xml. This file defines information about the ID vault server, including the new certificate and public key, and is imported into the IdP Relying Party Trust.

For more information, see Creating an IdP Configuration document for Nomad federated login.
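The IdP metadata .xml file described above carries the SAML protocol, the service login URL and the signing and encryption certificates that the IdP Configuration document imports. The following is an added example, not HCL's code and not part of Domino, that parses a constructed IdP metadata file and reports anything the import would be missing (no SAML 2.0 protocol, no signing or encryption certificate, no login URL, a non-HTTPS login URL). The element and attribute names are the standard SAML 2.0 metadata schema; the entity ID, URLs and certificate bodies in the sample are placeholders.

```python
"""Added example: sanity-check an IdP SAML 2.0 metadata file before importing
it into a Nomad federated login IdP Configuration document.
All sample data below is constructed; this is not HCL's code."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed IdP metadata. The X509Certificate bodies are placeholders,
# not real certificates, and the host is a documentation-style name.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVItU0lHTklORw==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVItRU5DUllQVElPTg==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the fields the IdP Configuration document needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("metadata root is not an md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no md:IDPSSODescriptor (not IdP metadata?)")
    info = {
        "entity_id": root.get("entityID"),
        "protocols": (idp.get("protocolSupportEnumeration") or "").split(),
        "signing_certs": [],
        "encryption_certs": [],
        "sso": {},  # binding URN -> login URL
    }
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                           default="", namespaces=NS).strip()
        if not cert:
            continue
        # Per the SAML metadata schema, a KeyDescriptor without a "use"
        # attribute is valid for both signing and encryption.
        use = kd.get("use")
        if use in (None, "signing"):
            info["signing_certs"].append(cert)
        if use in (None, "encryption"):
            info["encryption_certs"].append(cert)
    for sso in idp.findall("md:SingleSignOnService", NS):
        info["sso"][sso.get("Binding")] = sso.get("Location")
    return info


def metadata_problems(info):
    """Return a list of reasons the metadata is not ready to import; empty is good."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if SAML2_PROTOCOL not in info["protocols"]:
        problems.append("IdP does not advertise SAML 2.0 protocol support")
    if not info["signing_certs"]:
        problems.append("no signing certificate (assertion signatures cannot be verified)")
    if not info["encryption_certs"]:
        problems.append("no encryption certificate (encrypted assertions cannot be used)")
    if not info["sso"]:
        problems.append("no SingleSignOnService login URL")
    for binding, location in info["sso"].items():
        if not (location or "").lower().startswith("https://"):
            problems.append("login URL for %s is not HTTPS" % binding)
    return problems


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", parsed["entity_id"])
    print("login URLs:", parsed["sso"])
    print("problems:", metadata_problems(parsed) or "none")
```

Run it against the real file exported from your IdP instead of SAMPLE_METADATA; an empty problem list means the document import will find the protocol, login URL and both certificates it expects, and a non-empty one tells you which piece the IdP export left out before you generate ServiceProvider.xml.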

Relying Party Trust

The ServiceProvider.xml file created with the IdP Configuration document is imported into a Relying Party Trust that you configure on your IdP. The file provides the required configuration information about the Domino ID vault Service Provider to your IdP automatically. Each IdP has its own steps for creating a Relying Party Trust. In this documentation, we provide an example creating the Trust with Active Directory Federation Services (ADFS) 4.0.

For more information, see Setting up a Relying Party Trust for the ID vault server used by Nomad federated login.

Security Settings

As part of Nomad server setup, Nomad for web browser users are required to have a Security Settings document assigned to them that is enabled to use the ID vault. You enable Nomad federated login in this same document through the field Enable Nomad federated login with SAML IdP in the Password Management > Federated Login tab. In addition, you use the Keys and Certificates tab to add a link to the Notes® organization certifier of the Nomad users to the policy. For more information, see Enabling Nomad federated login.

ID vault document

In the ID vault document for the ID vault used by Nomad for web browser users, you specify the Nomad server (SafeLinx) host name preceded by the prefix nomad.vault in the Nomad federated login approved IdP configurations field. The prefix is used to indicate a trusted Nomad federated login Service Provider. For more information, see Enabling Nomad federated login.

deploy.nsf

You use options in the Domino directory to export the Notes organization certifier specified in the Keys and Certificates tab of the Security Settings document to a file called deploy.nsf. This file is then copied to the Nomad server. As part of client setup, the Nomad for web browsers client reads the deploy.nsf file on the Nomad server and copies the organization certifier into the Personal Address Book, which is required for Nomad federated login.

For more information, see Exporting Notes certificates to a deploy.nsf file.