Troubleshooting Nomad federated Login

If Nomad federated login is working, a user who has not set up Nomad for web browsers can connect to the Nomad server without being prompted for a Notes ID during setup. If you encounter a problem with Nomad federated login, the following sections describe common issues and workarounds.

Message: "HCL Nomad will be setup automatically"

When the user is asked to click Continue during setup, it is because Nomad was unable to create and access a hidden IFRAME element in the browser. This is usually because one or more of the HTTP headers from the IdP were missing or incorrect.

The browser’s console should provide more information about what is wrong.

If the message is Refused to frame '<url>' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self', it is working as intended as the IFRAME is not allowed.
If the message is The ‘Content-Security-Policy’ is incorrect, then the Content-Security-Policy header from the IdP needs to be fixed.
If the console doesn’t contain messages from 1 or 2, the problem is likely one or both of the following headers from the IdP:
- Cross-Origin-Embedder-Policy must be require-corp
- Cross-Origin-Resource-Policy must be cross-origin

If the message is

The path of the provided scope ('/') is not under the max
                    scope allowed ('/nomad/')

, update the Service-Worker-Allowed HTTP header to allow the scope. For more information on the Service-Worker-Allowed header, see Hosting static files in the Nomad administration documentation.

Note: This will also prevent the configuration from continuing.

User is prompted for Notes ID password

This can be caused by several configuration errors. To identify the problem, authenticate as the user and enter the url <hostname>/nomad/userConfig.json and look at the resulting text in the browser.

If the “deployNSF” part is missing:
- Check the SafeLinx configuration to make sure it is configured for SAML. For more information, see Configuring SAML in the SafeLinx documentation.
- Check that deploy.nsf is copied to the server. For more information, see Exporting Notes certificates to a deploy.nsf file.
Check the policy settings on the Domino server, as described in Enabling Nomad federated login. If the policy is not enabled, the browser console displays the following message:
```
Server domino/EXAMPLE reported the following problem causing authentication to fail: 
You are not authorized to perform this function on this server 
```

Client fails to download the deploy.nsf database from the Nomad (SafeLinx) server

If the browser client fails to download the deploy.nsf database, messages such as the following ones are shown in the browser console logs:

5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] HTTP_Service::processNewSession() adjusted URI = '/deploy.nsf'
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] LTPA_KeyHandler::decodeRSAKey: (return), rc=0
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] start= 'u:user\:defaultRealm/CN=<username>,O=<org>%1643059074000%'
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] nomad-web-proxy0::processLtpaSessionKey: (entry)
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] nomad-web-proxy0::processLtpaSessionKey - cookie's LtpaToken expires in 598 minutes
5980: 2892 (Jan 24 2022/12:18:23.9180)[HTTPAS]nomad-web-proxy0::processLtpaSessionKey: auth by LtpaToken cookie 
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] AUTH_Server::mdmAuthenticate: (entry)
5980: 2892 (Jan 24 2022/12:18:23.9180)[LOG] HTTP_APPL: assigning traffic to Nomad application handler [<user_mail_address>]
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] getServerURL(): '/deploy.nsf'
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] getServerMapping() returns NULL
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] setupProxyConnection: appending / and trying again
5980: 2892 (Jan 24 2022/12:18:23.9180)[WARN] setupProxyConnection: failed to assign app server for URI '/deploy.nsf/', APP_ServerMgr::assignServer(): Failed to find matching server (errno=0)
file - line: APP_ServerMgr.C - 876
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] setup connection, elapsed time: 0ms
5980: 2892 (Jan 24 2022/12:18:23.9180)[WARN] nomad-web-proxy0: failed to setup back end connection, elapsed time: 0ms [<user_mail_address>]
5980: 2892 (Jan 24 2022/12:18:23.9180)[DEBUG] ConnectionFailed: URL NULL
5980: 2892 (Jan 24 2022/12:18:23.9180)[HTTPAS]httpServerResponse: HTML pkt size: 490
HTTP/1.1 404 Not Found

To correct the problem:

Verify that deploy.nsf has been copied to the Nomad server.
Windows only If deploy.nsf is in the default location, <SafeLinx_install\saml, move it outside of the install directory and use the chwg command to indicate its new location.

For more information, see Exporting Notes certificates to a deploy.nsf file