Configuring OIDC-based SSO for web users

A Single Sign-On (SSO) option for browser clients is available using the OpenID Connect (OIDC) authorization code flow with PKCE.

Domino's OIDC login SSO functionality allows browser clients to access the Domino web server by authenticating with an OIDC provider. This form of SSO serves a similar role to basic SAML authentication for Web servers. In Domino 12.0.2 this functionality cannot be used to authenticate against the Notes ID vault to acquire an ID file, so it does not replace Web Federated Login, Notes Federated Login, or Nomad Federated Login. After authenticating against a trusted OIDC provider, the user's web browser receives a session cookie that is used to authenticate subsequent HTTP requests to that Domino server.

Procedure

  1. Configure HTTP bearer authentication for one or more Internet Sites as discussed in Enabling HTTP Bearer authentication.
    Note: Internet Sites must be enabled for HTTP Bearer authentication in order to support OIDC Login.
  2. Configure a trusted OIDC provider for one or more of those Internet Sites as shown in Configuring trusted OIDC providers.
  3. Enable Session authentication from the Domino Web Engines tab of the Internet Site document.

    In environments where all web servers can be configured to support a single identity provider, security can be improved by using a SAML IdP or an OIDC provider to authenticate end users to each server, and using single-server session cookies on each of those back end servers instead of a multi-server SSO cookie such as an LTPA Token. OIDC SSO and SAML SSO are mutually exclusive on a given Internet Site.

  4. Configure a new OIDC/OAuth 2.0 client for this Internet Site in your OIDC provider. We recommend configuring Domino as a "confidential client," enabling only the authorization code flow and requiring PKCE with S256. The redirect URI for a Domino server listening on myserver.example.com will be in the form https://myserver.example.com/names.nsf?OIDCLogin. Note that OIDC login can be enabled on multiple Internet Sites by selecting all of those Internet Sites in the OIDC Provider document in idpcat.nsf and configuring a redirect URI for each of those host names in your OIDC provider.

    For an example of a KeyCloak configuration, see Sample KeyCloak configuration as an OIDC provider for Domino.

    1. Set the client_id configured at the OIDC provider in the OIDC_LOGIN_CLIENT_ID notes.ini setting.
    2. Set the client_secret configured at the OIDC provider in the OIDC_LOGIN_CLIENT_SECRET notes.ini setting.
      Note: Only one OIDC provider, with one associated client_id and client_secret, can be configured for OIDC login on a given Domino server.
  5. Set OIDC_LOGIN_ENABLE_REDIRECT=1 to enable redirection of unauthenticated users from endpoints on the Domino server to the /names.nsf?OIDCLogin endpoint and back again to their original target URI after authentication.
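The procedure above describes the configuration but leaves the protocol exchange implicit. The following Python is an added example, not Domino's or HCL's code, showing what the relying-party side of the flow looks like under the constraints this page states: authorization code flow only, PKCE S256 and a nonce always present, scope=openid email, the redirect URI https://myserver.example.com/names.nsf?OIDCLogin, and client_secret_basic for the back-channel token request. The provider endpoint URLs, client_id and client_secret are constructed placeholders standing in for the OIDC Provider document and the two notes.ini settings.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for the trusted OIDC provider's endpoints and for the
# OIDC_LOGIN_CLIENT_ID / OIDC_LOGIN_CLIENT_SECRET notes.ini settings.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/realms/domino/protocol/openid-connect/auth"
TOKEN_ENDPOINT = "https://idp.example.com/realms/domino/protocol/openid-connect/token"
CLIENT_ID = "domino-web"
CLIENT_SECRET = "example-secret-do-not-use"
REDIRECT_URI = "https://myserver.example.com/names.nsf?OIDCLogin"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Return (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorization_request(state: str, nonce: str, code_challenge: str) -> str:
    """Front-channel request the browser is redirected to. Only response_type=code
    is used, the scope is always "openid email", and PKCE S256 and nonce are always sent."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def authorization_request_params(url: str) -> dict:
    """Flatten the query string of an authorization request for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def verify_callback(callback_url: str, expected_state: str) -> str:
    """Check the redirect back to /names.nsf?OIDCLogin. The state must match the value
    bound to this login attempt (the reason a proxy in front of several Domino servers
    needs session affinity), and an authorization code must be present."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, code_verifier: str):
    """Back-channel exchange of the code at TOKEN_ENDPOINT. Returns (headers, form_body).
    client_secret_basic carries the credentials in an HTTP Basic header, so the secret
    never appears in the form body; the provider recomputes S256(code_verifier) and
    compares it with the challenge it stored for this code."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode("ascii")).decode("ascii")
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the value sent in the authorization request
        "code_verifier": code_verifier,
    }
    return headers, body


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    print(build_authorization_request(state, nonce, challenge))
    # Constructed callback as the provider would issue it after the user logs in.
    code = verify_callback(f"{REDIRECT_URI}&code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    headers, body = build_token_request(code, verifier)
    print(headers["Authorization"], body)
```

The id_token returned from the token endpoint still has to be validated (signature, issuer, audience, expiry, nonce) before the session cookie is issued; the state and code_verifier above are per-attempt secrets that must be stored server-side or in a cookie scoped to the login attempt, never derived from anything the browser can choose.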

Other configuration settings

By default, the cookies used to maintain OIDC authentication state during a login attempt have a lifetime of 2 minutes. This default can be changed by setting the OIDC_LOGIN_COOKIE_DURATION_SEC notes.ini setting to a value between 30 and 900 seconds, either to give end users less time to complete authentication with their OIDC provider or to give them more.

By default, up to 15 seconds of clock skew between the Domino server and the OIDC provider is tolerated when validating token timestamps. This default can be changed by setting the OIDC_LOGIN_CLOCK_SKEW_SEC notes.ini setting to a value between 0 and 600 seconds.

In addition to the notes.ini variables discussed in the HTTP Bearer authentication documentation, two notes.ini variables can be used to enable additional tracing on the server console:

  • DEBUG_OIDCLogin=(0,1,2,3,4)
  • DEBUG_OIDC_LOGIN_REDIRECT=(0,1)

Limitations, known issues, and notes

  • Per current security best practices, only the Authorization Code Flow with PKCE can be used for OIDC Login SSO.
  • Domino will always request "scope=openid email".
  • PKCE S256 and nonce will always be used and cannot be disabled.
  • The id_token received must conform to the requirements set forth in OIDC.Core, with the exception that Domino will fall back to the "upn" Claim if no "email" Claim is found.
  • Web proxies that distribute requests across multiple Domino servers should be configured with session affinity so that a single OIDC login attempt is not split across two Domino servers.
  • "client_secret_basic" and "none" are the only client authentication methods supported.
  • client_id and client_secret are configured via notes.ini for the entire Domino server, so only one OIDC provider may be used for OIDC Login on a single Domino server.
  • OIDC Login statistics may be combined with HTTP bearer authentication stats.
  • OIDC Login is only supported on Windows and Linux servers.
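To make the id_token requirements concrete (the OIDC Core checks, the clock-skew tolerance described under Other configuration settings, and the fallback from "email" to "upn" listed above), here is an added Python validator. It is not Domino's implementation. The constructed token is signed with HS256 under a shared secret only so the example runs offline; a real provider signs with an asymmetric key published in its JWKS. The issuer, client_id, signing key and claim values are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the trusted OIDC provider document in idpcat.nsf, the
# OIDC_LOGIN_CLIENT_ID setting, and the provider's signing key.
ISSUER = "https://idp.example.com/realms/domino"
CLIENT_ID = "domino-web"
SIGNING_SECRET = b"constructed-example-key"
CLOCK_SKEW_SEC = 15   # same value as the OIDC_LOGIN_CLOCK_SKEW_SEC default


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict) -> str:
    """Mint a constructed HS256 id_token for the example (a real provider uses RS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, now=None) -> str:
    """Verify signature and the OIDC Core claims, tolerating CLOCK_SKEW_SEC on exp/iat,
    then return the identity claim: "email", or "upn" when "email" is absent."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept alg=none
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected_sig = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))

    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client_id")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences without a matching azp claim")
    # exp slightly in the past and iat slightly in the future are tolerated within the skew.
    if claims.get("exp", 0) + CLOCK_SKEW_SEC < now:
        raise ValueError("token expired")
    iat = claims.get("iat")
    if iat is not None and iat - CLOCK_SKEW_SEC > now:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")

    identity = claims.get("email") or claims.get("upn")
    if not identity:
        raise ValueError("neither email nor upn claim present")
    return identity


if __name__ == "__main__":
    now = int(time.time())
    nonce = "n-0S6_WzA2Mj"
    # Constructed claims as a provider would issue them for a successful login.
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "24400320", "iat": now - 5,
              "exp": now + 300, "nonce": nonce, "email": "alice@example.com"}
    print(validate_id_token(make_id_token(claims), nonce, now))
```

Note that the identity value returned here still has to be mapped to a Person document before a session cookie is issued; a token that passes every check above but names a user unknown to the directory should be rejected rather than provisioned.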