Enabling Notes federated login

Enable Notes federated login to allow Notes clients users to start Notes and perform secure operations without being prompted for a Notes ID password.

Before you begin

Complete the following prerequisites:

About this task

Prior to v14, Notes reverted to asking for a user's ID file credentials if the login dialog requesting NFL credentials was canceled. Starting with 14.0, to prevent ID file logins, you can set the following notes.ini to make NFL login mandatory:


Note: This setting isn't enabled by default.


  1. In the Domino® Directory, open the existing Security Settings policy for users of your organization’s ID vault.
  2. On the ID Vault tab, make sure there is an assigned vault.
  3. Select the Password Management > Federated Login tab.
  4. Select Yes for Enable Notes federated login with SAML IdP.
  5. When the policy is initially being deployed, under Additional settings for Federated Login (Notes or Web), select Yes for Allow password authentication with the ID vault.
    Tip: After a user has been verified to be working with federated login, it is a recommended security improvement to change Allow password authentication with the ID vault to No. When password authentication with the ID vault is not allowed, the user is required to authenticate to the vault using federated login in order to download the user's id for either Notes or Web use. Because this policy setting controls both Notes and Web behavior with the ID vault, change the setting to No only if federated login should be used exclusively.
  6. Optional: Create custom messages for users to notify them when federated login is either enabled or disabled.
  7. Select the Keys and Certificates tab.
  8. To add the Notes® certifier to the policy, in the Administrative Trust Defaults section, click Update Links.
  9. Choose Selected supported and click OK.
  10. Click the Notes Certifiers tab, select the certificates which signed the IDs of the Notes users, and click OK.
    Note: If the IDs are signed by an Organization Unit (OU) certificate, include all certificates in the hierarchy, including the Organizational certificate.
  11. Click the Internet Cross Certificates tab, select the cross certificate from the Notes root certifier to the certificate exported from ADFS and click OK.
  12. Click the Internet Certificates tab, select the TLS certificate exported from ADFS and click OK.
  13. Verify that a chain of at least three certificates is shown (more if there are organization unit certificates): the Notes certifier at the top, the internet cross certificate in the middle, and the internet certificate at the bottom.
    For example:
    An an example of a chain of three certificates.
  14. Optional: Enter a formula under Machine specific formula to apply the policy to specific computers for clients who have multiple computers.
  15. Save and close the security policy.
  16. From the Domino® Administrator, open the ID vault application (idvault.nsf), which by default is stored in the IBM_ID_VAULT directory. Complete the following steps:
    1. From the Configuration view, open the vault document for the vault that will be configured for SAML authentication.
    2. In the field Notes federated login approved IdP configurations, enter the host name from the Host names or addresses mapped to this site field of the ID vault server IdP configuration document, for example vault.domino1.us.renovations.com.
    3. Click Save & Close.

What to do next

Testing Notes federated login