Home
What's new in Domino 14?
Learn about all of the new features for administrators in HCL Domino® 14.
What's New in 14.0?
HCL Domino 14.0 introduces the following new features and enhancements.
Enhancements related to security features
HCL Domino 14.0 provides the following enhancements related to security features.
Web user login with OIDC enhancements
HCL Domino 14.0 provides the following web user login with OIDC enhancements.

What's new in Domino 14?
Learn about all of the new features for administrators in HCL Domino® 14.
- What's new in 14.0 Fixpack 1?
- What's New in 14.0?
  HCL Domino 14.0 introduces the following new features and enhancements.
  - Enhancements related to security features
    HCL Domino 14.0 provides the following enhancements related to security features.
    - Updated default TLS ciphers
      Domino 14 has updated the default TLS ciphers to include only ciphers with PFS, AEAD, and SHA-2 according to current security best practices.
    - Security policy for ID file encryption
      In Domino 14.0, you can set a policy to upgrade the algorithm used to encrypt the ID file to AES-128 with SHA-256, or AES-256 with SHA-512, when changing the password.
    - Global OpenID Connect (OIDC) enhancements
      In Domino 14.0, the per-process JWK Cache and JWKCacheMgrThread from 12.0.2 have been combined into a global, cross-process OIDC provider cache.
    - Web user login with OIDC enhancements
      HCL Domino 14.0 provides the following web user login with OIDC enhancements.
    - HTTP Bearer authentication replacements
      HCL Domino 14.0 provides the following HTTP Bearer authentication replacements.
    - Enhanced OpenID Connect 1.0 (OIDC) provider support
      Domino 14.0 improves our support for Microsoft's less-than-standard OIDC providers.
    - SHA256 support for Internet password in Domino directory
      With Domino 14.0, users' password hashes will now be updated to SHA256 when they change their Internet passwords in the Person Document.
    - New Passkey authentication
      HCL Domino 14.0 introduces authentication with passkey via the WebAuthn/FIDO2 protocol.
    - Third-party access token validation
      There is a new API that is exposed in the SDK for 14.0. This would be usable from any server process, and would leverage the trusted OIDC providers configured in idpcat.nsf to validate access tokens.
    - Document and email encryption capabilities
      HCL Domino 14.0 provides the following person document/email encryption capabilities.
    - Cluster-safe, sprayable, single-server session cookies (DomAuthSessId)
      When enabled by setting the new notes.ini DominoSessionCookieUniqueNames=1 the name of the DomAuthSessId cookie becomes DomAuthSessIdABCDEFGHIJK, where ABCDEFGHIJK is the first 11 characters of Base64url [SHA256 (Domino server DN)]. This causes multiple Domino servers that are all serving the same internet site to choose unique cookie names instead of overwriting each other's cookies.
    - New version of OpenSSL
      HCL Domino provides a new OpenSSL version.
    - ID file login prevention
      Notes 14.0 provides the following enhancement for Notes Federated Login.
  - New AdminCentral app
    The AdminCentral application (admincentral.nsf) is automatically created by adminP on the Domino administration server. You can open AdminCentral directly from your Notes Standard or Nomad web client, without the need to start Domino Administrator.
  - AutoUpdate for software download and distribution
    This new feature notifies you of the latest Domino and Domino product family available on the Domino server. You can use AutoUpdate to download selected software from the My HCLSoftware portal and have it distributed to groups or selected Domino servers.
  - One-touch setup enhancements
    HCL Domino 14.0 includes Domino one-touch setup enhancements.
  - Domino installation inclusions
    Domino installation now includes HCL Verse, HCL Nomad server on Domino, and OnTime Group Calendar.
  - Windows installer updates
    Domino install no longer supports the notes.ini in the executable directory on Windows.
  - Auto-notifications for the latest product versions
    This opt-in feature makes administrators aware of the latest version available for Domino and Domino companion products.
  - Upgrade to HCL Notes 64-bit using AutoUpdate
    Starting with Domino 14.0, only 64-bit Notes clients are supported. Users upgrading servers from Domino 12.0.2 (or earlier) to 14.0 with a 32-bit client will need to upgrade to the 64-bit version. If a user is already running a 64-bit client, administrators can set up Auto Update (AUT) to support the upgrade anyway.
  - External email notifications
    Administrators can now have text added to the top of all incoming email sent by users outside your domains. This message might be used to remind your users to use caution and avoid clicking links or opening file attachments in messages that haven't originated from within your environment.
  - Enabled policy for delayed mail delivery
    In Notes mail, the Send Later button is easy for users to discover, and the Domino policy that allows Notes users to see that option is now enabled by default.
  - Disable LotusScript Debugger in HCL Notes
    You can set a desktop policy to disable the LotusScript Debugger in your Notes client.
  - Files tab supports database encryption
    Previously, an administrator could only change the encryption status of a single database. Now, by using the Files panel of the Administration client, an admin can select multiple databases and change their encryption settings. An admin can also see the current encryption state and strength for all databases.
  - DAOS repair in a Domino cluster
    With the DAOSmgr Repair Tell command, Domino administrators can scan the DAOS catalog for objects marked as missing during DAOS resynchronization and attempt to repair them from the server's cluster mates.
  - Domino Restyle enhancements
    Domino Restyle updates an application's UI elements with a color-coordinated, cleaner look and feel. The following enhancements are supported by Notes 14.
  - Other updates
    Domino 14.0 also includes the following updates.
- Components no longer included in this release
  The following components are no longer included in Domino 14.

Web user login with OIDC enhancements

HCL Domino 14.0 provides the following web user login with OIDC enhancements.

Enabling redirect: Configuring the Internet Site for Web Login with OIDC redirects unauthenticated users to an OIDC Provider (OP) for authentication. This redirect will not occur if the Internet Site's idpcat.nsf entry does not contain a configured client_id or the OP does not publish the endpoints needed for the OIDC Authorization Code flow with PKCE. This means that an Internet Site configured for just HTTP bearerAuth can exist on the same Domino server as a site configured for Web Login with OIDC, and the former site will not redirect unauthenticated clients to the OP (likely generating a username/password or passkey login form instead) but the latter will. (By default, the OIDC_LOGIN_ENABLE_REDIRECT notes.ini has a value of 1. If you wish to disable this redirect globally across your entire server, you can set OIDC_LOGIN_ENABLE_REDIRECT=0 in your server's notes.ini.); Note that clients sending an Authorization: Bearer header or setting xhr=1 will never be redirected to an OP for authentication, and should not receive an HTTP login form.

Authentication: In Domino 14, the authentication technique used to connect to the OIDC provider's token endpoint can be configured by using a drop-down menu in idpcat.nsf. The default setting is client_secret_basic. Select "none" for public clients that lack a secret.; private_key_jwt authentication is also now supported. Copy a private signing key in PEM or JWK format into the "client secret" field of the OIDC Provider document and set the authorization type field to "private key jwt". The corresponding public JWK will be published in jwks_uri format at /auth/protocol/oidc/keys so dynamic key updates can be supported.

Configuration

In Domino 14, the client_id and client_secret are now configured by using fields in idpcat.nsf instead of the OIDC_LOGIN_CLIENT_ID and OIDC_LOGIN_CLIENT_SECRET notes.ini variables. Those notes.inis have been removed.

The OIDC_LOGIN_CLOCK_SKEW_SEC, OIDC_LOGIN_COOKIE_DURATION_SEC, and DEBUG_OIDCLogin notes.ini variables still exist and work as they did in 12.0.2.

Back-channel logout: OIDC back-channel logout is now supported. Back-channel logout requests are accepted on the Domino server's callback URL -- either /names.nsf?OIDCLogin or /auth/protocol/oidc.