Configuring the HCL Traveler server for SAML authentication

SAML Authentication setup for the HCL Verse mobile clients follows the steps laid out in the Domino Administration guide for basic SAML authentication for Web servers.

Traveler server setup

The HCL Traveler server(s) should be configured prior to enabling SAML. This allows validation that HCL Traveler is functioning prior to changing the security for SAML authentication.

Domino Multi-server session-based authentication (Single Sign On) should be configured and working properly among the participating servers in the Traveler HA pool before enabling SAML.

Preparing for SAML authentication

Read the following notes, then complete the required steps in the HCL Domino Administration guide for preparing for SAML authentication:
  • The Identity Provider (IdP) Catalog needs to be replicated to any HCL Traveler server participating in the SAML federated authentication.
  • ID Vault setup is not required as part of enabling SAML support for the HCL Verse mobile clients. If ID Vault setup is needed for other web clients, make sure that the vault security policy setting document is enabled to Allow password authentication to the ID vault. This allows HCL Verse mobile clients to continue using password authentication to access the notes id file when working with encrypted mail.
  • Mobile clients cannot participate in Windows Integrated Authentication (WIA).
  • Traveler server testing - after making the changes in this section, validate that you can still access the Traveler endpoint.

Configuring basic SAML authentication for Web servers

Read the following notes, then complete the steps to enable basic SAML authentication for Web servers as outlined in the HCL Domino Administration guide:

Traveler-specific notes for basic SAML setup:

  • Creating a Web Server IdP configuration document :
    • For hostnames, enter the HCL Traveler server hostname(s) and IP addresses, as well as the external hostname and IP address (if it is different in your environment)..
    • For the Service provider ID, it is suggested to use the HCL Traveler external URL value (/traveler is not required). Example:
  • Enabling SAML authentication
    • For HCL Traveler, follow the steps associated with using an internet site document.
    • It is recommended to use a Web SSO configuration (required for an HA environment).
    • To enhance the HCL Verse mobile end user experience, it is recommended to extend the default of 2 hours for the SAML single server session expiration field. If using a WEB SSO configuration document, the token expiration time should be the same as the SAML single server session expiration field. For more information, see Authentication timeout settings.
    • To allow clients that use the Exchange ActiveSync protocol (like the iOS Mail app) to continue to use Basic authentication, edit the Override Session Authentication rule and set the Incoming URL pattern to "/traveler/Microsoft-Server-ActiveSync*". If you do not intend to support the activesync clients, remove the existing Override Session Authentication rules for Traveler. Additionally, turn off (set to false) the notes.ini NTS_AUTO_CONFIG. Otherwise, Traveler will attempt to re-add session override rules. Ensure that these changes to the names.nsf are replicated to all partipating Traveler servers and then restart Domino HTTP.
      Note: It is recommended that you keep any substitution rules.
  • Testing the basic SAML authentication for Traveler:
    • For testing the resulting setup, use a mobile device browser to access the HCL Traveler endpoint. You should see the form login from the identity provider instead of a basic authentication prompt. Login as a user using the user’s credentials from the identity provider (not the Domino http password) and verify the HCL Traveler server home page displays.
      Note: For ADFS, a desktop browser may give different results than a mobile browser if Windows Integrated Authentication is enabled.