Mobile client support for SAML authentication

HCL Verse mobile clients now support federated-identity authentication using Security Assertion Markup Language (SAML). This allows mobile users to authenticate to a customer’s identity provider prior to accessing the HCL Traveler services.

Support requirements

  • HCL Verse for iOS and Android 12.0.0 and later clients.
  • Domino 11.0.1 and higher configured for SAML authentication for Web servers.
  • A SAML 2.0-compatible Identity Provider that accepts AuthnRequest messages, configured for forms-based authentication.
  • The Identity Provider must return the user's email address as the NameID attribute, and it must match the user's Internet Mail address in the user's person document. Alternatively, if using Active Directory Federation Services (ADFS), you may configure Domino Directory Name Mapping (ADFS only) using an attribute such as altSecurityIdentities.
  • Third-party signed SSL certificates for the Traveler and IDP endpoints.
  • Service Provider (SP) Initiated login only. This requires the mobile client to be redirected to the Identity Provider (IDP) login when accessing the Traveler service. If using a proxy to access the Traveler server(s), this proxy must be able to handle URL rewriting.
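The NameID requirement above is the one most often misconfigured, so here is an added pre-deployment check (example code, not part of HCL's product or this page) that reads the NameID from a SAML Response and compares it with a stand-in for the person document's InternetAddress field. It assumes a constructed, unsigned sample assertion and that signature validation has already been done by Domino; the case-insensitive comparison is also an assumption.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response, trimmed to the elements this check reads (no signature).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed stand-in for the relevant fields of a Domino person document (hypothetical values).
PERSON_DOC = {"FullName": "CN=Jane Doe/O=Example", "InternetAddress": "jane.doe@example.com"}


def extract_name_id(response_xml):
    """Return (Format, value) of the assertion's NameID, or (None, None) if absent."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    if node is None:
        return None, None
    return node.get("Format"), (node.text or "").strip()


def name_id_matches_person(response_xml, person_doc):
    """Return (ok, reason). ok is True only when the NameID uses the emailAddress
    format and equals the person document's InternetAddress (assumed case-insensitive)."""
    fmt, value = extract_name_id(response_xml)
    if value is None:
        return False, "no NameID in assertion"
    if fmt != EMAIL_FORMAT:
        return False, "NameID Format is %r, expected emailAddress" % fmt
    if value.lower() != person_doc.get("InternetAddress", "").lower():
        return False, "NameID %r does not match InternetAddress" % value
    return True, "ok"


if __name__ == "__main__":
    print(name_id_matches_person(SAMPLE_RESPONSE, PERSON_DOC))
```

A mismatch here means Traveler would have no person document to map the authenticated subject to, which shows up as a failed login even though the IDP reported success.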

Limitations

  • The HCL Companion or To Do applications for iOS do not support SAML Authentication.
  • SAML Authentication is not supported by clients that use the Microsoft Exchange ActiveSync protocol, including the Apple iOS Mail client. For more information on how the server can be configured to allow Basic authentication for clients using the Exchange ActiveSync protocol, see Configuring the HCL Traveler server for SAML authentication.
  • The HCL Verse mobile clients cannot leverage Web Federated Login. This means that users, when working with encrypted mail, still have to provide their Notes ID password when prompted. If the ID vault is enabled for Web Federated Login by other web-based applications (for example, HCL Verse), ensure that the vault still allows password authentication.
  • For HCL Verse Android, application passwords are not supported when configured for SAML authentication. A Traveler server setting or policy setting requiring application passwords will be ignored.
  • This SAML configuration is not compatible with using HCL Safelinx as a proxy to the Traveler servers.
  • HCL Verse mobile applications cannot support Windows NT LAN Manager (NTLM) authentication if Windows Integrated Authentication (WIA) is enabled in ADFS. Ensure that a forms-based login is configured and enabled as a fallback for clients that do not support WIA.