Planning for user authentication

HCL Traveler requires every HTTP request to be authenticated so that each operation is associated with the correct user. Anonymous access is therefore not supported. This validation of identity, referred to as authentication, is typically handled by the HCL Domino HTTP task or a secure proxy such as HCL SafeLinx. This section lists the authentication types supported by each client to help you plan the Traveler server's authentication configuration.

Authentication options overview

The following authentication types are supported by one or more HCL Traveler clients.

Table 1. Supported authentication types by client
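Client                                    | Basic | Certificate-based (TLS) | Federated Identity (SAML) | Time-based One-Time Password (TOTP)
------------------------------------------|-------|-------------------------|---------------------------|------------------------------------
Apple iOS/iPadOS Mail Client              | Yes   | Yes                     | No                        | No
HCL Verse for Android                     | Yes   | Yes                     | Yes                       | Yes
HCL Verse for iOS/iPadOS                  | Yes   | Yes                     | Yes                       | Yes
HCL Companion for iOS/iPadOS              | Yes   | No                      | No                        | No
HCL To Do for iOS/iPadOS                  | Yes   | No                      | No                        | No
HCL Traveler for Microsoft Outlook (HTMO) | Yes   | Yes                     | No                        | No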

Basic authentication (Name-and-password authentication)

Basic authentication (also known as Name-and-password authentication) is supported by all Traveler clients. Clients are configured with the user’s internet address and password, and these credentials are then used to authenticate the client application's requests to the Traveler server. The user is only prompted for the password if there is an authentication failure (for example, an expired password). This type of authentication is the default configuration for a Traveler server deployment. See Name-and-password authentication for Internet/intranet clients for more information.

Enabling session-based authentication (single or multi-server) is highly recommended for the Traveler endpoint as it increases security and improves performance. Session-based authentication reduces the number of times the client must send the user’s credentials in the request header, and it improves performance by eliminating the need to re-authenticate every request. When enabled, however, session-based authentication generates a form challenge that most Traveler clients do not handle, so additional configuration changes are needed to ensure that a basic authentication challenge is returned to the clients. See HTTP Basic authentication for more information.
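As an added example (not HCL code), the following Python sketch classifies the server's reply to an unauthenticated request as a Basic challenge or a form challenge, which is the check to make after enabling session-based authentication. The signals used to recognise a form challenge (an HTML password field, or a redirect whose target contains "login") and the sample replies are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser


class _PasswordField(HTMLParser):
    """Sets .found when the body contains <input type="password">."""
    found = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found = True


def challenge_schemes(headers):
    """Auth schemes offered in WWW-Authenticate headers, lower-cased."""
    schemes = []
    for name, value in headers:
        if name.lower() == "www-authenticate":
            value = re.sub(r'"[^"]*"', '""', value)  # ignore commas inside quoted realms
            # A scheme starts the value or follows a comma; auth-params end in "=".
            schemes += [s.lower() for s in
                        re.findall(r"(?:^|,)\s*([A-Za-z][\w-]*)(?=\s|,|$)", value)]
    return schemes


def classify_challenge(status, headers, body=""):
    """Classify the reply to an unauthenticated request: basic, form or other."""
    if status == 401 and "basic" in challenge_schemes(headers):
        return "basic"
    page = _PasswordField()
    page.feed(body)
    location = next((v for n, v in headers if n.lower() == "location"), "")
    # Assumption: a form challenge is an HTML login page or a redirect to one.
    if page.found or (status in (301, 302, 303, 307) and "login" in location.lower()):
        return "form"
    return "other"


# Constructed sample replies (not captured from a real server).
SAMPLES = {
    "basic": (401, [("WWW-Authenticate", 'Basic realm="example"')], ""),
    "form": (200, [("Content-Type", "text/html")],
             '<form method="post"><input name="Username">'
             '<input name="Password" type="password"></form>'),
    "redirect": (302, [("Location", "/login?redirectto=/example")], ""),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(label, "->", classify_challenge(*reply))
```

The `headers` argument is a list of (name, value) pairs, the shape returned by `http.client.HTTPResponse.getheaders()`. A result of "form" on the Traveler endpoint means clients that expect a Basic challenge will not be able to authenticate.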

Certificate-based authentication

A more secure option than HTTP Basic authentication is TLS client authentication. To access the Traveler server endpoint, the application is asked to provide the client certificate to complete the TLS handshake and secure the connection. The administrator can decide whether only a certificate is required or whether a certificate plus the user’s internet ID and password are required; however, only the HCL Verse Android client supports the use of both certificates and internet ID and password.

See Configuring the server for Certificate Based Authentication with Android devices for more information on support and setup for client certificate authentication.

Federated identity (SAML) authentication

Federated identity authentication using Security Assertion Markup Language (SAML) allows users to authenticate to a customer’s identity provider prior to accessing the HCL Traveler services. Only the authentication token from the identity provider is stored in the Traveler-supported clients and passed in the request to the Traveler endpoint; the user’s credentials are never stored in the account information on the device, nor are they passed in the request to the Traveler endpoint. Whenever the authentication token expires, the user is prompted to re-enter their credentials to the identity provider to obtain a new token.

See Mobile client support for SAML authentication for more information.

Time-based One-Time Password (TOTP) authentication

HCL Domino 12.0.0 introduced the option to enhance the internet ID and password authentication with a Time-based One-Time Password (TOTP). The HCL Verse mobile clients support this type of authentication. Like SAML authentication, the user’s credentials are never stored in the account information on the device, nor are the user’s credentials passed in the request to the Traveler endpoint. Whenever the authentication token expires, the user will be prompted to re-enter their credentials and the TOTP code.

For more information on mobile support for TOTP authentication, see Mobile client support for TOTP authentication.