This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Nov 6, 2013, 3:58 PM
34 Posts

Domino SAML Authentication with ADFS 2

  • Category: Security
  • Platform: Windows
  • Release: 9.0
  • Role: Administrator
  • Tags:
  • Replies: 3

I'm trying to set up single sign-on for iNotes users using SAML authentication.

Using the Administrator Help and the cookbook found on the Wiki I have installed ADFS 2.0 on a Windows 2008R2 server.

Domino 9.0 is running on a Windows 2008R2 server in the same domain.

The ADFS login page is working on the ADFS server, but when Domino redirects to the ADFS server an IIS error page is shown saying the service is unavailable.

The Event log for ADFS shows:

Log Name: AD FS 2.0/Admin

Event ID: 303

The Federation Service encountered an error while processing the SAML authentication request.

Details:

System.ArgumentOutOfRangeException()

 

The Domino log shows:

ProduceSaml2ADFSReply:https://adfsserverblabla....

HTTP Web Server: Bad SAML Request [names.nsf/SAMLLogin] Anonymous

SAML error: Artifact is NULL.

It looks like there is a parameter missing in the request.

Any suggestions?

Nov 15, 2013, 12:18 AM
9 Posts
technotes might help you, and suggest upgrade to 9.01
It seems there is a problem with your partnership.  

The 9.01 release contains fixes for some problems in this area.  I advise you to upgrade to 9.01.

If you need to use 9.0, please consult technotes that provide workarounds for issues in 9.0, for example technote 1628872, "Errors configuring Domino SAML partnership with ADFS 2.0 Identity Provider".

Whether or not you can upgrade to 9.01, please follow SAML deployment instructions posted with 9.01, as they are far better than instructions posted with 9.0.

Hope this helps!
Jane Marcus, IBM
Nov 15, 2013, 10:30 AM
34 Posts
Upgrade to 901

Thank you for the answer!

I will post the results soon.

Nov 20, 2013, 1:17 PM
34 Posts
Upgrade to 901 did the trick

After upgrading to R901 I removed the configuration and re-created it. Single Sign On works fine now!

The only "problem" to solve is that the first time a user authenticates to the iNotes site it takes a very long time to authenticate. The Domino console (debug) shows the SAML request is returned and the user is authenticated; however, the ADFS site shows "page not found". The second attempt to access the site, however, is quick and successful.
In Domino I have increased the input and output time-out for an HTTP request; same results after restarting the server.

Is there any other time-out setting in ADFS or Domino to adjust?

