This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Apr 28, 2013, 8:03 PM
69 Posts

SAML troubleshooting tips?

  • Category: Security
  • Platform: Windows
  • Release: 9.0
  • Role: Administrator
  • Tags: saml
  • Replies: 4

Is there any way to troubleshoot SAML? Despite the missing documentation, I managed to configure ADFS using the Cookbook provided for beta http://www-10.lotus.com/ldd/ndsebetaforum.nsf/topicThread.xsp?action=openDocument&documentId=9FF5568A9ECFFB1A85257AD3006DB084&ca=drs-fo

I also configured SAML in Domino according to the documentation.

Now when I am trying to log in to my Domino server, I am being redirected to ADFS login. I log in there and ADFS redirects me back to https://mydomino/names.nsf?SAMLLogin

and I get Error 400 Bad SAML Login from Domino. And nothing more. Not very helpful indeed. Any tips on troubleshooting/configuration?

Apr 29, 2013, 10:20 PM
9 Posts
server notes.ini
If possible, you can use a server notes.ini to shed light on your problem.  Usually setting the level at 31 is sufficient:

debug_saml=31

You should see SAML debug messages output to the server console.  

With debug turned on, a successful login would show messages for the Domino server receiving a SAML assertion and the assertion successfully verified.

hope this helps,
Jane Marcus, IBM
Feb 27, 2014, 2:01 PM
11 Posts
HTTP Web Server: You are forbidden to perform this operation

Jane, I'm hoping you can help with "HTTP Web Server: You are forbidden to perform this operation" when a SAML assertion is posted to names.nsf?SAMLLogin

SAML successfully redirects to the external SAML authentication provider and attempts to post the SAML assertion to DOMINO.

Any tips?

Feb 27, 2014, 4:59 PM
9 Posts
check the IdP partnership configuration
If you get the "forbidden" message from the Domino web server, check the IdP partnership configuration.  In particular, make sure that the postback url is pointing to the correct Internet site on the Domino server.

The Domino web server should receive a POST method, and receiving some other method could also cause the forbidden message.  It can be helpful to enable http thread logging to see the request/response chains for further troubleshooting.  See here for further information on http thread logging:
http://www-01.ibm.com/support/docview.wss?uid=swg27010969#thread

best regards,
Jane Marcus, IBM
Mar 12, 2014, 9:52 AM
11 Posts
Thanks

Thank you, it was a configuration issue.  We noted finally that the URLs in the IDP configuration ARE CASE SENSITIVE after enabling debug_saml=31 and observing where it fell over.
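
Added example, not part of the original thread and not HCL or IBM code: a small Python check for the case-sensitivity problem reported in the last post. It decodes a base64 SAMLResponse form value (as captured from the browser POST to names.nsf?SAMLLogin), pulls out the SAML 2.0 Destination and Recipient URLs, and compares them byte for byte with the URL entered in the IdP configuration. The sample response, the configured URL, and the assumption that the IdP sends a SAML 2.0 response are constructed for illustration; the thread does not say which of these values Domino checks.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def posted_urls(saml_response_b64):
    """Return (field, url) pairs for the URLs the IdP placed in the response."""
    # Use only on responses captured from your own IdP while troubleshooting.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = []
    if root.get("Destination"):
        found.append(("Response/@Destination", root.get("Destination")))
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        if scd.get("Recipient"):
            found.append(("SubjectConfirmationData/@Recipient", scd.get("Recipient")))
    return found

def compare(configured_url, saml_response_b64):
    """Label each posted URL: match, case-only mismatch, or different URL."""
    results = []
    for field, url in posted_urls(saml_response_b64):
        if url == configured_url:
            verdict = "match"
        elif url.lower() == configured_url.lower():
            verdict = "case-only mismatch"
        else:
            verdict = "different URL"
        results.append((field, url, verdict))
    return results

# Constructed sample response (not captured from a real IdP); the hostname is the
# placeholder used in the thread. Recipient differs from Destination only in case.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Destination="https://mydomino/names.nsf?SAMLLogin">'
    '<saml:Assertion><saml:Subject><saml:SubjectConfirmation>'
    '<saml:SubjectConfirmationData Recipient="https://mydomino/Names.nsf?SAMLLogin"/>'
    '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
CONFIGURED_URL = "https://mydomino/names.nsf?SAMLLogin"  # assumed configured value

if __name__ == "__main__":
    for field, url, verdict in compare(CONFIGURED_URL, SAMPLE_B64):
        print(f"{verdict:20} {field}: {url}")
```

A "case-only mismatch" line points at the kind of configuration difference described in the last post; the debug_saml=31 console output remains the place to confirm where Domino itself rejects the login.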

