Hello,
I am attempting to connect our Domino web services to an Identity Provider we are setting up.
I have managed to configure the Domino server to use SAML, I believe, and when I try to access the web services on Domino it does redirect me to the SAML IDP we have set up, which we can log into. On successful login to the IDP, I can see in the Domino console that we are receiving the SAML IDP assertion XML back (in its default state, that is). So on seeing this I believe the basic SAML/Domino initial hookup is correct at least.
Once you have logged into the IDP and are redirected to Domino web application I am then presented with Domino's "not authorised" page. Reading the link below, it indicated Domino uses an email address as a common attribute between domino user and IDP user rather than a "username". I think maybe the issue is I am not returning the email from the IDP to the Domino system in the XML return (at the moment the only attribute is "User-Name" as mentioned).
http://www-01.ibm.com/support/docview.wss?uid=swg21902373
As a quick test I added an IDP user with the username "bob@bob.com", created a domino user with the same entry for the username and the email address but this didn't work.
This leads me to think maybe the issue is I need to return the email address under a specific attribute name in the XML so Domino knows to use as the lookup to bridge the two accounts. However I don't know what attribute name to use.
Can anyone tell me what attribute name Domino expects the email from the IDP to be returned to them in?
If someone already has SAML/Domino working together, maybe someone would be kind enough to look at the XML Domino receives from the IDP and identify the email attribute name that way?
Of course, if I have hugely misunderstood something and we don't need to map an IDP SAML user to a Domino user, please let me know!
Hope all this makes sense!
Thanks in advance to anyone who spends the time trying to help. Looking forward to your replies!
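Added example, not part of the post above and not Domino's or any IdP's own code: a small Python script that reads a SAML 2.0 Response (raw XML or the base64 form of the HTTP-POST binding) and prints the Subject NameID with its Format, every attribute Name in the AttributeStatement, whether a Signature element is present, and which values look like an e-mail address. The point is to read the attribute names off what the IdP is actually sending rather than guess them. The two embedded responses are constructed samples (issuer, user and attribute values are made up); the script does not say which attribute name Domino expects, and it does not verify the signature.

```python
"""Inspect a SAML 2.0 Response: NameID, attribute names, e-mail-shaped values.

Added example, not from the forum post. The samples built by make_response()
are constructed for illustration; nothing here asserts what Domino expects.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def make_response(name_id, name_id_format, attrs):
    """Build a constructed SAML Response. The Signature element is a placeholder
    so the presence check below has something to find; it is not a real signature."""
    attr_xml = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % (n, v) for n, v in attrs.items()
    )
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        "<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>"
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/></ds:Signature>'
        '<saml:Subject><saml:NameID Format="%s">%s</saml:NameID></saml:Subject>'
        "<saml:AttributeStatement>%s</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], NS["ds"], name_id_format, name_id, attr_xml)


# Constructed sample 1: what the post describes, only a "User-Name" attribute.
SAMPLE_USERNAME_ONLY = make_response(
    "bob", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    {"User-Name": "bob"})
# Constructed sample 2: the same IdP sending an e-mail address as the NameID.
SAMPLE_EMAIL_NAMEID = make_response(
    "bob@bob.com", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    {"User-Name": "bob@bob.com"})


def decode_saml(payload):
    """Accept raw XML, or the base64 SAMLResponse form value of the POST binding."""
    payload = payload.strip()
    if payload.startswith("<"):
        return payload
    return base64.b64decode(payload).decode("utf-8")


def inspect_saml(payload):
    """Return issuer, NameID (+Format), attributes and a signature-presence flag."""
    root = ET.fromstring(decode_saml(payload))
    if root.tag == "{%s}Response" % NS["samlp"]:
        assertion = root.find("saml:Assertion", NS)
    elif root.tag == "{%s}Assertion" % NS["saml"]:
        assertion = root
    else:
        raise ValueError("not a SAML 2.0 Response or Assertion: %s" % root.tag)
    if assertion is None:
        raise ValueError("no plaintext Assertion found (encrypted or missing)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
        # Presence only: the signature is NOT cryptographically verified here.
        "signed": assertion.find("ds:Signature", NS) is not None,
    }


def email_candidates(info):
    """List (where, value) pairs whose value is shaped like an e-mail address."""
    hits = []
    if info["name_id"] and EMAIL_RE.match(info["name_id"]):
        hits.append(("NameID", info["name_id"]))
    for name, values in info["attributes"].items():
        hits.extend((name, v) for v in values if EMAIL_RE.match(v))
    return hits


def report(payload):
    info = inspect_saml(payload)
    lines = ["Issuer: %s" % info["issuer"],
             "Signature element present: %s" % info["signed"],
             "NameID: %r (Format=%s)" % (info["name_id"], info["name_id_format"])]
    for name, values in info["attributes"].items():
        lines.append("Attribute %s = %r" % (name, values))
    lines.append("E-mail-shaped values: %s" % (email_candidates(info) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in (SAMPLE_USERNAME_ONLY, SAMPLE_EMAIL_NAMEID):
        print(report(sample), end="\n\n")
```

To use it on a real login, paste either the SAMLResponse form value from the browser (base64) or the XML shown on the Domino console into `report()`. On sample 1 the report shows no e-mail-shaped value anywhere, which is the situation the post describes; on sample 2 it shows one in both the NameID and the attribute. The script is a diagnostic only: it reports that a Signature element exists but performs no verification, so the actual mapping and validation still belong to Domino's SAML configuration and the IdP, and which attribute or NameID Domino matches on has to come from Domino's documentation, not from this script.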