This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


May 28, 2015, 1:15 PM
5 Posts

SAML and Admin Users

  • Category: Domino Server
  • Platform: Linux
  • Release: 9.0.1
  • Role: Administrator
  • Tags: SAML
  • Replies: 3

Having set up a Domino HTTP server for SAML authentication through Active Directory, is there a clever trick for allowing Administrators to bypass the ADFS login, e.g. with a local login page on the Domino server or via another Domino server to fetch the session, or do Administrators need to be added to Active Directory using an account with a matching email address?

As far as I can work out, any web page needing authenticated access throws you at your IDP server, so I am starting to think the Admin IDs need to be in Active Directory, but for security reasons that doesn't feel right.

Any info, thoughts or suggestions welcome!

May 28, 2015, 2:14 PM
191 Posts
Re: SAML and Admin Users
Gary,

The only thing that comes to mind is to have an isolated server with replicas of the same applications and then have that server not configured for SAML authentication. Having said that, why would you not want the admins to be in Active Directory?
Jun 1, 2015, 3:16 PM
5 Posts
Re: SAML and Admin Users

All the end users are web only.  The Admins and Developers have separate Notes IDs just for Admin/Dev stuff, but they also need to log in with these over http to resolve user issues.  Active Directory is managed by a different section and a large Helpdesk team have access to change user passwords etc.  Since the Admin/Dev accounts have Manager access to everything, for security we would like to separate them out.

I had already floated the idea of a separated Admin server, but management in the development team said no!  Apparently they *need* to access each server.  Don't ask me to explain developers.

I was sort of expecting there to be a 'local login' URL to optionally bypass ADFS but apparently not.  My other thought was whether the LTPA Token document could be copied to another server so you could have a login server then switch.

Jun 5, 2015, 12:09 PM
4 Posts
Re: SAML and Admin Users
Hi

What you can do is to have a "Login Server" and use Web Server Single Sign-on (LTPA Token) to access the other servers under the same DNS domain.

http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_creatingawebssoconfigurationdocument_t.dita

Just add the new login server to the participating servers.

It is like accessing https://login.server.com for login and then just switching to your desired participating server, https://other.server.com
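The answer above hinges on the LTPA session cookie being scoped so that every participating server under the shared DNS domain receives it. The following is an added example, not code from the thread or from Domino: it parses a constructed Set-Cookie header (placeholder token value, hypothetical hostnames) and reports which hosts would be sent the cookie under RFC 6265 domain matching, and whether the cookie carries the Secure and HttpOnly flags a session token should have.

```python
from http.cookies import SimpleCookie

# Constructed sample response header, as a login server might send it after a
# successful SAML login. The token value is a placeholder, not a real LtpaToken.
SAMPLE_SET_COOKIE = (
    "LtpaToken=PLACEHOLDER_TOKEN_VALUE; Domain=.server.com; Path=/; Secure; HttpOnly"
)


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: the cookie is sent to `host` if the host equals the
    cookie's Domain attribute or is a subdomain of it (a leading dot is ignored)."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def check_sso_cookie(set_cookie_header, participating_hosts):
    """Parse a Set-Cookie header and report whether the LtpaToken cookie would be
    presented to each participating server, plus its Secure/HttpOnly flags."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get("LtpaToken")
    if morsel is None:
        raise ValueError("no LtpaToken cookie in header")
    domain = morsel["domain"]
    return {
        "domain": domain,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "reachable": {h: domain_matches(h, domain) for h in participating_hosts},
    }


if __name__ == "__main__":
    # Hypothetical hostnames: the login server, a participating server, and one
    # outside the SSO DNS domain that must not receive the token.
    report = check_sso_cookie(
        SAMPLE_SET_COOKIE,
        ["login.server.com", "other.server.com", "other.example.org"],
    )
    for host, ok in report["reachable"].items():
        print(f"{host}: {'receives token' if ok else 'NOT in SSO domain'}")
    if not (report["secure"] and report["httponly"]):
        print("warning: token cookie lacks Secure/HttpOnly")
```

A server whose hostname is reported as "NOT in SSO domain" will never see the token and will bounce the admin back to the IdP, which is the symptom to check first when the switch to a participating server fails.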
