This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Jun 2, 2014, 3:08 PM
8 Posts

SAML + Notes client problem

  • Category: Security
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags: SAML notes client federated login
  • Replies: 4

I have two customers experiencing the exact same issue with implementing SAML/NFL on the workstation. I have a PMR open on this too but I'm wondering if anyone else is seeing this.

SAML is working great on the web in IE and Firefox.

On the Notes client when the user logs in they get the prompt that their ID is going to be downloaded for SAML so clearly the policy is working. Then they get the second prompt to say it was successful. Once they get that prompt, if they then look at their security settings on the client it appears to be perfect. It says that they are set up for single sign on using SAML.

The problem comes up when they shut down and restart the client. When the client restarts it appears to be looking for an ID file that doesn't exist. Something like XY7532K4.id.

That file is nowhere to be found as one would expect. If the user finds their original ID file, selects it and enters the password they get into Notes and within a minute or so they are prompted again that SAML is being set up on their workstation. If they restart they have the same experience.

I'm pretty confident in my configuration since I have this working successfully in other environments.

Rob

Jun 3, 2014, 3:06 PM
1 Posts
Would you please double check the Notes certificate in the security settings?
Hello,

Thanks for reporting the issue. We would still like to suggest that you double check your security settings and make sure all the Notes certifiers are included. If your organization has multiple levels of certifiers, make sure you have included all of them. We suggest this because we have met such a scenario before and the behavior sounds the same. Another thing to check is the network, since SAML authentication requires the network to carry on. But usually you should see an error message before the Notes login dialog shows up. Please do take a look and let us know the result.

Thanks,
Kai Song

Jun 4, 2014, 5:48 PM
8 Posts
Wow! Fixed at one of the environments!

At one of the two shops that was experiencing this issue that was the issue! We had all of the X-Certs and Internet Certs on the workstation but the root of the Notes cert document was missing. Once it was replaced we were in business. I have a suspicion at the other shop but I won't be able to test it until later. The cert is definitely there but I think maybe there is something up with it.

Thanks!!!!!

Rob

Jul 21, 2015, 11:32 AM
18 Posts
I've seen this behaviour caused by an NFL-incompatible version of Panagenda MarvelClient
Check Panagenda support to get an MC version that supports NFL,
or check any other 3rd party tool by disabling it temporarily.

Dec 29, 2015, 8:09 AM
1 Posts
SAML working for most...but not all users

Hi Rob

Wondered if you'd got an update to this problem... I'm experiencing exactly the same thing. Most of our users have been able to log in using SAML authentication since upgrading to Notes 9. But a few (consistently) can't. They log in, get the prompt that the ID file is being downloaded, etc., and then next time they log in, they have to select their ID file.

What's particularly odd is that we are running Citrix installs of Notes, and in theory every user should be running in the same environment. Why it's working for some but not others is a mystery at the moment. Tried re-creating a user, same result for that user. We have the root certifier in our policy as well as the cross-certified ADFS cert. It must be correct because, like I say, most users are functioning correctly. If you could update with anything else you found I'd be very grateful. Thanks.

