This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Nov 27, 2013, 9:54 AM
34 Posts

SAML and encrypted mail in iNotes

  • Category: iNotes
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator,Developer,End User
  • Tags: iNotes,SAML
  • Replies: 5

We have a working Web Federated Login using MS ADFS 2.0 and Domino 9.01.

SSO Authentication is working fine except for encrypted mail in iNotes, then the user needs to enter the password for the Notes ID.

The Domino server console shows a message like:

GetSAMLNotesID(): username=CN=User/O=Notes NOT SAMLAuthenticationEnabled.

What should be configured to enable this?

Dec 10, 2013, 12:55 AM
9 Posts
check the two partnerships configuration
Web federated login feature is not correctly configured. There should not be a password prompt for the Notes ID file... this means web federated login is not working.

Most likely there is some issue with the web federated login partnerships. Please check your partnerships configuration discussed in the 9.01 documentation. You should have 2 partnerships at the IdP and in the idpcat.nsf. The first partnership is for the iNotes server authenticating the user via SAML, and the second partnership is for the Notes ID vault that authenticates the user via SAML before downloading the user's ID file.

hope this helps,
Jane Marcus, IBM
Dec 10, 2013, 10:38 PM
34 Posts
Missing the ID vault partnership document

Thank you very much for your answer Jane Marcus.

I have only one partnership document in the IdP database, the one for the MS ADFS server, so one is missing.

The ID vault is located on the same Domino server the IdP configuration is located on, and this server is also the iNotes server.
I have searched the 9.01 Admin Help but could not find a good example to configure the IdP for the ID vault.
The authentication with the MS ADFS 2.0 server works (with some problems).
The ID vault document is changed to allow both Client and HTTP authentication.
Policy security setting is changed to allow SAML authentication.

Can you please point me to the correct documentation to set up this partnership document for the ID vault?  

Dec 18, 2013, 9:47 AM
34 Posts
Fail

Did a fresh setup for MS ADFS 2.0 and Domino 9.01 using the 9.01 documentation found here.

Same results. Logon works only the second time when the request is found in cache.

Notes ID password prompt keeps appearing; on the server console the message "user NOT SAMLAuthenticationEnabled" is displayed.

The console shows the user is authenticated, name mapping is correct, ID vault is also found.

May 28, 2014, 11:46 PM
113 Posts
SAML openmic resource
Here's an additional SAML resource you can review:
http://www-01.ibm.com/support/docview.wss?uid=swg27041552

Make sure you have a URL for your vault:

a vault.hostname.com entry in your idpcat
and a corresponding relying party trust for vault.hostname.com configured in your ADFS.

I think of it as: once you have the SAML login configured, you kind of need to do the steps again for your vault to get your ID vault SAML-ready to allow the iNotes web federated login for secure mail operations in iNotes.
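As an added check to go with the advice above (an example written for this page, not from the thread, IBM or HCL): a short PowerShell snippet run on the AD FS server that confirms a relying party trust exists for both the iNotes server and the ID vault. The two identifier URLs are placeholder assumptions; replace them with the service provider identifiers your two idpcat partnerships actually use.

```powershell
# Added example, not from the thread: verify AD FS has a relying party trust
# for BOTH the iNotes server and the ID vault partnership.
# The identifiers below are assumed placeholders; use your own values.

# AD FS 2.0 exposes its cmdlets through a snap-in; on newer AD FS versions the
# module loads automatically, so only register the snap-in when needed.
if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$expectedIdentifiers = @(
    'https://mail.example.com/',    # placeholder: iNotes server partnership
    'https://vault.example.com/'    # placeholder: ID vault partnership
)

$trusts = Get-AdfsRelyingPartyTrust

foreach ($id in $expectedIdentifiers) {
    # A trust may carry several identifiers; match on exact string.
    $match = $trusts | Where-Object { $_.Identifier -contains $id }
    if ($match) {
        Write-Output ("OK      {0} -> trust '{1}' (enabled: {2})" -f $id, $match.Name, $match.Enabled)
    } else {
        Write-Output ("MISSING {0} -- no relying party trust carries this identifier" -f $id)
    }
}
```

The comparison is an exact string match on purpose: a trailing slash or scheme difference between the identifier in AD FS and the one the Domino partnership sends is enough for the vault lookup to fall back to the Notes ID password prompt described in this thread, so a MISSING line for the vault identifier is the first thing to chase.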
