Before you begin
For this task, use the security policy that you deployed in an earlier task of this sequence for users of your ID vault.
Before you can apply the policy to support federated login, you also need to export a copy of the Internet SSL certificate from your federation (ADFS or TFIM 2.0), import that certifier into your Domino Directory, and cross-certify. For the procedure, see the related topic on creating an Internet cross-certificate.
In any security policies that are applied to Notes users whom you plan to include in Notes federated login, disable synchronizing the Notes client password with the Internet password.
Procedure
1. In the Domino Directory, open the existing Security Settings policy for users of your organization’s ID vault.
2. On the ID Vault tab, make sure there is an assigned vault.
3. Select the Password Management -> Federated Login tab.
4. Select Yes for Enable Notes federated login with SAML IdP.
5. For client users who have upgraded to 9.0.1 Social Edition, when the policy is initially being deployed, under Additional settings for Federated Login (Notes or Web), select Yes for Allow password authentication with the ID vault.
7. Select the Keys and Certificates tab.
8. To add the Notes certifier to the policy, click Update Links.
9. Choose Selected supported and click OK.
10. Click the Notes Certifiers tab, select the certificate, and click OK.
11. Click the Internet Cross Certificates tab, select the SSL certificate exported from either ADFS or TFIM 2.0, and click OK.
12. Optional: Enter a formula under Machine specific formula to apply the policy to specific computers for clients who have multiple computers.
13. Save and close the security policy.
Results
For any Notes user to whom the policy applies, the settings for Notes federated login will be activated on the user's next login.
Parent topic: Supporting federated login on the Notes client
Previous topic: Configuring the ID vault for Notes federated login
Next topic: Using Notes federated login in combination with Notes Shared Login to support offline users (Windows only)
Related tasks
Creating and configuring an ID vault
Creating a security policy settings document
Creating an Internet cross-certificate in the Domino Directory from a certifier document