SAML and encrypted mail in iNotes

We have a working Web Federated login using MS ADFS 2.0 and Domino 9.01.

SSO authentication is working fine except for encrypted mail in iNotes, where the user needs to enter the password for the Notes ID.

The Domino server console shows a message like:

GetSAMLNotesID(): username=CN=User/O=Notes NOT SAMLAuthenticationEnabled.

What should be configured to enable this?

Subject: Missing the ID vault partnership document

Thank you very much for your answer Jane Marcus.

I have only one partnership document in the IdP database, the one for the MS ADFS server, so one is missing.

The ID vault is located on the same Domino server the IdP configuration is located on, and this server is also the iNotes server.
I have searched the 9.01 Admin Help but could not find a good example to configure the IdP for the ID vault.
The authentication with the MS ADFS 2.0 server works (with some problems).
The ID vault document is changed to allow both Client and HTTP authentication.
The policy security setting is changed to allow SAML authentication.

Can you please point me to the correct documentation to set up this partnership document for the ID vault?

Subject: Fail

Did a fresh setup for MS ADFS 2.0 and Domino 9.01 using the 9.01 documentation found here.

Same results. Logon works only the second time when the request is found in cache.

The Notes ID password prompt keeps appearing, and on the server console the message "user NOT SAMLAuthenticationEnabled" is displayed.

The console shows the user is authenticated, name mapping is correct, ID vault is also found.

Subject: SAML openmic resource

Here's an additional SAML resource you can review:
http://www-01.ibm.com/support/docview.wss?uid=swg27041552

Make sure you have a URL for your vault,
a vault.hostname.com entry in your idpcat,
and a corresponding relying party trust for vault.hostname.com configured in your ADFS.

I think of it as: once you have the SAML login configured, you kinda need to do the steps again for your vault to get your ID vault SAML-ready, to allow the iNotes web federated login for secure mail operations in iNotes.

Subject: check the two partnerships configuration

The Web federated login feature is not correctly configured. There should not be a password prompt for the Notes ID file; this means web federated login is not working.

Most likely there is some issue with the web federated login partnerships. Please check your partnerships configuration as discussed in the 9.01 documentation. You should have 2 partnerships at the IdP and in the idpcat.nsf. The first partnership is for the iNotes server authenticating the user via SAML, and the second partnership is for the Notes ID vault that authenticates the user via SAML before downloading the user's ID file.

Hope this helps,
Jane Marcus, IBM