Hello,
I installed a Domino AppDev Pack architecture and configured IAM so that users are redirected to the IAM service to authenticate when they access the NodeJS application. The reference directory is the Domino directory.
It was complicated but I finally succeeded and everything is working perfectly.
I also noticed that the applications declared in IAM share the same SSO so that they can switch from one to the other without having to authenticate again.
But I have not found anything that allows SSO between IAM and Domino authentication (LTPA token). Example: a person authenticates via web access on Domino to access his mailbox, then browses to a NodeJS application declared in IAM (same domain). Is there any way to prevent him from re-authenticating in IAM?
Thank you very much for your help!
Have you configured the same IAM server for authentication with the Domino web server?
If yes, it will share authentication.
Thank you Mathias for your reply.
It is not IAM that authenticates access to the Domino web server, but a classic web SSO configuration.
Does this mean that this must be changed so that IAM authenticates access to the Domino web server?
How should IAM know that you are still authenticated internally at Domino? The LTPA token is normally not shared with IAM.
If you configure the same IAM on both sides, then the Domino web server will also redirect to IAM; if it is the first call, it does the authentication, and if it is a following call, it will use the existing authentication.
IAM provides OIDC as an authentication service. This service is a form of SSO.
IAM does not support LTPA tokens.
We have items in our AHA list that request the integration of IAM with SAML or another OIDC provider like Azure. In this case, if both IAM and Domino were configured with a common IDP, they would share an SSO environment.
Domino does not currently support OIDC as an authentication mechanism. I do not know if there is an AHA item for this off of the top of my head, but in either case if you were to create one or vote it up it would help us make better decisions for what our userbase wants to see as future features.
I understand, thank you very much. But changing the existing Domino web authentication mechanisms in a complex production environment to integrate a NodeJS application ... a very delicate choice ...
I agree and would like to see this improved in the future.
There is a way to do this - please drop me an email at heiko.voigt at harbour-light.com