Domino/Notes Version: 14.5.1
Add-on Product (if appropriate, e.g. Verse / Traveler / Nomad / Domino REST API):
Its Version: Verse
Operating System: Linux
Client (Notes, Nomad Web, Nomad Mobile, Android/iOS, browser version): Browser
Problem/Query:
I currently use Domino webmail (Verse) with classic Name & Password authentication behind Nginx as a reverse-proxy. Nginx handles the HTTPS termination, and forwards traffic to the back-end Domino server over HTTP. This works fine.
However, I also use Keycloak as an SSO provider, and I would like to use that for authentication using OIDC. This is where the rabbit hole started…
I read this presentation: https://hclsoftwareu.hcltechsw.com/images/Lc4sMQCcN5uxXmL13gSlsxClNTU3Mjc3NTc4MTc2/events/images/Webinar_Uploads/Domino_OIDC_SSO/Configuring_OIDC-based_SSO_for_web_users_and_troubleshooting_10_Apr_2025_v1.pdf.
It mentions Domino supports 2 OIDC methods for authentication: Web login and bearer token. Since this is just webmail, I think web login is what I need.
However, a little bit further in that presentation, it says “bearer token” should be enabled in the Internet Site document, even when using the Web Login flow.
Here a problem shows up: this option is not available for the regular HTTP (TCP) authentication, since Nginx does the HTTPS termination and forwards traffic to the HTTP port of Domino (not the HTTPS port).
I wonder if there are any people here who run a similar setup, and how they tackled this. I’d rather not have HTTPS on the Domino server itself (Domino has a history of making HTTPS more difficult than it has to be due to its KYR format for storing keys, instead of using PEM, which 99.9% of the industry uses).
I’m open to using SAML as well if that makes it easier (and I can avoid setting up HTTPS on Domino).
But like I said, I would like some feedback from someone who has real-life experience with this…
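For readers who want to see the reverse-proxy arrangement the question describes written out, here is an added example Nginx configuration (not posted by the original author, and not taken from the HCL presentation) that terminates TLS and forwards to Domino over plain HTTP. The hostname, certificate paths and the Domino back-end address are assumptions; the forwarded headers are standard proxy practice, and the comments state what the question does and does not establish about how Domino treats them.

```nginx
# Added example, not from the original post: Nginx terminates HTTPS and
# proxies to Domino's HTTP listener. mail.example.com, the certificate paths
# and 10.0.0.10 are assumed values.

server {
    listen 80;
    server_name mail.example.com;
    # Never serve the webmail itself over plain HTTP on the public side.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mail.example.com;

    ssl_certificate     /etc/nginx/tls/mail.example.com.fullchain.pem;  # assumed path
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key.pem;        # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Domino only ever sees HTTP on this hop (the situation the question
        # describes). Keep that listener reachable from the proxy only, e.g. by
        # firewall or by binding it to an internal address.
        proxy_pass         http://10.0.0.10:80;   # assumed Domino HTTP listener

        # Preserve the public host name and the client's real protocol/address.
        # Whether Domino consults X-Forwarded-Proto when deciding that a session
        # arrived over HTTPS is not settled by the question; check the server
        # documentation rather than assuming it.
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-Host  $host;

        proxy_http_version 1.1;
        proxy_read_timeout 300s;   # Verse keeps long-lived requests open
    }
}
```

One point that holds for any OIDC relying party behind a TLS-terminating proxy, independent of the Domino-specific question above: the redirect URI registered at the identity provider (here Keycloak) must be the public `https://` URL the browser is sent to, not the internal `http://` address the proxy talks to, so the application has to be made aware of the external scheme and host one way or another.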