HCL Domino SSO with AzureAD
14 dec
Proving that Domino can integrate with several other technologies is something we do on a regular basis, to show customers that Domino is an open platform.
For authentication, we have already done several SSO configurations between the Domino Directory and MS Active Directory using ADFS and SAML authentication.
We now have a question from a customer that is using O365 heavily. They have Domino running with some applications that are integrated in Sharepoint, and they use the HCAA Notes client for certain users that need to open the Domino databases in a client. Two years ago we set up an ADFS infrastructure with an ADFS Proxy for external access and configured SSO between Domino and Active Directory for web access and HCAA access, so that users can log in to the applications with their Microsoft credentials.
The customer has a synchronization set up between Active Directory and Azure Active Directory and wants to migrate the Domino SSO from on-prem ADFS to Azure AD.
In the beginning, Domino supported only a certain set of Identity Providers, although we managed to set up SSO between Domino and other non-supported IDPs successfully.
Now Domino officially supports Azure Active Directory as an Identity Provider (IDP), so I thought we have no excuse not to set up what the customer wants. Before setting this up at the customer, I set up a test environment at GroupWave with an SSL protected site, and of course I'm sharing the technical details with whoever is interested, because that's just what HCL Ambassadors do.
Azure Active Directory (AAD) settings
To be able to manage AAD you need to go to the Azure Active Directory Admin center, https://aad.portal.azure.com.
Click on Enterprise applications and then on New Application to be able to register the Domino website as an application.
Create your own application
Fill in a name of your choice, select the option to register the application to integrate with AAD, and click the Create button.
Once the application is created, you will be directed to the configuration page of the application.
Click on Set up single sign on and choose SAML authentication.
You will have to fill in the URL of the application that you want to link; this is the URL of your Domino internet site. For the attributes you can go with the defaults, but make sure that user.mail is in there, so that the internet mail address is used as the unique identifier between the two directories.
Download the federation Metadata XML file
Assign a test user or a group to your application so that they can authenticate
Go to your Domino Administrator client and create an IdP Catalog database on your server. Make sure you give it the name idpcat.nsf, and select Show Advanced templates to be able to see the IdP Catalog template in the list.
In the IdP Catalog database, click on Add IdP Config and fill in the following fields:
In the Hostname field, fill in the name of the internet site and the IP address that you use.
In the Service Provider ID field, fill in the URL of the site. In the IdP name field you may fill in a name as a reference for yourself; this field is just a comment.
Click on the button Import XML file and browse to the XML file you downloaded from your Enterprise Application.
This import will fill in the Single sign-on service URL Field and the fields on the Advanced tab of the configuration document.
Save the document with Ctrl-S to be able to go to the next step. On the Certificate Management tab, click on the button Create SP Certificate.
You will be asked to fill in a Company name, you may fill in whatever you want
Double-click in the IdP Configuration document and fill in the Domino URL, in this case HTTPS://calendar.groupwave.be
Click on the button Export SP XML and you will see the ServiceProvider.xml file getting attached to the document. Save and Close the document and go to your internet sites view to change the affected site.
In your internet site document, go to the tab Domino Web Engine and change the Session authentication type to SAML.
When you click on the button Open IdP Configuration, you will be redirected to the correct IdP Configuration document that you created.
Save and close your Internet site document and restart the HTTP task on your Domino server.
Open up your browser and surf to the URL of your application, in this case https://calendar.groupwave.be. You will see that you get redirected to Office 365, and if you were already logged in, then you will be redirected back to Domino.