IBM Support

Can Domino Automatically Import Users From Active Directory Into The Domino Directory For SAML Authentication

How To


Summary

A customer hosting a Domino SAML Single Sign On enabled web application wants to automatically add new users from a remote Active Directory domain belonging to another organisation as new persons in their Domino Directory.

Objective

A customer hosting a Domino SAML Single Sign On enabled web application wants to automatically add new users from a remote Active Directory domain of another organisation to the Domino Directory as new persons, so the users can be authenticated via SAML and access the application.

The web application is available to the users of the remote company. The Active Directory administrator in that organisation simply wants to add new users to their domain, without having to give the Domino administrator the user details that are required to create person documents in the Domino Directory and add the users' names to the application's ACL.

Currently it is not possible to have a new user created in the Active Directory domain of another organisation automatically synced to your Domino Directory as a new person document. An enhancement request for this functionality has been created under https://domino.ideas.aha.io/ideas/DOMINO-I-704

Currently the administrator of the remote Active Directory domain must provide the Domino administrator with the details of any new users in order for person documents to be created in the Domino Directory for these users and their name added to the application's ACL.

Alternatively, the Domino administrator can use the Domino Web Server Log (domlog.nsf) to determine which users from the remote organisation attempted to access the SAML enabled web application and failed to authenticate because they have no person document in the Domino Directory and their name is not present in the application's ACL.

Environment

Domino 9.0.1 - 10.0.1 configured for SAML Single Sign On with the remote company's AD FS.

Directory Assistance configured between Domino and the remote Active Directory domain with Name Mapping enabled.

User Objects in the remote company's Active Directory domain created with the user's Notes Distinguished Name set in the agreed attribute.

Steps

Domino must access the remote Active Directory domain through Directory Assistance with Name Mapping enabled, as documented in the following help topic.

https://www.ibm.com/support/knowledgecenter/SSKTMJ_10.0.1/admin/conf_usingnotesdistinguishednamesinaremoteldapdirector_t.html#conf_usingnotesdistinguishednamesinaremoteldapdirector_t

The administrator of the Active Directory must create a new User Object in Active Directory with the user's Notes Distinguished Name in the agreed attribute.

If this is not set up and the Active Directory administrator does not include the user's Notes Distinguished Name in the Active Directory User Object, only the user's Active Directory email address is recorded in the Domino Web Server Log when they attempt to access the Domino SAML Single Sign On application.

The Domino administrator must set up the Domino Web Server log (domlog.nsf) as documented in the administration help. Note that logging must use the domlog.nsf database for this process; do not configure logging to text files, as the required information is not captured in text files.
https://www.ibm.com/support/knowledgecenter/SSKTMJ_10.0.1/admin/admn_thedominowebserverlogdomlognsf_c.html

When a new user created in the remote Active Directory domain attempts to access the Domino SAML Single Sign On application in their browser without a person document in the Domino Directory and an entry in the application's ACL, they receive a 401 error, and their name and the error are recorded in the log.

Please note the details below are from an internal HCL test system; the users and IP addresses are test data for demonstration purposes only.
Shown below is the domlog entry for a successful authentication by Graham Farrell, who has a person document in the Domino Directory and is in the ACL of the application, and a failed request by Harry King, who has a User Object in Active Directory with his Notes Distinguished Name but no person document in the Domino Directory and no entry in the ACL of the application.
The Domino administrator can now use this information to create a person document for Harry King in the Domino Directory and add the user's name to the application's ACL, so that the user is authenticated via SAML the next time they access the application.

[Screenshot: 401 error recorded in log]

[Screenshot: 401 error detail]
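As an added example that is not part of this technote, the following Python script reads a constructed CSV export of domlog.nsf entries and lists the users who received a 401 from the SAML application, flagging whether the logged name is a Notes Distinguished Name (enough to create the person document) or only an AD email address (the case above where Name Mapping is not set for that User Object). The export step, the column names and the sample rows are assumptions.

```python
import csv
import io
import re
from dataclasses import dataclass

# Assumption (not from the technote): a view of domlog.nsf was exported to CSV
# with these columns. The rows below are constructed test data; the O= value
# is a placeholder organisation.
SAMPLE_EXPORT = """\
User,Status,Request,Remote host
CN=Graham Farrell/O=Example,200,/apps/portal.nsf,10.0.0.11
CN=Harry King/O=Example,401,/apps/portal.nsf,10.0.0.12
jane.doe@example.test,401,/apps/portal.nsf,10.0.0.13
CN=Harry King/O=Example,401,/apps/portal.nsf?OpenDatabase,10.0.0.12
"""

# A Notes Distinguished Name in canonical form: CN=... followed by one or
# more /OU=, /O= or /C= components.
NOTES_DN = re.compile(r"^CN=[^/]+(/(OU|O|C)=[^/]+)+$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    user: str
    has_notes_dn: bool  # False: only an email address reached the log
    attempts: int


def users_without_person_document(export_csv: str) -> list[Finding]:
    """Return every distinct user that received a 401 from the SAML-protected
    application, with the number of attempts, sorted by logged name."""
    counts: dict[str, int] = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["Status"].strip() != "401":
            continue  # successful (or other) requests are not of interest
        user = row["User"].strip()
        counts[user] = counts.get(user, 0) + 1
    return sorted(
        (Finding(u, bool(NOTES_DN.match(u)), n) for u, n in counts.items()),
        key=lambda f: f.user,
    )


if __name__ == "__main__":
    for f in users_without_person_document(SAMPLE_EXPORT):
        action = "create person document + ACL entry" if f.has_notes_dn \
            else "ask AD admin to set the Notes DN attribute"
        print(f"{f.user}: {f.attempts} x 401 -> {action}")
```

Users flagged without a Notes DN cannot be provisioned from the log alone; the remote AD administrator first has to populate the agreed attribute.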


Document information

More support for: IBM Domino

Component: SAML

Software version: 9.0.1, 10.0.0, 10.0.1

Operating system(s): Linux, Windows

Reference #: 0879369

Modified date: 02 April 2019