This is part one of my series on how to use Keycloak as the SAML IdP for HCL Nomad Web for Domino. While HCL describes the use of ADFS in its online documentation, Keycloak can serve this purpose just as well. Within this series I want to describe the components and configurations that are necessary to make the two work together.
There are several aspects to this combination that need a bit of understanding and preparation.
Be aware: the whole series uses HCL Domino version 12.0.2. HCL Nomad Web Server for Domino works with HCL Domino 12.0.1 as well; if you want to go with the earlier version, please use the templates etc. that are appropriate for that release.
To make a seamless SSO implementation on HCL Nomad Web using SAML possible, we need to configure the SAML Web Login for the HCL Nomad Web Server as well as the federated login capability for the Notes Client (as Nomad is a Notes Client ported to WebAssembly, it acts like the classic Notes Client under the hood, so it needs the Notes Client SAML configuration as well).
This brings us to all sorts of dark corners of the NAB, idpcat.nsf, the ID Vault and the joys of YAML syntax clusterfucks caused by the underlying Node components, so bear with me ;-).
Let's start with an overview of what we are going to implement in the next parts:
Part 2: SAML & Nomad Web
- Prepare the IDVault (set up one if you don't have one)
- Create the idpcat.nsf on your Domino Server or prepare your existing one for the latest release.
- Create the Keycloak client definitions and export the descriptor.xml from the Keycloak realm
- Create the IdP document for HCL Nomad and import the descriptor.xml from Keycloak
- Create the nomad-config.yml file with the respective endpoints for Keycloak
- Maze-runner - tie all loose ends together on the Domino side
- Add SAML URLs to the Keycloak client
- First dry run - hussa, it works!
Part 3: Nomad SSO using Notes Federated Login
- Set up Notes Federated Login for SAML
- <more to come here, still fiddling around>
- Round trip testing
- Logout from Nomad and Keycloak Logout settings
- Now let's add an NGINX reverse proxy to the game - what needs to change?
So that's the plan. Did I miss anything? Let me know. I will start writing it down now. See ya later!
Heiko.