AzureAD SSO with IBM Domino

Microsoft and IBM technology won't mix. Right?

I recently had a client who wanted to use Azure Active Directory for Single Sign On with an IBM Domino web application (which was hosted elsewhere) - and after some initial confusion it works like a charm!

Let me quickly walk you through the concept - and then get down to the nitty gritty details of configuring it for those of you who are in the same bind.

IBM Domino and Active Directory... Normally, we'd use ADFS to link those two. But in this case there WAS no on-premises Active Directory to talk to. All identities had been migrated to Office 365 (and therefore AzureAD). What to do? Basically the same as before: use SAML, and simply replace ADFS with AzureAD as the identity provider.

Or at least, that's the idea. While this DOES work, the word "simply" is doing a lot of work here: it took quite some figuring out. To save you this trouble, here are our (high level) findings:

  • The "Sign On URL (optional)" field in AzureAD should be left empty
  • The "Reply URL" (also called "Assertion Consumer Service", or ACS) has to be https://<domainname>/names.nsf?SAMLLogin (not the path of your application, but "names.nsf" followed by "?SAMLLogin")
  • When importing the FederationMetadata.xml into IBM Domino, the "encryption certificate" stays empty. This is not an error.
  • The script importing the XML file replaces the last part of the "Single Sign On URL" with "IdpInitiatedSignOn.aspx". This needs to be undone manually so that it reads "/saml2" again
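To make these findings checkable rather than a list to remember, here is a small audit script (an added example, not part of the original post or of any IBM or Microsoft tooling). It parses a constructed stand-in for FederationMetadata.xml, compares it with the values that end up in Domino's IdP configuration, and reports each finding above that is violated. The dictionary keys, host names and the tenant id are assumptions chosen for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed stand-in for Azure AD's FederationMetadata.xml (placeholder tenant id).
# Azure AD publishes a signing key only, so there is no use="encryption" KeyDescriptor.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed values as they might look in Domino's IdP configuration after the
# import script ran: the rewritten SSO URL is exactly the mistake to catch.
SAMPLE_DOMINO_CONFIG = {
    "sso_url": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/IdpInitiatedSignOn.aspx",
    "reply_url": "https://domino.example.com/myapp.nsf",
    "sign_on_url": "https://domino.example.com/myapp.nsf",
    "encryption_cert": "",
}

def metadata_sso_urls(xml_text):
    """SingleSignOnService Location values published by the IdP."""
    root = ET.fromstring(xml_text)
    return [e.get("Location", "") for e in root.iter(MD + "SingleSignOnService")]

def metadata_has_encryption_key(xml_text):
    root = ET.fromstring(xml_text)
    return any(k.get("use") == "encryption" for k in root.iter(MD + "KeyDescriptor"))

def reply_url_ok(url):
    """Finding 2: the ACS must be https://<host>/names.nsf?SAMLLogin."""
    p = urlparse(url)
    return p.scheme == "https" and p.path.lower() == "/names.nsf" and p.query == "SAMLLogin"

def audit(xml_text, cfg):
    """Return the findings from the list above that the configuration violates."""
    problems = []
    if cfg["sso_url"] not in metadata_sso_urls(xml_text) or not cfg["sso_url"].endswith("/saml2"):
        problems.append("sso_url: must match the metadata and end in /saml2: " + cfg["sso_url"])
    if not reply_url_ok(cfg["reply_url"]):
        problems.append("reply_url: must be https://<host>/names.nsf?SAMLLogin")
    if cfg["sign_on_url"]:
        problems.append("sign_on_url: leave this field empty")
    if cfg["encryption_cert"] and not metadata_has_encryption_key(xml_text):
        problems.append("encryption_cert: metadata publishes no encryption key, expected empty")
    return problems
```

Running `audit(SAMPLE_METADATA, SAMPLE_DOMINO_CONFIG)` on the constructed values reports the rewritten SSO URL, the wrong Reply URL and the filled-in Sign On URL, while the empty encryption certificate is correctly accepted.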

Okay, ready for giving this a roll? Then read on!
