Time matters with SAML

Keeping your servers' time synced is important for server operations to run smoothly. If you use SAML it is crucial, because if a server's time drifts you will get BAD SAML REQUEST and your users can't log in. To find out if this is the problem, add DEBUG_SAML=31 to your notes.ini (set it to 0 to turn it off) and look for these entries.

SECCheckSAMLAssertion> NotBefore time check failed : Single Sign-On token has a creation time in the future. Single Sign-On servers may need to have clocks synchronized.

SECCheckAndParseSAMLResponse> Exiting : Single Sign-On token has a creation time in the future. Single Sign-On servers may need to have clocks synchronized.
SECCheckAndParseSAMLResponse failed with error: Single Sign-On token has a creation time in the future. Single Sign-On servers may need to have clocks synchronized.
Error in SAML response – Single Sign-On token has a creation time in the future. Single Sign-On servers may need to have clocks synchronized.

If you find these entries, check the clock on the server and, if you can, turn on automatic time synchronization.

For other SAML problems, check out my SAML article, Debugging SAML setups in HCL Domino.

Certificate Information tool v4

SSL certificates, SAML certificates, signing certificates: the list of different kinds of certificates is long, and you might need to check the name of a certificate, its start or end date, or perhaps its thumbprint.

I use the tool mainly to get the end dates of certificates sent to me by customers, because I hate when they expire and have to be changed without any preparation. The worst kind, which most administrators miss, are the certificates that are auto-created, e.g. in ADFS servers, Azure Enterprise apps or Okta.

With CertInfo it is super simple to check a certificate: CertInfo.exe -file <path to file> -enddate prints the end date and time on the console, and CertInfo.exe -cert <Base64 of cert> -subject gives you the subject of the cert.

In version 2 I also added -url as a parameter to get the certificate directly from the web server.

Version 3 has a new parameter called -urlfile. It takes a text file with web server addresses or IP addresses separated by newlines and returns the info for all of them.

Version 4 has a parameter to save the info in CSV format, the property -urlinfo to print the URL that was sent in to the command, and the parameter -urlfilestring, which lets you add a semicolon after the URL in the text file and prints what follows it for each line; this is useful when doing a CSV printout.
Finally, a fix is applied to prevent redirects, so the certificate is fetched from the server that was requested even if it redirects the request.

Download and test CertInfo here


XPages runtime java errors – One or more parameters are null

I will continue my write-ups on strange and sometimes unknown XPages and Java related errors that I encounter. Today I suddenly got a new error I had never seen before and started to investigate; finding the solution after some troubleshooting gives that good feeling of beating the computer beast.


The error I got was this: Argument error: One or more parameters are null.
or in Swedish: Argumentfel: En eller fler parametrar är null.

The error doesn't say anything about the problem, but the lines after it in the stack trace gave me the clue I needed.

com.sun.faces.renderkit.html_basic.HtmlResponseWriter.writeAttribute(HtmlResponseWriter.java:308)
com.ibm.xsp.renderkit.html_basic.AttrsUtil.encodeRenderedAttr(AttrsUtil.java:85)
com.ibm.xsp.renderkit.html_basic.AttrsUtil.encodeAttrs(AttrsUtil.java:129)

The first line pointed me to something generating HTML, and the second and third lines gave me the answer: AttrsUtil.java, an HTML component with an attribute that has a null pointer error. The attr property on an HTML component in HCL XPages doesn't have any null pointer protection. In this case I had an attribute pointing to a viewScope variable that was null in some cases, and that caused the problem.

My simple solution was to wrap all attribute values in this function.

function checkNull(data){
   // Return an empty string instead of null so the attribute can still be rendered
   if (data == null) return "";
   return data;
}

Check out the summary page for all errors I have compiled

The following stack trace is only posted for search engine SEO indexing

java.lang.NullPointerException: Argument error: One or more parameters are null.

SVG Images not working in older Domino releases

By default SVG images don't work in older versions of Domino like 9.0.1 and 10, perhaps even 11.
I have verified in version 12 that they work fine without problems.

First, if you can, you should upgrade to version 12; it has so many great features. If you can't do that for some reason, luckily there is an easy fix: in the Domino data directory there is a file called httpd.cnf. Open this file and add the line below, e.g. in the Images section (placement isn't important).

AddType .svg image/svg+xml # SVG format

Save the file and restart your Domino server. Remember that caching always kicks in when you are trying to check if something like this is working.


Quest for SAML to everybody continues

My article about debugging SAML on HCL Domino was updated today with 2 points:

  1. What is the SP certificate used for
  2. What can be wrong when you get a login loop

Check them out in the article.

Certificate Information tool

This is my new tool for retrieving SSL certificate information, both for local certs and for remote certs on web servers. It runs in the Windows command window so it can be used in batch scripts.

Find it here

Strange XPage, Unexpected runtime error

I'm going to start a post that I will update regularly when I get strange errors that can be hard to find a solution for. Feel free to post a comment or use the contact form to send me your strange errors with a solution or how to debug the problem.

One of the best tools for debugging is the Log File Reader found on OpenNTF; another good tool, also on OpenNTF, is the Debug Toolbar.

But now to the problems and the possible solutions.

Error while executing JavaScript action expression
Script interpreter error Interpret exception

javax.faces.FacesException: Error while executing JavaScript action expression

My script worked fine the first time I clicked a button on the form, but the second time the same code ran I got this Interpret exception error. The problem was an undeclared SSJS variable; putting a var before the variable fixed the problem.

Argument for ‘importPackage’ must be a package

You are using an SSJS package, calling a Java library, and have written the name within quotes.

i.e. importPackage("com.xpagedeveloper"), but you should write importPackage(com.xpagedeveloper)

Events like onclick and partial refresh are not working at all

Check if you have loaded any external JavaScript libraries like jQuery or Select2; the problem is probably an AMD loader colliding with Dojo. There are two different solutions I know of:

  1. Add some pre- or post-code that disables the AMD loader; check out this great XSnippet at OpenNTF
  2. Or go into the JavaScript library and remove the AMD loader

Clicks gone wild on your XPage

This is a problem I wrote about many years ago and it can be found here:
onClick event is triggered wherever I click

These are the first three weird XPages errors, but I will continue to add entries here that can help you and me, because I can't count the number of times I'm looking for a problem and find my own blog with the solution 😉 Also check out my Learning XPages page with lots of links.

XPage crash with a strange null pointer error
I have done a write-up of the error in a separate post:
NullPointerException: Argument error: One or more parameters are null

Debugging SAML setups in HCL Domino

Debug parameters

If SAML doesn't work you will probably get Bad SAML Request [/names.nsf?SAMLLogin] in the Domino server console. The first thing you need to do is add some debug parameters to Domino. The easiest way is to type them on the Domino console, but you can also add them directly to notes.ini or use the configuration document in the Name & Address Book.

set configuration DEBUG_SAML=31


When the setting has been enabled you will see a lot more information on the Domino console, and in it you will find clues to what could be wrong with your SAML setup.
Set the debug parameter to 0 to turn it off.

HCL article about debug parameters

Service provider ID

The first thing I check is what is written in the Service provider ID field against what is written on the provider side in ADFS, Okta, Azure or some other SSO provider. This information must be 100% identical, so http vs https or a trailing slash will break it.

SP Certificate

Another thing to check, if you get strange problems creating the SP certificate, is to always set yourself as full administrator before creating the certificate. Why, you might ask? Because the action runs code on the server to add the new certificate to the server ID, and without maximum rights you might run into problems when creating the certificate.

Export SP Certificate for encrypted SAML Requests

If the IdP site configuration uses encryption on the SAML requests you need to export the SP certificate and either place it in the Domino html folder on the server, or add it to a database and use the redirect URL functionality on a website configuration, or send it to the IdP administrator.

Office 365 / Azure requires HCL Domino 10 or newer

If you have a Domino server prior to version 10 and want to connect it to Azure Enterprise applications using SAML, that will not work; trust me, I have tried.
You need at least Domino 10 and the new design of the IdP database with the option AuthnRequest SAML 2.0 compatible.

Multiple SAML logins gives problems

Another interesting finding of mine when implementing SSO login for customers' applications is that one of the sides, Azure or Domino, doesn't keep track of multiple SAML logins. This shows itself as follows: when multiple logins are started, only one login response is returned. So if you have embedded multiple Domino iframes on a single web page they might break because of this, and you need to add something so that only one login request is handled at a time.

As you might have understood by now, I could keep going, given the number of SSO implementations I've done for clients, both in their environments and against our SaaS solution QNova Suite or our service eDomino.

Setting up SAML with Okta as Idp for HCL Domino

The next implementation is Okta. You might run into problems decrypting the SAML data and get one of these errors if you have enabled the extended debug above.

SECCheckAndParseSAMLResponse> VerifyResponseSignature : The encrypted data has been modified or the wrong key was used to decrypt it
SECCheckAndParseSAMLResponse> VerifyAssertionSignature : The encrypted data has been modified or the wrong key was used to decrypt it
SECCheckAndParseSAMLResponse> Signature verification check failed : Could not verify cryptographic signature
SECCheckAndParseSAMLResponse> Exiting : The encrypted data has been modified or the wrong key was used to decrypt it

So you go into the federation metadata XML file that you downloaded from Okta, check the certificate, everything looks OK, and you wonder what is wrong: aren't Domino and Okta compatible with each other? Yes, they are, but you need to be using HCL Domino 10 or above, and besides that there is a problem in the XML file. Open the XML file that Okta provided and check each line in the certificate section: you will see that the lines end with CRLF. The solution is to remove all CRLF within the X509Certificate section of the XML file, save it, and then do the setup.

Multiple certificates in the Federationmetadata.xml file

Update from the community: if the metadata XML file contains multiple certificates, Domino will use the last one. So if the file contains multiple certs, make sure that HCL Domino picks up the correct one, otherwise you will get the “The encrypted data has been modified or the wrong key was used to decrypt it” error.
Thanks for the info, Jeffrey Redding.
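As an added example (not the page's, Domino's or Okta's own code) of the two checks above, this Python script lists every X509Certificate in a downloaded federation metadata file in document order, so the last one is easy to spot, reports which ones contain line breaks inside the base64, and writes a cleaned copy. The metadata, the entity ID and the certificate blobs are constructed placeholders, not real certificates.

```python
import base64
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

def inspect_metadata(xml_text):
    """One dict per X509Certificate, in document order (the page says Domino
    takes the last one): KeyDescriptor use, whether the base64 contained line
    breaks, and the whitespace-free base64. Raises if it is not valid base64."""
    root = ET.fromstring(xml_text)
    found = []
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        for cert in kd.iter("{%s}X509Certificate" % DS):
            raw = cert.text or ""
            cleaned = re.sub(r"\s+", "", raw)
            base64.b64decode(cleaned, validate=True)
            # The XML parser already turns CRLF into LF, so test for LF only.
            found.append({"use": kd.get("use", "signing+encryption"),
                          "had_line_breaks": "\n" in raw,
                          "cert": cleaned})
    return found

def clean_metadata(xml_text):
    """Return the metadata with all whitespace stripped out of every X509Certificate."""
    root = ET.fromstring(xml_text)
    for cert in root.iter("{%s}X509Certificate" % DS):
        cert.text = re.sub(r"\s+", "", cert.text or "")
    return ET.tostring(root, encoding="unicode")

# Constructed placeholders standing in for DER certificates (not real X.509).
OLD_CERT = base64.b64encode(b"placeholder: previous signing cert").decode()
NEW_CERT = base64.b64encode(b"placeholder: current signing cert").decode()
# Okta-style layout: the base64 wrapped into short lines that end with CRLF.
NEW_CERT_CRLF = "\r\n".join(NEW_CERT[i:i + 16] for i in range(0, len(NEW_CERT), 16)) + "\r\n"

METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="http://idp.example.test/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
{NEW_CERT_CRLF}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for i, c in enumerate(inspect_metadata(METADATA), 1):
        print(i, c["use"], "line breaks" if c["had_line_breaks"] else "clean", c["cert"][:20] + "...")
    print(clean_metadata(METADATA))
```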

Getting a login loop when a user login

If you get a login loop when a user is trying to log in, there is possibly a domain issue with your LTPA token cookie, or you or your IdP is ending up on the wrong protocol (http/https), which restricts cookies.

These are some of my SSO SAML findings connected to HCL Domino; comment below if you have found some quirky thing when doing setups.

Time sync problems will give you a BAD SAML REQUEST

Time sync is very important for SAML login requests to run smoothly; without an accurate time they will fail and give error messages like the ones below.
SECCheckAndParseSAMLResponse> Exiting : Single Sign-On token has a creation time in the future. Single Sign-On servers may need to have clocks synchronized.
SECCheckAndParseSAMLResponse failed with error: Single Sign-On token has a creation time in the future. Single Sign-On servers may need to have clocks synchronized.
Error in SAML response – Single Sign-On token has a creation time in the future. Single Sign-On servers may need to have clocks synchronized.
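As an added example (not Domino's code) of the check behind the messages above, and of the clock drift described in the Time matters with SAML post: the time-window test a service provider applies to an assertion's Conditions, run with the receiving server's clock set behind the IdP's. The assertion is constructed, and the skew tolerance is a parameter of this example; Domino's own tolerance is not stated on the page.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime values ending in Z; fractional seconds are dropped."""
    value = re.sub(r"\.\d+Z$", "Z", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion_window(assertion_xml, now, skew):
    """Return 'ok', 'future' (NotBefore is ahead of our clock, which Domino reports
    as a creation time in the future) or 'expired'. `skew` is the tolerance this
    example allows on both edges; Domino's own tolerance is an assumption here."""
    cond = ET.fromstring(assertion_xml).find("{%s}Conditions" % SAML)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return "future"
    if now - skew >= not_on_or_after:
        return "expired"
    return "ok"

# Constructed assertion: issued by the IdP at 10:00:00Z, valid for five minutes.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0"
    IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z"/>
</saml:Assertion>"""

def drift_report(seconds_behind, skew_seconds=0):
    """Validate ASSERTION one second after issue on a server whose clock is
    `seconds_behind` the IdP's (a negative value means the server is ahead)."""
    idp_now = datetime(2024, 1, 15, 10, 0, 1, tzinfo=timezone.utc)
    our_now = idp_now - timedelta(seconds=seconds_behind)
    return check_assertion_window(ASSERTION, our_now, timedelta(seconds=skew_seconds))

if __name__ == "__main__":
    print("clock in sync:                 ", drift_report(0))          # ok
    print("clock 2 min behind, no skew:   ", drift_report(120))        # future
    print("clock 2 min behind, 3 min skew:", drift_report(120, 180))   # ok
    print("clock 10 min ahead:            ", drift_report(-600))       # expired
```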

Create a random letter in Excel

I know that this is quite simple in LotusScript, but some days ago I needed to create some kind of random string for an Excel import, and I thought let's share this: someone else might need it too, or I might need it in the future, and then I have it stored in my secondary archive, my blog 😉


This will create a random character. If you need an 8 letter string, copy and paste the formula eight times with an ampersand & between them. I use this for simple password creation and import keys.

Another of my Excel functions that I use a lot is XLOOKUP to get values from other sheets; great when you have data from multiple sources. Check out how to use it here.

Hope this will help you, if you have some great Excel formulas post them in the comments.

Disable the first run of LotusScript and Java agents after save

If you have ever created Notes/Domino agents you may have seen that every time you save them a first run is scheduled outside the ordinary schedule. This can easily be avoided: just add this code to the top of your agent.

Dim s As New NotesSession
Dim a As NotesAgent
Set a = s.CurrentAgent
' Exit on the first run after the agent was saved
If a.HasRunSinceModified = False Then Exit Sub

This makes the agent skip its first run, an easy way to stop the LotusScript agent from running at odd hours and perhaps sending extra emails that confuse your users. You can of course implement the same functionality in a Java agent.

If you want to run the same code inside a Java agent, the code looks like this:

// Inside NotesMain() of a class extending lotus.domino.AgentBase
try {
    Session session = getSession();
    AgentContext agentContext = session.getAgentContext();
    Agent agent = agentContext.getCurrentAgent();
    // Skip the automatic run Domino schedules right after the agent is saved
    if (!agent.hasRunSinceModified()) {
        System.out.println("Not run before");
        return;
    }
    System.out.println("Has run");

    // (Your code goes here)

} catch(Exception e) {
    e.printStackTrace();
}