Debugging SAML setups in HCL Domino

If SAML doesn’t work you will probably get Bad SAML Request [/names.nsf?SAMLLogin] in the Domino server console. The first thing you need to do is to add some debug parameters to Domino, the easiest way is to write them on the domino console but you can add the directly into notes.ini or using the configuration document in the Name & adressbook.

set configuration DEBUG_SAML=31


When settings have been enabled you will see a lot more information on the domino console and with in this you will find clues what could be wrong with you SAML setup.

The first thing I check is what is written in the Service provider ID field against what is written on the provider side in ADFS, Okta, Azure or some other SSO provider. This information must be 100% the same so http vs https will brake it or a trailing slash.

Another thing to check if you get strange problems with creating the SP certificate, is to always set your self as full administrator before creating the certificate. Why you might ask, well this is because the action will run code on the server to add the new certificate into the server id and without maximum rights you might run into problems when creating the certificate.

Connecting to Office 365 / Azure, If you have a Domino server prior to version 10 and want to connect this to Azure Enterprise applications using SAML that will not work, trust me I have tried.
You need at least Domino 10 and the new design of the IDP database with the option AuthnRequest SAML 2.0 compatible.

Another interesting findings of mine when implementing SSO Login for customers applications was that one of the sides in Azure or Domino doesn’t keep track of multiple SAML Logins, this show it self as when multiple logins is started only one login response will be returned. I.e if you have embedded multiple Domino iframes on a single webpage they might break due to this, you need to add some thing so only one login request is handled at one time.

As you might understood by now, I can keep going with this due to the amount implementations of SSO I’ve done for clients both in their environment and against our Saas solution QNova Suite or our service eDomino.

Next Implementation is Okta you might run into problems decrypting the SAML data and get one of these errors if you have enabled the extended debug above.

SECCheckAndParseSAMLResponse> VerifyResponseSignature : The encrypted data has been modified or the wrong key was used to decrypt it
SECCheckAndParseSAMLResponse> VerifyAssertionSignature : The encrypted data has been modified or the wrong key was used to decrypt it
SECCheckAndParseSAMLResponse> Signature verification check failed : Could not verify cryptographic signature
SECCheckAndParseSAMLResponse> Exiting : The encrypted data has been modified or the wrong key was used to decrypt it

And you go in to the federation metadata xml file that you have downloaded from Okta. and check the certificate and everything looks ok and you wounder what is wrong isn’t Domino and Okta compatible with each other. Yes, they are well you need to be using HCL Domino 10 and above besides that there is a problem in the xml file, so open up the xml file that Okta has provided check each line in the certificate section and you will see that it’s ended with CRLF so the solution is to remove all CRLF with in the X509Certificate section of the XML file and save it and after that do the setup.

Update from the community, if the metadata xml file contains multiple certificates Domino will use the last one so if the file contains multiple certs make sure that Domino picks up the correct one otherwise you will get “The encrypted data has been modified or the wrong key was used to decrypt it” error.
Thanks for the info Jeffrey Redding

This is some of my SSO SAML findings connected to Domino comment below if you have found some quirky thing when you have done setups.

  1. John Detterline

    Thanks for the info! In at least one case I have set those debug params on a server and they remain “on” even if they are removed from the ini settings and the server is restarted. Another thing I noticed is that if you have an IDP config doc for your server, when the server restarts it will find this doc and automatically switch to SAML auth mode, even if your server doc is set to use another method. Highly annoying to say the least.

    • Fredrik Norling

      Thanks for commenting, yes SAML config tends to take over the server.
      I usually set the Debug params to zero before removing them to disable them.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.