SAML Login redirections problem in Domino 12

Before we dive into the problem, let’s briefly understand the SAML authentication process within HCL Domino:

  1. User requests access: A user attempts to access a resource (e.g., a web application) protected by SAML authentication.
  2. Identity Provider (IdP) initiation: The user is redirected to an Identity Provider (IdP) for authentication. The IdP can be an external service or a SAML-enabled component within Domino itself.
  3. Authentication: The user logs in at the IdP. Upon successful authentication, the IdP generates a SAML assertion, a digitally signed XML document containing authentication information.
  4. SAML assertion delivery: The SAML assertion is sent back to the Domino server.
  5. Domino server validation: Domino verifies the SAML assertion’s authenticity and extracts user identity information.
  6. User redirection: If the SAML authentication is successful, Domino redirects the user to the requested resource.

The Samesite Cookie Issue

The problem arises at step 6 in the SAML authentication process. Users are not being redirected as expected, and this issue is attributed to a relatively new feature in web browsers called “Samesite.”

Instead, the user ends up at the first login page specified, which gives users a hard time: they have to navigate back to where they were, and links in emails do not work.

What is Samesite?

Samesite is a cookie attribute introduced to enhance web security and user privacy. It specifies how cookies should behave in cross-origin requests. It can have three possible values: “Strict,” “Lax,” or “None.”

  • “Strict”: Cookies are not sent in cross-origin requests, even on top-level navigations. This is the most restrictive setting.
  • “Lax”: Cookies are sent in top-level navigations, e.g., when following links, but not in cross-origin requests triggered by scripts.
  • “None”: Cookies are sent in all requests, regardless of origin.

The Impact on SAML Authentication

The “Strict” value of the Samesite attribute causes the issue during SAML authentication within Domino 12. The Samesite option for cookies in Domino is a new feature not found in older versions. When Domino sets cookies, such as the session cookie that maintains user authentication state, to “SameSite=Strict,” these cookies may not be sent in the cross-origin request initiated after successful authentication.

This causes Domino to ignore the redirect request. A fellow community member, Renato Casati, gave me the solution on Twitter: add a new notes.ini parameter that makes Domino set the cookie to Lax mode instead.
DOMINO_RELAY_COOKIE_SAMESITE=0
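To make the cookie behaviour from the Samesite section and the round trip in steps 1 to 6 concrete, here is a small model of the browser-side decision, written as an added illustration for this post. It is not HCL Domino code; the cookie name DominoRelay and the helper names are constructed placeholders. It encodes the three attribute values as described above and then replays the SAML flow with the cookie that remembers the originally requested URL set to each value, showing why “Strict” leaves the user on the default login landing page.

```python
"""Model of a browser's SameSite decision, applied to the Domino SAML round trip.
Added illustration, not HCL Domino code; cookie and host names are constructed."""
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD"}


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str        # "Strict", "Lax" or "None"
    secure: bool = True  # SameSite=None is only honoured together with Secure


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool     # request originates from a different site than the cookie's
    top_level: bool      # a navigation (address bar changes), not a script-driven fetch
    https: bool = True


def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if a browser attaches `cookie` to `req` under SameSite rules."""
    if not req.cross_site:
        return True                        # same-site requests: every mode sends the cookie
    if cookie.samesite == "Strict":
        return False                       # never sent on any cross-site request
    if cookie.samesite == "Lax":
        # sent only on top-level navigations using a safe method (e.g. following a link)
        return req.top_level and req.method in SAFE_METHODS
    if cookie.samesite == "None":
        return cookie.secure and req.https  # sent everywhere, but only over HTTPS
    raise ValueError(f"unknown SameSite value {cookie.samesite!r}")


def saml_round_trip(relay_mode: str, response_method: str = "GET") -> dict:
    """Replay steps 1-6 from the list above for one SameSite setting on the relay cookie.

    relay_mode is the SameSite value Domino puts on the cookie that remembers the
    URL requested in step 1, so that step 6 can redirect the user back to it.
    response_method is how the IdP returns the assertion in step 4 (GET or POST).
    """
    relay = Cookie("DominoRelay", relay_mode)  # constructed cookie name
    # Step 4: the browser arrives from the IdP's site, so the request carrying the
    # assertion into Domino is a cross-site top-level navigation.
    return_request = Request(response_method, cross_site=True, top_level=True)
    relay_seen = cookie_sent(relay, return_request)
    # Step 6: Domino can only redirect to the original URL if the relay cookie arrived.
    target = "originally requested page" if relay_seen else "default login landing page"
    return {"relay_cookie_received": relay_seen, "redirect_target": target}


if __name__ == "__main__":
    for mode in ("Strict", "Lax", "None"):
        result = saml_round_trip(mode)
        print(f"SameSite={mode:<6} relay cookie received={result['relay_cookie_received']!s:<5} "
              f"-> {result['redirect_target']}")
```

Running the module prints one line per mode: only “Strict” loses the relay cookie on the return from the IdP, which is exactly the symptom described above. Note that under a literal reading of the Lax rule a cross-site POST (the common SAML HTTP-POST binding) would also drop the cookie; Chromium-based browsers make an exception for cookies set without an explicit SameSite attribute within the last two minutes on such top-level POSTs, which is the window a login round trip fits in. Passing `response_method="POST"` to `saml_round_trip` shows the strict-spec behaviour.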

Read more here
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0103313

  1. Rickard Varnfors

    Thanks for this post. I had exactly this problem and had yet to find a solution… But now I found it. Thanks. 🙂
