Version:
Domino 5.x
Issue:
After clearing the browser cache or starting a new session in an Incognito tab, users who log in to the Domino platform see 500 internal server errors or 403 Access Forbidden errors in the Domino UI. The frontend logs show entries similar to:
E11000 duplicate key error collection: domino.users index: loginId.lowercaseId_1 dup key: { : "username_123_user" } correlationId="aLsk3qIeP" thread="application-akka.actor.default-dispatcher-21532"
Root Cause:
As of Domino 5.x, each user must have the following attributes filled in for user authentication:
Username
First Name
Last Name
SAML/identity providers must ensure that all of the above attributes are filled in and included in the SAML token sent to Domino. If one is missing, or the attributes do not match what is in Domino, the user will be presented with one of the above errors. Before a user shows up in Domino, that user has to exist in Keycloak; the information kept in MongoDB within Domino is a carbon copy of what is in Keycloak. On new logins, SAML tokens are refreshed, and attributes are obtained, mapped to a user in Keycloak, and passed on to Domino for matching.
Why are these needed and why do they need to match?
- The Firstname, Lastname attributes are used to create default project paths
- The Email Address is used as a main identifier for when you are inviting someone as a collaborator
- The Username is a primary key
Resolution:
Identity providers should ensure that all 4 attributes above are sent to Domino with the correct information and that null attributes are not sent.
In the event that an email address or name has changed, please raise a support ticket with Domino support so that we can look at updating MongoDB with the new details.
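The following is an added example, not part of the original article or Domino's code: a check that an identity-provider administrator could run against a captured SAML assertion to confirm that the four attributes are present and non-empty before a user logs in. The attribute names (`username`, `firstName`, `lastName`, `email`) and the sample assertion are assumptions; substitute the names your IdP actually emits.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed IdP attribute names mapped to the attributes the article lists.
REQUIRED = {
    "username": "Username",
    "firstName": "First Name",
    "lastName": "Last Name",
    "email": "Email Address",
}

# Constructed sample assertion (signature and conditions omitted):
# lastName is whitespace only and email is not sent at all.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>username_123_user</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>  </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute name: [stripped values]} from every saml:Attribute."""
    # Refuse DTDs and entity declarations rather than let the parser expand them.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_required(assertion_xml, required=REQUIRED):
    """Return a list of problems; an empty list means every attribute is usable."""
    attrs = read_attributes(assertion_xml)
    problems = []
    for name, label in required.items():
        if name not in attrs:
            problems.append(f"{label}: attribute '{name}' missing")
        elif not any(attrs[name]):  # no value, empty, whitespace or xsi:nil
            problems.append(f"{label}: attribute '{name}' present but empty")
    return problems


if __name__ == "__main__":
    print("\n".join(check_required(SAMPLE)) or "all required attributes present")
```
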
Notes:
The above issue has cropped up:
1. During upgrades from 4.x > 5.x
2. When SSO providers have not filled in all attributes for a user within a SAML token
3. When users have changed their names or email addresses.
