SSO group and role synchronization

Domino can synchronize Domino administrative user roles and organization membership with attributes in your SAML identity provider. Use this to externalize management of these roles and memberships to the identity provider.

SAML Group to Organization synchronization

The SAML provider application connected to Domino must include group membership as a multi-valued attribute.

To enable this feature, you must update the Domino Central Configuration setting authentication.oidc.externalOrgsEnabled to true, then restart Domino services.

Attribute mapper

Add an Attribute Importer mapper to the provider configuration in Keycloak.

  • Name: Domino Groups

  • Mapper Type: Attribute Importer

  • Attribute Name: Name attribute for the element that contains the groups for the user.

  • Friendly Name: FriendlyName attribute for the element that contains the groups for the user.

  • User Attribute Name: domino-groups.

Example:

<saml2:Attribute Name="UserGroups">
  <saml2:AttributeValue>nyc-data-scientists</saml2:AttributeValue>
  <saml2:AttributeValue>all-data-scientists</saml2:AttributeValue>
  <saml2:AttributeValue>sensitive-claims-users</saml2:AttributeValue>
</saml2:Attribute>

Keycloak mapper

Domino client mapper

When Domino is installed, it automatically creates the domino-group-mapper client mapper.

  1. To review the client mapper, go to Clients and click domino-play.

    Keycloak Domino play

  2. Click the Mappers tab. You can see the domino-group-mapper.

    Keycloak Client

Role synchronization

In addition to group membership, you can also automatically assign Domino administrative and/or user roles to users based on attributes from your SAML identity provider.

Prerequisite

The SAML identity provider application connected to Domino must include attributes that can be mapped to specific Domino roles.

Attribute mapper

You must add an Attribute Importer mapper to the provider configuration in Keycloak:

  • Name: Domino System Roles.

  • Mapper Type: Attribute Importer.

  • Attribute Name: Name attribute for the element that contains the Domino system roles for the user.

  • Friendly Name: FriendlyName attribute for the element that contains the groups for the user.

  • User Attribute Name: domino-system-roles.

To see the Mappers, go to Clients > domino-play > Mappers.

Domino system roles are controlled by the user’s membership in a set of special user groups in Keycloak. When the user is added or removed from such a group, the role change is propagated to Domino either on the next login or, if the user is currently logged in, within a few minutes (5 minutes by default).

When the user’s SAML token carries the role information as described above, the group membership will be updated automatically. The administrator can change the user roles from the Admin User management page, but it will be overwritten on the next SSO login if the Domino System Roles mapper is enabled.

Enable Flows

For customers who already have SSO and External Role Sync enabled, an authenticator has been added to Keycloak when upgrading to Domino 5.7.0. For customers with SSO enabled, but External Role Sync disabled, the authenticator is not being added to the Authentication Flows when upgraded to 5.7.0.

For existing customers who don’t have the External Role Sync but now want to enable it, the following manual actions must be taken in the Keycloak UI:

  1. Add a new execution to the Domino First Broker Login flow.

    1. Navigate to Authentication then click the Add execution button.

    2. Select Domino Role Group Assigner from the list.

    3. Locate Domino Role Group Assigner in the Auth Type list then, on the right, under Actions, click Config.

    4. On the Create authenticator config page, provide an Alias (e.g. RolesGroupAssigner) and select /roles as the parent for all the role groups. Click Save.

    5. Mark the new Domino Role Group Assigner execution as REQUIRED.

  2. If the Domino Post Login authentication flow doesn’t exist, create it:

    1. Navigate to Authentication then click the New button.

    2. Configure the flow by providing an Alias, e.g. Domino Post Login, and selecting generic as the Top Level Flow Type. Click Save.

  3. Add the new flows to the Identity providers configuration:

    1. Navigate to Identity Providers.

    2. Next to First Login Flow, select Domino First Broker Login from the list.

    3. Next to Post Login Flow, select Domino Post Login from the list.

Group synchronization attributes

You must include the following attributes if you synchronize groups in Domino.

  • Domino Organizations

    • Name: Can be any name since Domino can map attributes.

    • Multi-valued: Yes

    • Values:

      • One or more of the groups the user belongs to in your centralized identity provider. For any groups specified here, the user will be automatically enrolled in a Domino organization with the same name.

Example:

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="DominoOrganizations">
    <saml2:AttributeValue>nyc-data-scientists</saml2:AttributeValue>
    <saml2:AttributeValue>all-data-scientists</saml2:AttributeValue>
    <saml2:AttributeValue>sensitive-claims-users</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

Next steps

Learn how to propagate AWS credentials.