Domino uses Keycloak to manage user accounts. Keycloak supports three modes of authentication to Domino: local accounts, identity federation, and identity brokering.
When using local accounts, anyone with network access to the Domino application can create a Domino account. Users supply a username, password, and email address on the signup page to create a Domino-managed account. You can track, manage, and deactivate these accounts through the application. You can configure Domino with multi-factor authentication and password requirements through Keycloak.
When identity federation is enabled, local account creation is disabled and Keycloak authenticates users against identities in the external identity provider (IdP) and retrieves configurable properties about those users, such as Domino usernames and email addresses.
See Keycloak identity federation for more information.
You can configure Keycloak to broker authentication between Domino and an external authentication or SSO system. When identity brokering is enabled, Domino redirects users in the authentication flow to a SAML, OAuth, or OIDC service for authentication. Following authentication in the external service, the user is routed back to Domino with a token containing user properties.
See Keycloak identity brokering for more information.
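The brokered flow above ends with the user being routed back to Domino carrying a token of user properties. The following is an added example, not Domino's or Keycloak's own code, of the checks a broker performs on such a token before any of its properties (username, email) are trusted: signature, algorithm, issuer, audience, expiry and presence of the required claims. The issuer URL, client id (audience), HMAC secret, user names and timestamps are all constructed for the demo; real identity providers normally sign with RS256 against a published JWKS, and HS256 is used here only so the example runs with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions, not Domino's or Keycloak's configuration):
# the issuer of a hypothetical external IdP realm, the client id the broker
# expects in the audience claim, and a shared HMAC secret for HS256 signing.
EXPECTED_ISSUER = "https://idp.example.com/realms/demo"
EXPECTED_AUDIENCE = "domino-keycloak-broker"
DEMO_SECRET = b"demo-shared-secret-not-for-production"
REQUIRED_CLAIMS = ("preferred_username", "email")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Stand-in for the external IdP: mint an HS256-signed JWT with user properties."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> dict:
    """Broker-side validation. Returns the claims, or raises ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never be allowed to choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only after the signature holds do the claims mean anything.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired")
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            raise ValueError(f"missing claim {name}")
    return claims


def rejection_reason(token: str, now: Optional[float] = None) -> Optional[str]:
    """None if the token is acceptable, otherwise the name of the failed check."""
    try:
        verify_token(token, now=now)
    except ValueError as err:
        return str(err)
    return None


def user_properties(token: str, now: Optional[float] = None) -> dict:
    """The user properties the application would receive after a validated brokered login."""
    claims = verify_token(token, now=now)
    return {"username": claims["preferred_username"], "email": claims["email"]}


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "iat": issued, "exp": issued + 300,
            "preferred_username": "alice", "email": "alice@example.com"}
    good = issue_token(base)
    print("accepted:", user_properties(good, now=issued + 60))
    print("expired:", rejection_reason(good, now=issued + 301))
    print("wrong audience:", rejection_reason(issue_token({**base, "aud": "other-app"}), now=issued + 60))
    print("forged:", rejection_reason(issue_token({**base, "email": "m@example.com"}, secret=b"x"), now=issued + 60))
```

The order of the checks is the point: signature and algorithm first, then issuer and audience (so a valid token minted for a different application is not accepted), then expiry, and only then are the user properties read out for the application.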