Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.
For more information and upcoming events around #dominoforever, please visit our Destination Domino Page.
About licensing: This is a Domino server and yes, you will require a license. However, it depends on which license model you are on.
The newer license model is Complete Collaboration Business Edition (CCB), where you can install any number of servers. https://blog.hcltechsw.com/domino/licensing-update-hcl-complete-collaboration-ccb-guest-licensing/
Older license models, like Processor Value Units (PVU), are described here: https://blog.hcltechsw.com/domino/licensing-update-reporting-pvu-compliance-for-hcl-domino/
The one and only way to intercept the user's password is at the Domain Controller level. The extension points provided by Microsoft only work at the Domain Controller.
The main objective for this type of synchronization is to provide a single sign-on experience for customers that do not have a SAML IdP (like ADFS or TFIM) in place. The objective was NOT to sync the HTTP password. In fact, you can already, in Domino v11.0.1 and earlier versions, completely eliminate the Domino HTTP password by...
a) configuring Domino to authenticate all web users against the IDVault,
https://help.hcltechsw.com/domino/11.0.1/admin/conf_authenticate_webusers_with_notesids.html
or
b) forwarding all web authentication requests to a remote LDAP directory
Level 1 - LDAP Authentication
https://blog.thomashampel.com/blog/tomcat2000.nsf/dx/moving-from-passwords-to-singlesignon-part-1.htm
Level 2 - Self Service Password Reset Application
https://blog.thomashampel.com/blog/tomcat2000.nsf/dx/domino-singlesignon-level-2-self-service-password-reset-application-.htm?opendocument&comments#anc1
or
c) configuring Domino to authenticate web users via SAML
https://help.hcltechsw.com/domino/11.0.1/admin/secu_using_security_assertion_markup_language_saml_to_configure_federated_identity_authentication_t.html
Hello! From my point of view, this is a big security hole in the setup. We provide software for ******, Physical and Speech Therapy which is installed in many hospitals around the US. These departments use a common hospital Active Directory and a common Domain Controller with the rest of the hospital departments. Only the named departments are using HCL Domino. Installing another instance of HCL Domino on a Domain Controller won't be allowed due to the hospitals' security requirements; they strictly limit what can be allowed on Domain Controllers! I worked in the past with a 3rd-party product called PistolStar; it connected to the LDAP server instead, checked the user's password in AD upon user login, and then wrote this password into the HTTPPassword field in the NAB instead. I am just curious: what was the reasoning behind designing password synchronization via push from a Domino installed on the AD controller to the Domino Admin server, rather than pulling it directly from AD?
Another question I have concerns licensing: do we need to purchase a second license explicitly for a server installed, but not running, on the AD controller?
Thanks, Sam Elperin (sam.elperin@harmonyhit.com)