Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.
Many customers think that synchronizing is an easy task. It can be easy for someone who has worked on it for many hours; however, customers should understand the complexity of this task. I will highlight some aspects of synchronization.
1. Mobile users running the IBM Verse application on mobile devices cannot decrypt encrypted emails after SAML is enabled for ID management.
2. The Domino Traveler task uses Domino HTTP, which can authenticate users against MS AD LDAP. However, this solution is only good without mail encryption, because Domino does not allow MS AD to be used for ID management in Traveler (IBM Verse on a mobile device).
3. Password synchronization can be done from MS AD to Domino by Tivoli Directory Integrator; this includes HTTP and ID passwords, with one exception: Notes API functions for the ID Vault stop working after SAML is enabled for a user by policy. Thus password synchronization MS AD -> Domino cannot be achieved if SAML is enforced.
4. Tivoli Directory Integrator allows synchronizing MS AD users, groups, contacts and any other objects to Domino Directory persons, groups and mail-in databases, and vice versa.
5. Normal synchronization is not possible unless IBM fixes the issue where an IBM Notes user cannot be renamed unless he has an IBM Notes workstation configured and running. Otherwise only the initial administration request is generated and the others are not. The person will not be renamed in ACLs, in the ID Vault and in other places. Synchronization will always fail once the MS AD administrator renames MS AD users if the IBM Notes user does not use his IBM Notes workstation for any reason (for example, on maternity leave).
6. Customers must understand that there is no one correct way to synchronize MS AD to Domino. One customer will want to sync 1 AD forest to 5 Domino domains, another customer will want to sync 5 AD forests to 1 Domino domain. One customer will treat users as deleted when they are deleted in MS AD, another will want to treat them as deleted whenever they are moved to MS AD OU=Retired,DC=organization,DC=com. One customer will want to create a mail database for users, another to forward to Outlook in the cloud. So customers must understand that proper documentation, examples and a product sample can fit no more than x% of cases, and then the solution needs to be customized.
-----------------------
Summarized conclusion:
1. IBM should resolve the rename issue (5), the API issue (3) and the mail decryption issue in IBM Verse (1).
2. Then IBM, IBM BPs or customers can share the knowledge of how to configure the most typical synchronization scenarios.
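The post argues that "what counts as deleted" and "how renames are detected" are policy decisions that differ per customer, so any sync tool ends up being customized. The following is an added example, not code from the idea author, from TDI or from Domino: a small planner in plain Python over constructed AD and Domino snapshots. It joins the two directories on the AD objectGUID (which survives renames and OU moves), detects renames of the hierarchical Notes name, and supports both deletion policies mentioned above (deleted in AD, or moved under a Retired OU). The OU name, the Notes organization /O=ACME and the idea of storing the GUID in a field on the Person document are assumptions for the example.

```python
"""Plan AD -> Domino sync actions from two constructed directory snapshots.

Added example, not TDI or Domino code. It computes the actions a sync job
would issue; it does not talk to LDAP or to the Domino Directory.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Hypothetical values used throughout this example.
RETIRED_OU = "OU=Retired,DC=organization,DC=com"
NOTES_ORG = "/O=ACME"

Action = Tuple[str, ...]


@dataclass(frozen=True)
class AdUser:
    guid: str          # objectGUID: stable across renames and OU moves, so it is the join key
    dn: str
    display_name: str
    mail: str


@dataclass(frozen=True)
class DominoPerson:
    guid: str          # assumed to be stored in a custom field on the Person document
    full_name: str     # hierarchical Notes name, e.g. CN=Jane Doe/O=ACME
    mail: str


def _norm_dn(dn: str) -> str:
    """Lower-case each RDN and strip whitespace so OU matching is not case- or spacing-sensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_retired_ou(dn: str, retired_ou: str = RETIRED_OU) -> bool:
    """True if dn is the retired OU itself or any entry beneath it (suffix match on whole RDNs)."""
    d, r = _norm_dn(dn), _norm_dn(retired_ou)
    return d == r or d.endswith("," + r)


def notes_name(user: AdUser) -> str:
    """Map an AD display name to the hierarchical Notes name used in this example."""
    return f"CN={user.display_name}{NOTES_ORG}"


def plan_sync(ad_users: Iterable[AdUser], domino_persons: Iterable[DominoPerson],
              delete_policy: str = "retired_ou") -> List[Action]:
    """Return the ordered actions that would bring the Domino snapshot in line with AD.

    delete_policy:
      "ad_delete"  - a Person is deleted only when its AD object no longer exists
      "retired_ou" - additionally, when the AD object has been moved under RETIRED_OU
    """
    if delete_policy not in ("ad_delete", "retired_ou"):
        raise ValueError(f"unknown delete_policy {delete_policy!r}")
    domino_persons = list(domino_persons)
    dom_by_guid = {p.guid: p for p in domino_persons}
    actions: List[Action] = []
    seen = set()
    for u in ad_users:
        seen.add(u.guid)
        retired = delete_policy == "retired_ou" and in_retired_ou(u.dn)
        p = dom_by_guid.get(u.guid)
        if p is None:
            if not retired:                       # never create a Person for an already-retired user
                actions.append(("create", notes_name(u), u.mail))
            continue
        if retired:
            actions.append(("delete", p.full_name))
            continue
        current = p.full_name
        if notes_name(u) != current:
            # This only queues the rename request; as the post notes, in Domino the
            # remaining steps depend on the user's Notes client picking up the change.
            actions.append(("rename", current, notes_name(u)))
            current = notes_name(u)
        if u.mail.lower() != p.mail.lower():
            actions.append(("update_mail", current, u.mail))
    for p in domino_persons:
        if p.guid not in seen:                    # object gone from AD: both policies delete
            actions.append(("delete", p.full_name))
    return actions


def sample_ad() -> List[AdUser]:
    """Constructed AD snapshot: a renamed user, a retired user, a new hire."""
    return [
        AdUser("g1", "CN=Jane Doe,OU=Staff,DC=organization,DC=com", "Jane Doe", "jane.doe@organization.com"),
        AdUser("g2", "CN=Bob Smith,OU=Retired,DC=organization,DC=com", "Bob Smith", "bob.smith@organization.com"),
        AdUser("g3", "CN=New Hire,OU=Staff,DC=organization,DC=com", "New Hire", "new.hire@organization.com"),
    ]


def sample_domino() -> List[DominoPerson]:
    """Constructed Domino snapshot: Jane under her old name, Bob, and a user deleted from AD."""
    return [
        DominoPerson("g1", "CN=Jane Roe/O=ACME", "jane.roe@organization.com"),
        DominoPerson("g2", "CN=Bob Smith/O=ACME", "bob.smith@organization.com"),
        DominoPerson("g4", "CN=Gone Person/O=ACME", "gone.person@organization.com"),
    ]


if __name__ == "__main__":
    for policy in ("retired_ou", "ad_delete"):
        print(f"--- delete_policy={policy}")
        for action in plan_sync(sample_ad(), sample_domino(), policy):
            print(action)
```

Switching `delete_policy` is the only difference between the two customers described in point 6: with "retired_ou" Bob is deleted because his object moved under OU=Retired, with "ad_delete" he is left alone, while the user whose AD object is gone is deleted under both. Joining on objectGUID rather than on the name is what makes the rename in AD show up as a rename action instead of a delete plus create.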
Definitely a good idea. We currently manage this through an in-house bespoke solution. It is painful to keep in sync with environmental changes, and it has management rethinking our association with Domino/IBM.
When a user is created in AD, the same user must have automatic and instant access to Notes web applications without logging in (SSO).
That's already possible with SAML / SPNEGO / Directory Assistance
Seamless AD integration is very important. I have a lot of customers that are moving to SharePoint/Office 365 but still use Notes as a web platform. When a user is created in AD, the same user must have automatic and instant access to Notes web applications without logging in (SSO).
+1 for the above comment in general, but I also want to point out that SAML is NOT yet available for the ICAA client. This should be at the top of the priority list.
Password synchronisation is a nightmare from a security point of view. In addition to the timing, it means AD needs write access to Domino, or Domino needs read access to AD passwords; with TDI this is only possible by replacing Windows DLLs to write the password into a second store, because the hashes within the ID cannot be decrypted.
You can today use the AD password for all HTTP password requests through Directory Assistance, or by using SAML and ADFS. ID passwords can be replaced with SAML. So authentication is done by AD and Domino has no need to know the password; it just needs to trust the backend service.
Using open and standardized protocols like SAML is way better than writing passwords from one service to another! I support the idea of implementing more IdPs and getting offline support for ID SAML.
Yes, synchronization is important!
All companies use AD as the primary source for users!
We need a simple feature for sync (not TDI or other complex tools).
SAML should remove the need for password synch.
As for 3rd party vendor solutions: IBM has their own offering (ESSO) which, ironically, in my experience at least, doesn't play nice with the Notes client.
>>> Leave it to 3rd party vendor solutions.
Sorry, I don't agree. Only a small minority of customers will purchase 3rd party solutions. The lack of integration with AD makes Notes/Domino vulnerable to being replaced, and customers will get rid of Notes rather than investigate & purchase 3rd party solutions.
We need easy to implement SSO for Notes client and for web access on Domino (what would you think if you had to put in a password to use Excel every day!!)
I don't know if this is discouraging, but IBM has proved many times in the past that they refuse to provide a good experience when the client is using competitors' products like AD/Outlook; some important features will be broken. To name a few: ADSync, DAMO, IMSMO, SPNEGO authentication...
Leave it to 3rd party vendor solutions.
I don't think getting rid of the Domino Directory is a great idea, but fixing it so it actually works like a decent LDAP server would make integration and syncing between systems way easier.
Yes please, synchronizing passwords is important.
Or a feature to sync automatically from AD.
Get rid of the Domino Directory (for users) and move the user management to AD/LDAP completely.