
Configure Domino REST API to use an OIDC provider

About this task

This procedure describes how to configure Domino REST API to use an OpenID Connect (OIDC) provider for authentication.

Client Ids

When configuring an external identity provider using OpenID Connect (OIDC) or OIDC-idpcat with HCL Domino and the Domino REST API, you must specify a client ID. The default recommendation is to use Domino as the client ID for the Domino REST API server. However, your identity provider administrator might require a different value depending on your organization’s configuration.

Separate client IDs (application registrations) are required to support the Admin UI and Office Forms Based Authentication (OFBA). To support these features, configure at least the following clients in your identity provider:

  • A client used by the Domino REST API server. You can name the client Domino or any descriptive name. The client secret might be managed through idpcat.nsf.
  • A client used by the Domino REST API Admin UI. You can name the client keepadminui or any descriptive name. Configure this client if you want administrators to authenticate through the external identity provider.
  • A client used for OFBA round-trip editing of Office documents. You can name the client keepofba or any descriptive name.

You should also create separate clients for each custom application that connects to the Domino REST API.

Procedure

  1. Create a JSON file using a text editor.
  2. Copy the following JSON object into the file.

    {
      "oidc": {
        "any-name": {
          "active": true,
          "providerUrl": "https://some.keycloak.server/auth/realms/some-realm",
          "clientId": "some-clientid",
          "clientSecret": "some-clientsecret",
          "userIdentifier": "dn",
          "userIdentifierInLdapFormat": true
        }
      }
    }
    
  3. Set the values of the providerUrl, clientId, and clientSecret parameters to the values from your identity provider, such as Keycloak.

    {
      "oidc": {
        "any-name": {
          "active": true,
          "providerUrl": "https://some.keycloak.server/auth/realms/some-realm",
          "clientId": "a3fe24-88dd-a003d3",
          "clientSecret": "16072d-cf96-1ea8d9",
          "userIdentifier": "dn",
          "userIdentifierInLdapFormat": true
        }
      }
    }
    
  4. Save the JSON file in the keepconfig.d directory.

    Tip

    Use a filename for the JSON file that reveals its purpose. To learn more on how JSON files in keepconfig.d are processed, see Configuration management and overlay hierarchy.

  5. Restart Domino REST API on all servers.
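The following check script is an added example written for this page, not part of Domino REST API or keepconfig.d itself. It validates an overlay file's content before the file is saved into keepconfig.d, flagging template placeholders left over from step 2, a providerUrl that does not use https, and missing keys; treating every key in the template as required, and the idp.example.com realm URL, are assumptions of the example.

```python
import json
from urllib.parse import urlparse

# Keys used in the oidc template above. Treating all of them as required is an
# assumption of this example; the page does not say which ones are optional.
EXPECTED_KEYS = {"active", "providerUrl", "clientId", "clientSecret",
                 "userIdentifier", "userIdentifierInLdapFormat"}
# Template values from the page that must not be left in a deployed file.
PLACEHOLDERS = {"some-clientid", "some-clientsecret",
                "https://some.keycloak.server/auth/realms/some-realm"}


def check_oidc_config(text):
    """Return a list of findings for one keepconfig.d overlay given as JSON text.
    An empty list means nothing was flagged."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    providers = cfg.get("oidc") if isinstance(cfg, dict) else None
    if not isinstance(providers, dict) or not providers:
        return ["no 'oidc' object containing at least one provider entry"]
    findings = []
    for name, prov in providers.items():
        if not isinstance(prov, dict):
            findings.append(f"{name}: provider entry must be a JSON object")
            continue
        for key in sorted(EXPECTED_KEYS - set(prov)):
            findings.append(f"{name}: missing key '{key}'")
        # Tokens and user claims are fetched from this URL, so insist on TLS.
        if urlparse(str(prov.get("providerUrl", ""))).scheme != "https":
            findings.append(f"{name}: providerUrl must use https")
        for key in ("providerUrl", "clientId", "clientSecret"):
            if prov.get(key) in PLACEHOLDERS:
                findings.append(f"{name}: {key} still holds the template placeholder")
        if not isinstance(prov.get("active"), bool):
            findings.append(f"{name}: 'active' must be true or false")
    return findings


# Constructed sample overlays: the unedited template from step 2, and a
# filled-in version with a made-up realm URL and the credentials from step 3.
TEMPLATE = json.dumps({"oidc": {"any-name": {
    "active": True, "providerUrl": "https://some.keycloak.server/auth/realms/some-realm",
    "clientId": "some-clientid", "clientSecret": "some-clientsecret",
    "userIdentifier": "dn", "userIdentifierInLdapFormat": True}}})
FILLED = json.dumps({"oidc": {"keycloak": {
    "active": True, "providerUrl": "https://idp.example.com/auth/realms/domino",
    "clientId": "a3fe24-88dd-a003d3", "clientSecret": "16072d-cf96-1ea8d9",
    "userIdentifier": "dn", "userIdentifierInLdapFormat": True}}})
```

Run `check_oidc_config()` on the text of each overlay before copying it into keepconfig.d; the unedited template yields three placeholder findings, the filled-in version none.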

Rinse and repeat