Skip to content

Custom Identity Provider (IdP)


The Domino server task communicates with the REST API through the KeepManagementURL. It has a default value of http://localhost:8889. You can overwrite this setting in the notes.ini by editing, or creating if missing, the entry KeepManagementURL (case sensitive). Having configured a TLS certificate, you need to make sure the entry starts with https:// and uses the host name your TLS certificate has been issued for. localhost, or ::1 won't work. Configuring TLS doesn't change the port. So when you host, your TLS certificate is issued for, is and your old entry was missing or is the default of http://localhost:8880, then your new value needs to be: For more information, see Domino REST API task and ports.

Domino REST API requires an access token in JWT (RFC 7519) format. As long as Domino REST API trusts the signature of the presented token, it does not matter how the token was obtained.


Check carefully which systems you trust to provide identity. They hold the key to data access.

When none of the existing IdP solutions fit your needs, you can use a custom provider that generates your JWT token. Just make sure, such code isn't accessible for abuse as unauthorized impersonation.

Sample function

This function turns a given user name and scope into a signed JWT token.

const template = require('./template.json');
const jwt = require('jsonwebtoken');
const fs = require('fs');
const privateKey = fs.readFileSync('private.key');

const signOptions = {
  algorithm: 'RS256',
  expiresIn: `${template.expSeconds}s`,
  mutatePayload: true

const renderJwt = (sub, scope) => {
  const claim = { sub, scope, ...template };
  const bearer = jwt.sign(claim, privateKey, signOptions);
  return { bearer: bearer, ...claim };

module.export = { renderJwt };

Error handling omitted for clarity.

The template

  "iss": "Joe and the wailors",
  "aud": "Domino",
  "expSeconds": 3000


This the relevant part of the package.json.

"dependencies": {
    "jsonwebtoken": "^8.5.1"

Keys you need

You need to generate a public/private key pair.

ssh-keygen -t rsa -b 4096 -m PEM -f private.key
openssl rsa -in private.key -pubout -outform PEM -out