SSO for HCL Domino (Lotus Notes)

by HCL Technologies (formerly IBM)

SSO-Enable HCL Domino and Lotus Notes Web Applications Instantly

Why HCL Domino (Lotus Notes) Needs Modern SSO

HCL Domino (formerly IBM Lotus Notes/Domino) remains a critical platform for email, workflow, and custom NSF-based applications in large enterprises, government agencies, and financial institutions. Millions of users still rely on Domino for business-critical processes built over decades. However, Domino's authentication model (HTTP password or Domino session-based authentication) sits outside modern identity infrastructure. Users maintain separate Domino passwords, IT teams manage Domino-specific directories, and security teams struggle to enforce consistent MFA policies.

OnePAM adds modern SSO to Domino by acting as an identity-aware reverse proxy in front of the Domino HTTP server. Users authenticate through your corporate IdP, and OnePAM injects a trusted Domino session. All Domino web applications (iNotes, Domino web access, custom NSF apps, XPages) gain SSO without any NSF database modifications or Domino server configuration changes.

Authentication Challenges with HCL Domino (Lotus Notes)

These are the security and operational challenges organizations face when HCL Domino (Lotus Notes) relies on its native authentication model.

Domino Directory Silo

Domino maintains its own directory (names.nsf) with separate credentials, creating an identity silo disconnected from modern IdPs.

Limited Federation

Domino's native SAML support (introduced in 9.0.1) is limited, complex to configure, and doesn't cover all web application scenarios.

Custom NSF Applications

Thousands of custom NSF-based applications rely on Domino session authentication, making migration to modern auth frameworks impractical.

Notes Client Complexity

Users accessing Domino via the Notes thick client use ID files and passwords, creating yet another credential management challenge.

Legacy Audit Gaps

Domino's built-in logging provides limited visibility into authentication events compared to modern IAM audit requirements.

Migration Uncertainty

Organizations planning eventual Domino migration to modern platforms need SSO now but don't want to invest in Domino-native federation infrastructure.

How OnePAM Adds SSO to HCL Domino (Lotus Notes)

A step-by-step guide to deploying modern SSO for HCL Domino (Lotus Notes) using OnePAM's identity-aware reverse proxy.

1. Deploy OnePAM Gateway

Install OnePAM as a reverse proxy in front of the Domino HTTP server on ports 80/443.

OnePAM handles TLS termination and intercepts all HTTP requests to Domino. It can run as a container or VM alongside your Domino infrastructure.

2. Configure IdP Connection

Connect OnePAM to your corporate IdP — Okta, Azure AD, Google Workspace, ADFS, or any SAML/OIDC provider.

OnePAM manages the full SAML/OIDC handshake: metadata exchange, assertion validation, MFA enforcement, and token lifecycle management.

3. Map Users to Domino Identities

Define how IdP users map to Domino directory entries using email, canonical name, or custom attribute matching.

OnePAM supports Domino's hierarchical naming convention (CN=John Doe/O=Acme) and maps it to IdP attributes. Wildcard and regex matching handle complex organizational hierarchies.

4. Inject Domino Sessions

OnePAM creates trusted Domino web sessions via LtpaToken or session cookie injection after IdP authentication.

Upon successful IdP authentication, OnePAM generates a valid Domino LtpaToken or session cookie and injects it into the HTTP response. The user's browser sends this on subsequent requests, and Domino treats the session as authenticated.

5. Monitor and Audit

Enable comprehensive audit logging, session recording, and access policy enforcement for all Domino web access.

Every Domino web access event is logged with IdP context: user, authentication method, MFA status, device, location. Compliance reports are generated automatically.

Benefits of SSO for HCL Domino (Lotus Notes)

Measurable business outcomes from deploying OnePAM SSO in front of HCL Domino (Lotus Notes).

One Password for Everything

Users access Domino web applications with the same credentials they use for email, Office 365, and all other corporate applications.

Single credential across all apps

MFA for Domino

Enforce multi-factor authentication for Domino web access using your IdP's MFA infrastructure — no Domino-side MFA plugins.

MFA without Domino changes

Protect Custom Apps

Thousands of custom NSF applications gain SSO protection automatically — OnePAM covers all Domino web URLs.

All NSF apps protected

Bridge to Migration

Add SSO now while planning eventual migration from Domino. Users get a modern auth experience today regardless of migration timeline.

Modernize auth instantly

Unified Access Logs

Domino access events appear in the same audit trail as all your other applications, with consistent formatting and IdP context.

Complete visibility

No NSF Modifications

Zero changes to NSF databases, Domino server configuration, or custom applications. OnePAM works at the HTTP layer.

Zero database changes

HCL Domino (Lotus Notes) SSO Capabilities

Every feature needed to provide enterprise-grade SSO for HCL Domino (Lotus Notes).

SAML 2.0 & OIDC SSO for all Domino web applications
LtpaToken and Domino session cookie injection
iNotes and Domino Web Access SSO
Custom NSF application SSO coverage
XPages and Domino REST API SSO
Domino hierarchical name (CN/O/OU) mapping
Multi-domain Domino directory support
Domino cluster and failover awareness
Session recording for compliance
Just-in-time user provisioning

Security Features

Enterprise-grade security controls protecting the SSO integration layer.

End-to-end TLS with Domino HTTP server
LtpaToken encryption and signing
Per-application access policies (by NSF path)
IP and geo-based access restrictions
Device trust verification
Real-time session invalidation on IdP sign-out

HCL Domino (Lotus Notes) SSO Use Cases

Common scenarios where organizations deploy OnePAM SSO for HCL Domino (Lotus Notes).

1. Enterprise email users accessing iNotes/Domino Web Access with corporate SSO
2. Business analysts using custom NSF workflow applications with MFA
3. Government agencies enforcing PIV/CAC authentication for Domino access
4. Financial institutions meeting SOX requirements for Domino application access
5. Organizations in Domino-to-cloud migration adding SSO as a transition step
6. Remote workers accessing Domino web apps from personal devices with device trust

HCL Domino (Lotus Notes) SSO FAQ

Common questions about deploying OnePAM SSO for HCL Domino (Lotus Notes).

Does OnePAM work with the Notes thick client?

OnePAM directly supports all Domino web interfaces (iNotes, DWA, NSF web apps, XPages). For the Notes thick client, OnePAM can provide SSO via LtpaToken injection when Notes accesses Domino services over HTTP/HTTPS.

Which Domino versions are supported?

OnePAM supports HCL Domino 9.x, 10.x, 11.x, 12.x, and 14.x. Any Domino version with HTTP server capabilities is compatible.

Will SSO work for all our custom NSF applications?

Yes. Because OnePAM operates at the HTTP layer, any NSF application accessed through the Domino HTTP server automatically receives SSO. No per-application configuration is needed.

Can we use OnePAM alongside Domino's native SAML support?

Yes, but it's unnecessary. OnePAM provides more comprehensive SSO coverage than Domino's native SAML, which only applies to specific scenarios. Most customers use OnePAM exclusively for simpler management.

How does OnePAM handle Domino's hierarchical user names?

OnePAM supports Domino's hierarchical naming (CN=John Doe/OU=Sales/O=Acme Corp). The identity mapper can match IdP attributes to any component of the Domino hierarchical name using templates, regex, or LDAP lookups.
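
The template-based mapping described in step 3 and in the answer above, as an added example (not OnePAM's code): it builds a Domino canonical name from IdP claims and fails closed when a claim is missing or carries a name delimiter that could change which Domino identity the session is issued for. The `{claim}` template syntax, the claim names and the sample values are assumptions constructed for illustration.

```python
import re

# Characters that would let a claim value add or alter hierarchical name components.
_FORBIDDEN = re.compile(r"[/=\x00-\x1f]")
# Canonical component order: CN, up to four OUs, O, optional two-letter country.
_CANONICAL = re.compile(r"^CN=[^/=]+(/OU=[^/=]+){0,4}/O=[^/=]+(/C=[A-Z]{2})?$")

# Constructed sample input (hypothetical claim names and template).
SAMPLE_CLAIMS = {"name": "John Doe", "department": "Sales"}
TEMPLATE = "CN={name}/OU={department}/O=Acme Corp"


class MappingError(ValueError):
    """IdP claims could not be mapped to one safe Domino canonical name."""


def to_canonical(claims, template):
    """Fill a template such as 'CN={name}/OU={department}/O=Acme Corp'."""
    def fill(match):
        key = match.group(1)
        value = str(claims.get(key) or "").strip()
        if not value:
            # Fail closed: never fall back to a default or shared identity.
            raise MappingError(f"missing claim: {key}")
        if _FORBIDDEN.search(value):
            # A value like 'John Doe/O=Other' would inject extra components.
            raise MappingError(f"claim {key} contains a name delimiter")
        return value

    name = re.sub(r"\{(\w+)\}", fill, template)
    if not _CANONICAL.match(name):
        raise MappingError(f"not a canonical Domino name: {name}")
    return name


def to_abbreviated(canonical):
    """CN=John Doe/OU=Sales/O=Acme Corp -> John Doe/Sales/Acme Corp."""
    return "/".join(part.split("=", 1)[1] for part in canonical.split("/"))


if __name__ == "__main__":
    mapped = to_canonical(SAMPLE_CLAIMS, TEMPLATE)
    print(mapped, "->", to_abbreviated(mapped))
    try:
        to_canonical({"name": "John Doe/O=Other", "department": "Sales"}, TEMPLATE)
    except MappingError as exc:
        print("rejected:", exc)
```

Logging every `MappingError` with the IdP subject gives the audit trail a record of claims that did not resolve to a Domino identity.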

Ready to Add SSO to HCL Domino (Lotus Notes)?

Deploy OnePAM in hours — not months. No HCL Domino (Lotus Notes) code changes required. Start your free 14-day trial today.