For Administrators it is not preferable that their workplace is SAML enabled. Using the normal default SAML authentication, it’s filter is based on users in the policy configuration. Now we came up with a user-case that it is not possible anymore using user-based SAML deployment.
When a administrator perform a switch id, for trouble shooting purposes, this id wants to use SAML authentication. But your are already logged in as an administrator ( into Windows ) and cannot match with the user.id you just switched to.
Is there a way to filter SAML based on your workplace? Are you working on an Administrator’s workplace?
Yes there is, in Security settings of your Domino policy you can set machine-specific filters in order to filter out the administrators workplaces.
In your Policy – Security setting—password management tab—> federated login—>Enable Notes Federated login with SAML IdP —enter machine specific formula.
We choose to disable SAML on an admin-machine when there is a certain notes.ini parameter set: disable_saml=1
After we set the notes.ini on those workplaces, we can change the security policy and restrict SAML only to HCL Notes clients without that notes.ini parameter.
You can read the notes.ini parameters by @GetMachineInfo with keyword EnvVariable.
@GetMachineInfo( [Keyword]; "Needed for some Keywords string" )
So in our case we can set the following formula:
@IF(@GetMachineInfo( [EnvVariable]; "disable_saml" )="1" ;”0″;”1″)
That’s it. Now you can use your admin workplace and perform a switch id without any warnings or error regarding the fact that there is no match found for SAML.