Parameter: NFLMandatory
Short description: Enforces Notes Federated Login (NFL) for all Notes Clients – logins are then only possible via the configured Identity Provider.
Profile
Parameter | NFLMandatory |
Category | Security / TLS |
Component | Client |
Available since | 14.0 |
Supported versions | 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = NFL optional (default), 1 = NFL enforced |
Description
With Notes Federated Login (NFL), Notes Clients can authenticate against an external IdP (SAML / OIDC) instead of asking for the ID file password locally.
NFLMandatory=1 disables the classic login paths: without a successful IdP login, the Notes Client can no longer be started. For organizations with a central IAM / SSO strategy, this is an important building block – ID file phishing or local password brute-forcing become ineffective.
Example configuration
NFLMandatory=1
Notes & pitfalls
- Before enabling, NFL must be correctly configured and successfully tested for the target user group – otherwise users will lock themselves out.
- For emergency access, keep a separate admin ID with classic login available and documented.
- Takes effect after a Notes Client restart.
- Pairs with the NotesIDVault mechanisms (central ID management) and the IdP configuration in the Domino Directory.
- The function is client-side – typically distributed via mail policy / ID file setup, not by hand per workstation.