Use this procedure to set up a Relying Part Trust in ADFS 3.0 for Domino web servers that participate in SAML authentication.

Procedure

1. From ADFS, select Start -> Administrative Tools -> AD FS Management.

2. Navigate to the Relying Party Trusts folder.

3. Select Action -> Add Relying Party Trust.

4. Click Start to run the Add Relying Party Trustwizard.

5. In the Select Data Source window select Import data about the relying party from a file, select the ServiceProvider.xml file that you exported from the corresponding Web server IdP configuration document. Then, click Next.

Note: When you import from the ServiceProvider.xml file, values for Steps 6 - 10 are populated automatically. If you select Enter data about the relying party manually, you enter these values yourself.

7. In the Choose Profile window, select AD FS profile and clickNext.

8. In the Configure Certificate window, click Next.

9. In the Configure URL window, select Enable support for the SAML 2.0 WebSSO protocol. For Relying party SAML 2.0 SSO service URL, enter the following URL:

https://<host>/names.nsf?SAMLLogin

where <host> is the DNS host name of a Domino web server that will participate in federated login. For example:

https://mail.us.renovations.com/names.nsf?SAMLLogin

• The host name must match a host name that is specified in the Host names or addresses mapped to this site field in the web server IdP configuration document you create.
• You can specify only one web server host per Trust document. If there are multiple Web server hosts behind a load balancer or sprayer, specify the load balancer or sprayer host name here. If there is no load balancer or sprayer, repeat this procedure and create a separate Trust document for each web server.
• Each web server with a Trust document requires a corresponding IdPcat configuration document .

This URL must match the one that you specify in the Service provider IDfield of the web server IdP configuration document. For example:https://mail.us.renovations.com

Note: This URL is used only as an identifier and not for HTTP connections.

12. In the Choose Issuance Authorization Rules window, select Permit all users to access this replying party and click Next.

13. In the Ready to Add Trust window, click Next.

14. In the Finish window, select Open the Edit Claim Rules dialog for this replying party trust when the wizard closes and click Close.

15. If the Edit Claim Rules dialog does not open when the wizard closes, right-click the name of the Relying Party Trust that you created, and select Edit Claim Rules...

16. In the Edit Claim Rules dialog, click Add Rule.

17. In the Select Rule Template dialog, for Choose Rule Type, select Send LDAP Attributes as Claims, and click Next.

18. Complete the Configure Rule dialog box:

a. For Claim rule name, enterEmailAddressToNameID.

b. For Attribute store, select Active Directory.

c. For LDAP Attribute, selectE-Mail-Addresses.

d. For Outgoing Claim Type, select Name ID.

e. Click Finish.

20. In the AD FS Trust Relationships -> Relying Party Trusts folder:

a. Right-click the new relying party trust that you created for Domino and selectProperties.

b. Click the Endpoints tab.

c. For SAML Assertion Consumer Endpoints, verify that there is a POST binding URL for Domino. In addition, if there is an Artifact binding URL, remove it because Domino only uses POST binding.

Help on Help

All Help Contents

Help on Help