Domino Consulting - HCL Domino Administrator 11.0.1 Help

SECURING

Creating an ID vault server IdP configuration document

This configuration document is used for both Notes federated login and Web federated login.

Before you begin

Have the metadata .xml file that you exported from your IdP, for exampleFederationMetadata.xml, in a location from which you can access it so that you can import it into the IdP configuration document.

Procedure

1. Open idpcat.nsf.

2. Click Add IdP Config to create a new configuration document.

3. Click Import XML file and select the metadata .xml file you exported from your IdP. In ADFS, this file name is typicallyFederationMetadata.xml.

The following information is imported from the

.xml

file.

Table 1. Fields in the IdP Configuration document whose values are generated from themetadata .xml file

Field Description

Protocol version One of the following:

SAML 2.0
SAML 1.1
TFIM

Federation product One of the following:

AuthRequest SAML 2.0 compatible
ADFS
TFIM

Note: Authn is a standard authentication protocol available for SAML 2.0. If your IdP is configured to support Authn, best practice is to keep AuthnRequest SAML 2.0 compatible selected.

Artifact resolution service URL Domino® generates the artifact URL for the federation service you specified in the Federation product field.
For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following artifact URL might be generated:https://tfim.renovations.com/FIM/sps/samlTAM20/soap.

Single sign-on service URL If the data is available in the imported XML file, Domino generates the login URL for the federation service specified in theFederation product field.
For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following login URL might be generated:https://tfim.renovations.com/FIM/sps/samlTAM20/logininitial.
Note: The value in this field is a subset of the expected URL to the IdP. The Domino server generates the full URL when necessary.

Signing X.509 certificate Domino imports the certificate code from file.

Encryption X.509 certificate Domino imports the certificate code from file.
Note: This field appears only when the Type field is set to SAML 2.0.

Protocol support enumeration Domino generates a string designating the protocol(s) for the SAML release specified in the Type field that are also supported by the specified IdP. This string will become part of authentication URLs provided by Domino as the service provider to the IdP specified in this configuration document.
For example,url.oasis.names.tc:SAML:2.0:protocol.

4. On the Basics tab, in the Host names or addresses mapped to this site field, enter the DNS host name of the ID vault server, preceded with the string vault. For example:

vault.domino1.us.renovations.com

5. For State select Disabled. Enable it later when you enable federated login.

6. In the Service provider ID field, enter a value to identify the ID vault server as service provider partner with the IdP.

For example:

https://vault.domino1.us.renovations.com

This value has to be a properly constructed but it isn't used for HTTP connections.
If you are using SSL (required for ADFS), specify https: in the URL.
This value must match the value in the IdP trust or partnership that you will create to identify the ID vault server. For example, in ADFS, this value must match the value specified in theRelying party trust identifiers box in the Relying Party Trust.

7. On the Client Settings tab, complete the following steps, which are related to Notes federated login:

Enable Windows single sign-on

set to Yes if you are using Integrated Windows Authentication (IWA) with ADFS. This field is required by Notes federated login so that Domino knows how to set up the Notes® client embedded browser.

b. In the Sites that are trusted field, list trusted identity provider (IdP) web host names that differ from the host name configured in the Basicstab. Separate entries with a semicolon or a return character.

c. Leave the Enforce SSL field set to Yes if the Notes client embedded browser requires that any URL accessed at the IdP during the login sequence be protected with SSL.

8. Save and close the IdP Configuration document.

9. Optional: If you want to ensure that SAML assertions are encrypted to protect sensitive data, complete the task Generating a certificate to encrypt SAML assertionsYour organization may require SAML assertions to be encrypted if assertions include attributes that contain sensitive personal data, for example, social security numbers. Domino encrypts entire SAML assertions; partial encryption of specific attributes is not available.. Complete it before you complete the task Exporting the ID vault server configuration to an .xml fileComplete this task to export the configuration information in an ID vault server IdP configuration document to an xml file, ServiceProvider.xml. Then, you can import it into the Relying party trust (ADFS) or partnership (TFIM) to fill in the Domino information automatically., so that the certificate is included in the idp.xml file.

Parent topic: Configuring ID vault servers for federated SAML login
Next topic: Exporting the ID vault server configuration to an .xml file

Help on Help

All Help Contents

Help on Help

All Help Contents

Field	Description
Protocol version	One of the following: SAML 2.0 SAML 1.1 TFIM
Federation product	One of the following: AuthRequest SAML 2.0 compatible ADFS TFIM Note: Authn is a standard authentication protocol available for SAML 2.0. If your IdP is configured to support Authn, best practice is to keep AuthnRequest SAML 2.0 compatible selected.
Artifact resolution service URL	Domino® generates the artifact URL for the federation service you specified in the Federation product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following artifact URL might be generated:`https://tfim.renovations.com/FIM/sps/samlTAM20/soap`.
Single sign-on service URL	If the data is available in the imported XML file, Domino generates the login URL for the federation service specified in theFederation product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following login URL might be generated:`https://tfim.renovations.com/FIM/sps/samlTAM20/logininitial`. Note: The value in this field is a subset of the expected URL to the IdP. The Domino server generates the full URL when necessary.
Signing X.509 certificate	Domino imports the certificate code from file.
Encryption X.509 certificate	Domino imports the certificate code from file. Note: This field appears only when the Type field is set to SAML 2.0.
Protocol support enumeration	Domino generates a string designating the protocol(s) for the SAML release specified in the Type field that are also supported by the specified IdP. This string will become part of authentication URLs provided by Domino as the service provider to the IdP specified in this configuration document. For example,`url.oasis.names.tc:SAML:2.0:protocol`.