SECURING
You can generate a certificate to use to encrypt SAML assertions automatically from an IdP configuration document.
About this task
Create the certificate from the server that will encrypt SAML assertions from Domino. The certificate creation step runs an agent to create a new certificate inside the server ID of the server from which you click the button. Be sure that the replica of idpcat.nsf that you use is on the server whose server ID you want to add the new certificate to. For basic SAML authentication using the web, connect to the idpcat.nsf replica on the Domino Web server.
For web users with access to their Notes IDs in the ID vault (web federated login), you need two idpcat.nsf documents. One document is for SAML authentication to the mail server; for this document, open the idpcat.nsf replica on the mail server. The second idpcat document is for access to the ID vault to allow secure mail operations; for this document, open the idpcat.nsf replica on the ID vault server.
For Notes users (Notes federated login), create the certificate from the ID vault server.
You can use this procedure if the server ID file is not password protected and if you want to create a new Internet Certificate in the server ID file. Otherwise, follow the procedure to generate the certificate manually.
To complete this task, you must be listed (or belong to a group) in the Server document, inFull Access Administrators >Administrators >Sign or run unrestricted methods and operations.
Generate the certificate automatically with the Create SP Certificatebutton in the IdP configuration document.
Note: Complete this procedure before you use the Export XML button in an IdP configuration document to export the configuration to the ServiceProvider.xml file. Then, the certificate is automatically included in the Domino metadata .xml file (ServiceProvider.xml) that you import into the IdP.
Procedure
1. Open a Web server IdP configuration document or the ID vault server IdP configuration document in idpcat.nsf. Open it on the server that you want to generate the certificate.
2. Click the Certificate Management tab.
3. Click Create SP Certificate. In the Create company certificate prompt, enter your company name and click OK to add the name to the Company Name field.
https://your_SAML_service_provider_hostname
The string in this field is used by the IdP as the initial part of the URL for sending the user's SAML assertion back to Domino.
Note: This host name should never containvault. even if the service provider ID on the Basics tab includes it.
Note: Usually, you can repeat the string you entered in the Service Provider ID field on theBasics tab. However, if you are setting up a partnership for the ID vault that is used for bothNotes® federated login and iNotes® Web federated login, instead, use the fully qualified DNS name of the iNotes server's Web address (DNS hostname, or Internet site name) in a URL. For example:https://dom1.renovations.com.
Export the Web server or ID vault server configuration toServiceProvider.xml.
Parent topic: Generating a certificate to encrypt SAML assertions
Related tasks Exporting the Domino web configuration to an .xml file Exporting the ID vault server configuration to an .xml file