

Creating a Web server IdP configuration document

Create an IdP configuration document for Web servers that will participate in SAML authentication.

Before you begin

Have the metadata .xml file that you exported from your IdP, for example FederationMetadata.xml, in a location from which you can access it so that you can import it into the IdP configuration document.

Note: If you will create another IdP configuration document, for example, for federated login with the ID vault, make a backup copy of the file; when you import the .xml file into the IdP configuration document, the .xml file is deleted from your local system.
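The following is an added example, not part of the product documentation: a Python sketch that makes the backup copy described in the note and lists the entity ID, sign-on endpoints, and signing-certificate SHA-256 fingerprints from the metadata, so that you can compare them with the values your IdP administrator gives you before you import the file. The function names, the .bak suffix, and the adfs.example.com sample are assumptions; the sketch expects a single EntityDescriptor root element.

```python
import base64
import hashlib
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata, not from a real IdP; the certificate is dummy bytes.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>Y29uc3RydWN0ZWQgc2FtcGxl</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <SingleSignOnService Location="https://adfs.example.com/adfs/ls/"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def backup_and_inspect(path):
    """Copy the metadata file aside (the import deletes it), then summarize the copy."""
    backup = Path(f"{path}.bak")
    shutil.copy2(path, backup)
    root = ET.parse(backup).getroot()
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    prints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key, not used to verify assertions
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            prints.append(hashlib.sha256(der).hexdigest())
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)]
    return {"backup": backup.name, "entity_id": root.get("entityID"),
            "signing_sha256": prints, "sso": sso,
            "non_https": [u for u in sso if not u.lower().startswith("https://")]}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "FederationMetadata.xml"
        sample.write_text(SAMPLE, encoding="utf-8")
        return backup_and_inspect(sample)

if __name__ == "__main__":
    print(demo())
```

A non-empty non_https list, or a fingerprint that does not match the IdP's signing certificate, is a reason to stop and obtain a fresh export before importing.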

About this task

If your Web servers are behind a load balancer or IP sprayer, create one Web server IdP configuration document. Your IdP will connect to the load balancer or IP sprayer. If your Web servers are not behind a load balancer or IP sprayer, create a separate IdP configuration document for each Web server.

Procedure

1. Open idpcat.nsf.

2. Click Add IdP Config to create a new configuration document.

3. Click Import XML file and select the metadata .xml file you exported from your IdP. In ADFS, this file name is typically FederationMetadata.xml.


4. In the Basics tab > Host names or addresses mapped to this site field, configure the Web server DNS host name or host names.
5. For State select Disabled. Enable it later as part of the procedure Enabling SAML Authentication in Domino.

6. In the Service provider ID field, enter a value to identify the Web servers as a service provider partner with the IdP.


7. In the Basics tab, IdP name field, enter a name to identify the Web site of the identity provider; the name does not have to be exact, and is only for your administrative convenience.

8. Save and close the IdP configuration document. You see the following message because the IdP configuration document is currently disabled and the service provider URL cannot be resolved. Click Yes to go ahead and save.


9. Optional: If you want to ensure that SAML assertions are encrypted to help protect sensitive data, complete the task Generating a certificate to encrypt SAML assertions. Your organization may require SAML assertions to be encrypted if assertions include attributes that contain sensitive personal data, for example, social security numbers. Domino encrypts entire SAML assertions; partial encryption of specific attributes is not available. Complete the task before you complete the task Exporting the Domino web configuration to an .xml file, so that the certificate is included in the ServiceProvider.xml file.
