Manually generating a certificate to encrypt SAML assertions

If the Domino® server.id file has a password, you as the administrator must create the SAML metadata file and the certificate file manually; the Create SP Certificate button in the IdP Catalog application cannot be used. You must also create the metadata file manually if you intend to verify SAML assertions using an Internet certificate that already exists in the server ID file.

About this task

Note: If you've configured SAML to use AuthnRequest, you cannot use this procedure if the server ID file is password-protected. As a workaround, use the Create SP Certificate button in the IdP configuration document without a password-protected server ID file, as described in Automatically generating a certificate to encrypt SAML assertions. Then reset the password on the server ID.

Procedure

1. Edit the Domino server NOTES.INI file and enter the following required settings:


2. If the server ID file already has an Internet certificate that can be used, this step is optional. At the Domino server console, enter the following command to create the certificate. If the company name is more than one word, enclose the name in quotation marks (") as shown:
3. Take note of the public key hash that is displayed on the console when you issue the certmgmt create saml command. The key is the string that follows public key hash=. In the following example, the key is v6i9TOz7zP9GBCXxtrz+KA==
4. Edit the Domino server NOTES.INI file again and enter the following required setting, using the public key hash you noted in step 3:
5. Enter the following NOTES.INI setting, using any string convenient to your administrators:
6. Enter the following command to generate a metadata.XML file to import into your federation:
7. Copy the exported certificate file to a location from where you can import it into the IdP configuration document you are configuring.

8. Open the appropriate IdP configuration document. On the Certificate Management tab, under Certificate management settings, copy and paste the public key hash used in previous steps into the field Certificate public key hash value (base 64).
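The same public key hash has to be copied from the console into NOTES.INI (step 4) and into the IdP configuration document (step 8); a truncated or mismatched paste leaves the server unable to decrypt assertions. The following added example (not part of the Domino documentation or product) extracts the value after public key hash= from captured console output, checks that it is well-formed base64 of the same length as the page's example, and confirms that the NOTES.INI value and the IdP document value agree with it. The console output lines other than the hash token, and the NOTES.INI setting name, are constructed placeholders.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample of the console output from step 3. Only the token
# "public key hash=" and the example value come from the page; the other
# lines are assumed and will differ on a real server.
SAMPLE_CONSOLE_OUTPUT = """\
> certmgmt create saml "Example Company"
Creating SAML certificate for Example Company
Certificate created, public key hash=v6i9TOz7zP9GBCXxtrz+KA==
"""

# The NOTES.INI setting name for the hash is not given on this page, so this
# is a placeholder; pass the real setting name to hashes_agree().
SAML_CERT_HASH_SETTING = "PLACEHOLDER_SAML_PUBLIC_KEY_HASH"
SAMPLE_NOTES_INI = f"""\
ServerTasks=Update,Replica,Router,AMgr,Adminp,HTTP
{SAML_CERT_HASH_SETTING}=v6i9TOz7zP9GBCXxtrz+KA==
"""

_HASH_RE = re.compile(r"public key hash=(\S+)")

def extract_public_key_hash(console_output: str) -> Optional[str]:
    """Return the string following 'public key hash=' in console output, or None."""
    m = _HASH_RE.search(console_output)
    return m.group(1) if m else None

def is_valid_hash(value: str) -> bool:
    """Reject pastes that are not strict base64 or do not decode to the
    16 bytes the page's example value decodes to (catches truncation)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 16

def notes_ini_value(notes_ini: str, setting: str) -> Optional[str]:
    """Return the value of a NOTES.INI setting (case-insensitive key match)."""
    for line in notes_ini.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == setting.lower():
            return val.strip()
    return None

def hashes_agree(console_output: str, notes_ini: str, idp_doc_hash: str,
                 setting: str = SAML_CERT_HASH_SETTING) -> bool:
    """True only when console, NOTES.INI and IdP document carry one valid hash."""
    h = extract_public_key_hash(console_output)
    return (h is not None and is_valid_hash(h)
            and notes_ini_value(notes_ini, setting) == h
            and idp_doc_hash.strip() == h)
```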

What to do next

Export the Web server IdP configuration or ID vault server IdP configuration to idp.xml.

Parent topic: Generating a certificate to encrypt SAML assertions

Related tasks
Exporting the Domino web configuration to an .xml file
Exporting the ID vault server configuration to an .xml file