If the Domino® server.id file has a password, you as the administrator must create the SAML metadata file and the certificate file manually; the Create SP Certificate button in the IdP Catalog application cannot be used. You must also create the metadata file manually if you intend to verify SAML assertions using an Internet certificate that already exists in the server ID file.
About this task
Note: If you've configured SAML to use AuthnRequest, you cannot use this procedure if a server ID file is password-protected. As a workaround, use the Create SP Certificate button in the IdP configuration document without a password-protected server ID file, as described in Automatically generating a certificate to encrypt SAML assertions. Then reset the password on the server ID.
Procedure
1. Edit the Domino server NOTES.INI file and enter the following required settings:
Where the values are:
1 - for SAML 1.1
2 - for SAML 2.0
SAMLUrl=https://your_SAML_service_provider_hostname
For example, https://domino1.us.renovations.com
Note: If your Domino server will not be enabled for TLS (required with an ADFS IdP), then this URL must start with http instead of https, for example, http://domino1.us.renovations.com
SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20
If your federation does not require or support a log-out URL, you should still enter a URL like the one in the preceding example, to ensure proper syntax for the exported metadata.
Note: If you do not specify a company, then the default SAML Signing is used.
Tip: If you do not have a note of the hash key – for example, you are not the administrator who performed the previous steps, or if you want to use a different existing certificate – you can use the CERTMGMT SHOW ALL command to display the key.
The text you enter for your_organization_name must match the company name as supplied in step 2 when you created the certificate (certmgmt create saml). Alternatively, your_organization_name can match the Subject Name that displays when you issued the CERTMGMT SHOW ALL command. If no company name was supplied in step 2, then use SAML Signing for the value of SAMLCompanyName, for example:
SAMLCompanyName=SAML Signing
8. Open the appropriate IdP configuration document. On the Certificate Management tab, under Certificate management settings, copy and paste the public key hash used in previous steps into the field Certificate public key hash value (base 64).
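A pre-flight check of the NOTES.INI SAML settings this procedure describes, added here as an example and not part of the HCL documentation or product: it parses a constructed NOTES.INI fragment and flags the conditions the steps above warn about (http versus https depending on TLS, a missing log-out URL, a missing SAMLCompanyName). The setting that carries the SAML version is not named on this page, so it is not checked.

```python
"""Pre-flight check of SAML-related NOTES.INI settings (added example, not HCL code)."""
from urllib.parse import urlparse

# Constructed sample fragment using the hostnames shown in the procedure.
SAMPLE_NOTES_INI = """\
; constructed sample, not a real server's NOTES.INI
SAMLUrl=https://domino1.us.renovations.com
SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20
SAMLCompanyName=SAML Signing
"""


def parse_notes_ini(text):
    """Return a dict of setting -> value; keys are lower-cased, as NOTES.INI is case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def check_saml_settings(text, tls_enabled):
    """Return a list of problems; an empty list means the fragment passes these checks."""
    s = parse_notes_ini(text)
    problems = []
    url = s.get("samlurl", "")
    scheme = urlparse(url).scheme if url else ""
    if not url:
        problems.append("SAMLUrl is missing")
    elif tls_enabled and scheme != "https":
        problems.append("SAMLUrl must start with https when the server uses TLS")
    elif not tls_enabled and scheme != "http":
        problems.append("SAMLUrl must start with http when the server is not TLS-enabled")
    # The procedure says to enter a log-out URL even if the federation does not use one.
    slo = s.get("samlslourl", "")
    if not slo or urlparse(slo).scheme not in ("http", "https"):
        problems.append("SAMLSloUrl is missing or not an absolute URL")
    # SAMLCompanyName must match the certificate's company name, or be "SAML Signing".
    if not s.get("samlcompanyname"):
        problems.append("SAMLCompanyName is missing (use 'SAML Signing' if no company was given)")
    return problems


if __name__ == "__main__":
    for issue in check_saml_settings(SAMPLE_NOTES_INI, tls_enabled=True):
        print("WARN:", issue)
```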
What to do next
Export the Web server IdP configuration or ID vault server IdP configuration to idp.xml.