Encrypting SAML assertions
Your organization may require SAML assertions to be encrypted if they include attributes that carry sensitive personal data, such as social security numbers.

About this task

Domino® encrypts the entire SAML assertion; partial encryption of individual attributes is not available.

You can create an Internet certificate and use its key pair to protect assertions: the IdP encrypts each assertion with the certificate's public key, and Domino decrypts it with the matching private key. Store this certificate and its private key in the Domino server.id file. The certificate's key usage must permit encryption. The identity provider (IdP) must also store the certificate (without the private key).

The Internet certificate and private key can be the same ones used for SAML signing. For more information, see the steps for filling out the Certificate Management tab of the IDP Configuration document, described earlier in this sequence in the task on enabling the Domino Web server to provide SAML authentication.
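Because Domino decrypts only whole assertions, it is worth checking a captured IdP response after configuration to confirm the assertion arrives as a single EncryptedAssertion and that no sensitive attribute is still in the clear. The following inspector is an added example, not code from the Domino documentation; the two SAML responses it parses are constructed samples.

```python
# Added example (not from the Domino documentation): classify how a SAML 2.0
# Response protects its assertion, so a defender can confirm that the IdP
# really emits a whole-assertion EncryptedAssertion (what Domino expects)
# rather than plaintext or per-attribute encryption. Sample XML is constructed.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def inspect_saml_response(xml_text: str) -> dict:
    """Return the protection status plus any attribute names still in cleartext."""
    root = ET.fromstring(xml_text)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    plain = root.findall("saml:Assertion", NS)
    # Attribute names visible in a plaintext assertion (would leak in transit)
    plain_attrs = [a.get("Name") for asrt in plain
                   for a in asrt.findall(".//saml:Attribute", NS)]
    # Per-attribute encryption: not decryptable by Domino, which needs the whole assertion
    enc_attr_count = sum(len(asrt.findall(".//saml:EncryptedAttribute", NS))
                         for asrt in plain)
    if encrypted and not plain:
        status = "whole-assertion-encrypted"
    elif enc_attr_count:
        status = "partially-encrypted"
    else:
        status = "plaintext"
    return {"status": status, "plaintext_attributes": plain_attrs,
            "encrypted_attribute_count": enc_attr_count}

# Constructed sample: plaintext assertion carrying a sensitive attribute
PLAINTEXT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="ssn"><saml:AttributeValue>000-00-0000</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the whole assertion wrapped in EncryptedAssertion
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>BASE64-CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""
```

Running `inspect_saml_response` over a response captured from the IdP (for example with a browser SAML tracer) reports "plaintext" or "partially-encrypted" when the IdP side of the configuration is incomplete.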

Procedure

See the related topic on the Notes and Domino wiki about encrypting SAML assertions with the federation software your organization uses (ADFS or TFIM).

Related information
Encrypting SAML assertions
Supplementary information on Security Assertion Markup Language (SAML) configuration combinations of IBM Domino and other products