About this task
Configuring SAML requires at least two tasks: specifying SAML authentication in the Domino Directory, and creating a document to contain SAML configuration settings. Depending on whether your organization uses Internet Sites, you specify the authentication in either the Server document or in one or more Internet Site documents. The SAML configuration settings are then specified in IdP Configuration document(s) in the IdP Catalog (idpcat.nsf) application.
Together, these documents determine whether Domino, as the SAML service provider, trusts SAML assertions from a specified identity provider (IdP). The IdP's public key, stored in an IdP Configuration document in the IdP Catalog application, is used for cryptographic verification of a SAML assertion issued by the IdP.
It is recommended that you secure the SAML configuration with SSL (HTTPS); if your identity provider is Microsoft Active Directory Federation Services (ADFS), SSL is required.
Tip: SAML requires matching configuration on both Domino and the identity provider (IdP), so a failure is hard to diagnose unless the Domino Web server is already known to work on its own. Before configuring SAML, set up the Domino HTTP server for single-server session authentication and confirm that you can log in as a Web user (for example, as the Domino administrator registered in the Domino Directory during server setup) and browse URLs on the server. Once that works, the server is ready for SAML configuration and enablement.
Note: When your organization uses SAML for session authentication, the IdP, not Domino, verifies the user's credentials. Disable the field Enforce Internet Password Lockout on the Security tab of the server Configuration document, and disable any Web password management settings (such as synchronizing the Notes® client password with the Internet password) that are enabled in security policies applied to SAML users. For more information on Internet password lockout, see the related topic.
Procedure
Perform the following tasks:
2. Creating a Domino metadata file manually If the Domino server.id file is password-protected, the administrator must create the SAML metadata file and the certificate file manually; the Create Certificate button in the IdP Catalog application cannot be used. You must also create the metadata file manually if you intend to verify SAML assertions using an Internet certificate that already exists in the server ID file.
3. Configuring SAML from the Internet Site (Web Site) document Use this procedure when configuring SAML authentication for Domino in one or more Internet Site (Web Site) documents.
4. Using Domino as a SAML-based security provider with SSL It is recommended, for security reasons, that if you are configuring federated-identity authentication on a Domino Web server, you secure the server with SSL (https protocol). In addition, SSL configuration is required if your IdP uses ADFS. SSL is not required, however, if the Domino server is not configured as a Web server, for example a Domino server used only to host the ID vault that supports federated login for the Notes client.
5. Encrypting SAML assertions Your organization may require SAML assertions to be encrypted if assertions include attributes that contain sensitive personal data, for example, social security numbers.
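When the metadata file has to be produced by hand (task 2) or the IdP must be given a key to encrypt assertions to (task 5), it helps to see the shape of a SAML 2.0 service-provider metadata document. The following is an added example written for this page, not HCL Domino code and not the format the IdP Catalog generates; the entity ID, assertion consumer service URL and certificate bytes are constructed placeholders. It builds a minimal SP metadata file with a signing and an encryption KeyDescriptor, and parses it back to check the values an IdP administrator would look at.

```python
"""Build and read a minimal SAML 2.0 service-provider (SP) metadata file.

Added example (not HCL Domino code): it shows what an SP hands to an IdP
when the metadata file has to be written by hand, and how the signing and
encryption certificates are embedded as bare base64 DER. The entity ID,
ACS URL and certificate bytes below are constructed placeholders.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"md": NS_MD, "ds": NS_DS}
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)

# Constructed stand-in for a real DER-encoded X.509 certificate (assumption).
SAMPLE_DER = b"constructed placeholder: not a real DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def pem_to_b64(pem: str) -> str:
    """Strip PEM armour and line breaks; <ds:X509Certificate> carries bare base64 DER.
    Decoding it here rejects a truncated or mangled paste before the IdP does."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    body = "".join(m.group(1).split())
    try:
        base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    return body


def build_sp_metadata(entity_id, acs_url, signing_pem, encryption_pem=None):
    """Return SP metadata XML. WantAssertionsSigned=true tells the IdP the SP
    will verify assertion signatures; the encryption KeyDescriptor is the key
    the IdP encrypts assertions to, so only the SP holding that key can read them."""
    root = ET.Element(f"{{{NS_MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{NS_MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    for use, pem in (("signing", signing_pem), ("encryption", encryption_pem)):
        if pem is None:
            continue
        kd = ET.SubElement(sp, f"{{{NS_MD}}}KeyDescriptor", {"use": use})
        ki = ET.SubElement(kd, f"{{{NS_DS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{NS_DS}}}X509Data")
        ET.SubElement(x509, f"{{{NS_DS}}}X509Certificate").text = pem_to_b64(pem)
    ET.SubElement(sp, f"{{{NS_MD}}}NameIDFormat").text = NAMEID_EMAIL
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService", {
        "Binding": BINDING_POST, "Location": acs_url, "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def parse_sp_metadata(xml_text):
    """Read back the fields an IdP administrator checks. Metadata received from a
    third party should be parsed with defusedxml rather than bare ElementTree."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_MD}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor")
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        der = base64.b64decode("".join(cert.text.split()), validate=True)
        # Per the metadata spec, a KeyDescriptor without 'use' serves both purposes.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            certs[use] = der
    acs = sp.find("md:AssertionConsumerService", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location") if acs is not None else None,
        "wants_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "signing_cert_der": certs.get("signing"),
        "encryption_cert_der": certs.get("encryption"),
    }


if __name__ == "__main__":
    xml_out = build_sp_metadata("https://sp.example.test/saml",
                                "https://sp.example.test/saml/acs",
                                SAMPLE_PEM, SAMPLE_PEM)
    print(xml_out)
    print(parse_sp_metadata(xml_out))
```

In a real deployment the signing certificate is the one whose private key lives in the server ID file, and the encryption KeyDescriptor is only needed when assertions are to be encrypted; the IdP must be given the same metadata (or at least the same certificate) it is expected to trust, otherwise assertion verification fails silently at the SP.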
Related tasks
Securing Internet passwords
Creating an Internet site document