About this task

If you are configuring Notes® federated login, you will be setting up a TFIM partnership for the Notes id vault server. The id vault server is not required to be configured as an HTTP server, however for most SAML 2.0 configurations, the id vault server's server id file must contain an Internet certificate.

Tip: If you are configuring the IdP partnership for encrypted assertions, the federation must be SAML 2.0 and the Internet certificate for the Domino server partnership must have key usage set for encryption.

For most SAML 2.0 configurations, the Domino HTTP (SAML service provider) server's ID file must contain an Internet certificate. It is recommended that you create a new Internet certificate for SAML, by using either the IdP Catalog application Create Certificate button, or the server console CERTMGMT command. It is allowed to create a new Internet certificate by other methods, for example using the Domino certificate authority (CA), as long as the Internet certificate key usage allows for signing. If you want to use an existing Internet signing certificate (for example, one used for SSL), you can use the same certificate for the SAML partnership, although you must use the server console CERTMGMT command to assist with the setup.

Tip: If you use the server's SSL certificate, you would export the certificate and private key from the SSL keyring file into a file in PKCS12 format. Then you would use the User Security dialog box in the Notes client to import the certificate and private key from the PKCS12 file into the server's ID file.

You can find general instructions and documentation for setting up a TFIM partner in the related topics. If you use the server's SSL certificate, you would export the certificate and private key from the SSL keyring file into a file in PKCS12 format. Then you would use the User Security dialog box in the Notes client to import the certificate and private key from the PKCS12 file into the server's ID file.

Procedure

1. While creating the TFIM federation on the IdP, use the exported Domino metadata file. See the related topic on setting up a Tivoli Federated Identity Manager (TFIM) federation.

2. Set up the partnership with the following values:

• Specify HTTP Post for the partner.
• The service provider ID should be the same as the Web hostname for the Domino HTTPS server, for example, https://domino1.us.renovations.com.

  Note: If SSL is not configured at Domino, this setting would include http instead of https, for example: http://domino1.us.renovations.com.

• The assertion consumer URL uses your server Web URL, the Domino Directory file name, and a required command (?SAMLLogin), for example, https://domino1.us.renovations.com/names.nsf?SAMLLogin

After both the IdP Configuration document and the Domino server partnership are in place, restart the Domino HTTP server so that SAML authentication can take effect.

At the server console, start the HTTP process by typing:

load HTTP

If the HTTP process is already running, type:

tell HTTP restart

For more details, search the Notes and Domino wiki for an article on making the Domino server a partner with TFIM. IBM technote #1614543 in the related topics provides links to many such articles.

Parent topic: Setting up a TFIM server as the identity provider (IdP)
Previous topic: Setting up a Tivoli Federated Identity Manager (TFIM) federation
Next topic: Registering the TFIM identity provider server with Domino as the SAML service provider

Related information
IBM Tivoli Federated Identity Manager, Version 6.2.1 : Adding your partner
Supplementary information on Security Assertion Markup Language (SAML) configuration combinations of IBM Domino and other products

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Feedback on Help or Usability?

Help on Help