IBM Domino Administrator 9.0.1 Social Edition Help

SECURING

Creating a Domino metadata file manually
If the Domino® server.id file has a password, you as the administrator must create the SAML metadata file and the certificate file manually; the Create Certificate button in the IdP Catalog application cannot be used. You must also create the metadata file manually if you intend to verify SAML assertions using an Internet certificate that already exists in the server ID file.

Procedure

1. Edit the Domino server NOTES.INI file and enter the following required settings:

SAMLAuthVersion=

value

Where the values are:

1 - for SAML 1.1

2 - for SAML 2.0

SAMLUrl=https://your_SAML_service_provider_hostname

For example, https://domino1.us.renovations.com

Note: If your Domino server will not be enabled for SSL (required with an ADFS IdP, but not with a TFIM IdP), then this URL must start with http instead of https, for example, http://domino1.us.renovations.com

SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20

If your federation is IBM® Tivoli® Federated Identity Manager, this setting specifies the log-out URL. If your federation does not require or support a log-out URL, you should still enter a URL like the one above, to ensure proper syntax for the export metadata.

2. If the server ID file already has an Internet certificate that can be used, this step is optional. At the Domino server console on the Domino server, enter the following command to create the certificate. if the company name is more than one word, enclose the name in quotation marks (") as shown:

certmgmt create saml [overwrite][company "Renovations Home Improvement"]

Note: If you do not specify a company, then the default SAML Signing is used.

3. Take note of the public key hash that displays on the console when you issued the certmgmt create saml command. The key is the string that follows public key hash=. In the following example, the key is v6i9TOz7zP9GBCXxtrz+KA==

Certificate created, public key hash=v6i9TOz7zP9GBCXxtrz+KA==

4. Edit the Domino server NOTES.INI file again and enter the following required setting, using the hash key you noted in step 3:

SAMLPublicKeyHash=

your_hash_key

Tip: If you do not have a note of the hash key – for example, you are not the administrator who performed the previous steps, or if you want to use a different existing certificate – you can use the CERTMGMT SHOW ALL command to display the key.

5. Enter the following NOTES.INI setting, using any string convenient to your administrators:

SAMLCompanyName=

your_organization_name

The text you enter for your_organization_name must match the company name as supplied in step 2 when you created the certification (certmgmt create saml). Alternatively your_organization_name can match the Subject Name that displays when you issued the CERTMGMT SHOW ALL command. If no company name was supplied in step 2, then use SAML Signing for the value of SAMLCompanyName, for example:

SAMLCompanyName=SAML Signing

6. Enter the following command to generate a metadata .XML file (for example, tfim-meta.xml for TFIM) to import into your federation:

certmgmt export saml xml filename.xml

7. Copy the exported certificate file from Domino to a location accessible to the IdP, and import the file into the IdP configuration.

8. Open the idpcat.nsf and the document for the corresponding partnership. On the Certificate Management tab, under Certificate management settings, copy and paste the public key hash used in previous steps into the field Certificate public key hash value (base 64).

What to do next

For more information, search the Notes® and Domino wiki for articles on configuring the TFIM and ADFS federations for SAML with Domino. IBM technote #1614543 in the related topics will eventually provide links to all such articles.

Parent topic: Configuring SAML in Domino
Previous topic: Enabling the Domino Web server to provide SAML authentication
Next topic: Configuring SAML from the Internet Site (Web Site) document

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Feedback on Help or Usability?

Help on Help

All Help Contents