Automatically generating a certificate to encrypt SAML assertions
You can generate a certificate to use to encrypt SAML assertions automatically from an IdP configuration document.
About this task
Create the certificate from the server that will authenticate users. For web users (web federated login), create the certificate for each mail server, to allow the use of secure mail operations. For Notes users (Notes federated login), create the certificate from the ID vault server.
You can use this procedure if the server ID file is not password protected and if you want to create a new Internet Certificate in the server ID file. Otherwise, follow the procedure to generate the certificate manually.
To complete this task, you must be listed (or belong to a group) in the Server document, in Full Access Administrators > Administrators > Sign or run unrestricted methods and operations.
Procedure
- Open a Web server IdP configuration document or the ID vault server IdP configuration document in idpcat.nsf. Open it on the server for which you want to generate the certificate.
- Click the Certificate Management tab.
- Click Create SP Certificate. In the Create company certificate prompt, enter your company name and click OK to add the name to the Company Name field.
  When creating the certificate, Domino® prepends "CN=" to the string in the Company name field and uses this name as the certificate subject. The name may be visible in the IdP configuration after the metadata file is imported.
- In the Domino URL field, enter a string to identify the fully qualified DNS name in a URL of the Domino® server. For example, enter: https://your_SAML_service_provider_hostname
  The string in this field is used by the IdP as the initial part of the URL for sending the user's SAML assertion back to Domino®.
  Note: This host name should never contain vault, even if the service provider ID on the Basics tab includes it.
  Note: If SSL is not configured at Domino® and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://domino1.us.renovations.com.
  Note: Usually, you can repeat the string you entered in the Service Provider ID field on the Basics tab. However, if you are setting up a partnership for the ID vault that is used for both Notes® federated login and iNotes® Web federated login, instead use the fully qualified DNS name of the iNotes® server's Web address (DNS hostname, or Internet site name) in a URL. For example: https://dom1.renovations.com.
- In the Single logout URL field, enter a URL. Even if your IdP does not require or support a single logout, you should enter a syntactically correct URL so that the exported metadata file will have proper syntax. The TFIM IdP with SAML 2.0 configuration requires a single logout URL to be specified at the IdP and in the Domino® metadata file, even though Domino® does not currently implement a SAML 2.0 single logout feature.
  An example of a logout URL for TFIM is: https://your_tfim_server.com/sps/samlTAM20/saml20
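The field rules above (Domino URL must be an absolute https URL unless SSL is off for TFIM, the host name must not contain vault, the logout URL must at least be well-formed) and the resulting exported metadata can be checked before the file is handed to the IdP. The following is an added example, not Domino code: it applies those rules and inspects a constructed sample of SP metadata; the ACS path in the sample is a placeholder, and the "vault" check is the literal rule from the note above.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

def is_absolute_http_url(url):
    # The single logout URL only needs to be syntactically correct.
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.hostname)

def check_domino_url(url, ssl_configured=True):
    # Domino URL field: absolute URL, https unless SSL is off (the TFIM case),
    # and the host name must never contain 'vault'. Returns a list of problems.
    if not is_absolute_http_url(url):
        return ["not an absolute http(s) URL"]
    p = urlparse(url)
    problems = []
    if ssl_configured and p.scheme != "https":
        problems.append("SSL is configured but the URL is not https")
    if "vault" in p.hostname.lower():
        problems.append("host name contains 'vault'")
    return problems

def check_sp_metadata(xml_text, domino_url):
    # Exported SP metadata: must carry an encryption KeyDescriptor, a well-formed
    # SingleLogoutService Location, and an AssertionConsumerService under the Domino URL.
    sp = ET.fromstring(xml_text).find(MD + "SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor"]
    problems = []
    if "encryption" not in {k.get("use") for k in sp.findall(MD + "KeyDescriptor")}:
        problems.append("no KeyDescriptor with use='encryption'")
    slo = sp.find(MD + "SingleLogoutService")
    if slo is None or not is_absolute_http_url(slo.get("Location", "")):
        problems.append("SingleLogoutService missing or Location malformed")
    acs = sp.find(MD + "AssertionConsumerService")
    if acs is None or not acs.get("Location", "").startswith(domino_url.rstrip("/") + "/"):
        problems.append("AssertionConsumerService Location is not under the Domino URL")
    return problems

# Constructed sample metadata; the ACS path is a placeholder, not Domino's real path.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://dom1.renovations.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://your_tfim_server.com/sps/samlTAM20/saml20"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dom1.renovations.com/ACS_PATH_PLACEHOLDER" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

An empty list from either function means the field values or the metadata pass the checks; otherwise each string names one problem to fix before importing the metadata at the IdP.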