If the Domino® server.id file has a password, you as the administrator must create the SAML metadata file and the certificate file manually; the Create SP Certificate button in the IdP Catalog application cannot be used. You must also create the metadata file manually if you intend to verify SAML assertions using an Internet certificate that already exists in the server ID file.
Procedure
1. Edit the Domino server NOTES.INI file and enter the following required settings:

   SAMLAuthVersion=value

   where value is one of:
   1 - for SAML 1.1
   2 - for SAML 2.0

   SAMLUrl=https://your_SAML_service_provider_hostname

   For example, https://domino1.us.renovations.com

   Note: If your Domino server will not be enabled for SSL (required with an ADFS IdP, but not with a TFIM IdP), then this URL must start with http instead of https, for example, http://domino1.us.renovations.com

   SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20

   If your federation is IBM® Tivoli® Federated Identity Manager, this setting specifies the log-out URL. If your federation does not require or support a log-out URL, you should still enter a URL like the one in the preceding example, to ensure proper syntax for the exported metadata.

2. At the Domino server console, enter the following command to create the certificate. If the server ID file already has an Internet certificate that can be used, this step is optional. If the company name is more than one word, enclose the name in quotation marks (") as shown:

   certmgmt create saml [overwrite] [company "Renovations Home Improvement"]

   Note: If you do not specify a company, then the default SAML Signing is used.

3. Take note of the public key hash that is displayed on the console when you issue the certmgmt create saml command. The key is the string that follows public key hash=. In the following example, the key is v6i9TOz7zP9GBCXxtrz+KA==

   Certificate created, public key hash=v6i9TOz7zP9GBCXxtrz+KA==

4. Edit the Domino server NOTES.INI file again and enter the following required setting, using the hash key you noted in step 3:

   SAMLPublicKeyHash=your_hash_key

   Tip: If you do not have a note of the hash key (for example, you are not the administrator who performed the previous steps, or you want to use a different existing certificate), you can use the CERTMGMT SHOW ALL command to display the key.

5. Enter the following NOTES.INI setting, using any string convenient to your administrators:

   SAMLCompanyName=your_organization_name

   The text you enter for your_organization_name must match the company name supplied in step 2 when you created the certificate (certmgmt create saml). Alternatively, your_organization_name can match the Subject Name that is displayed when you issue the CERTMGMT SHOW ALL command. If no company name was supplied in step 2, use SAML Signing as the value of SAMLCompanyName, for example:

   SAMLCompanyName=SAML Signing

6. Enter the following command to generate a metadata .XML file (for example, tfim-meta.xml for TFIM) to import into your federation:

   certmgmt export saml xml filename.xml

7. Copy the exported certificate file to a location from which you can import it into the IdP configuration document you are configuring.

8. Open the appropriate IdP configuration document. On the Certificate Management tab, under Certificate management settings, copy and paste the public key hash used in the previous steps into the field Certificate public key hash value (base 64).
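The following script is an added example and is not part of the Domino documentation or product. It reads a NOTES.INI fragment and checks the five SAML settings the procedure asks for against the rules stated in the steps: SAMLAuthVersion is 1 or 2, SAMLUrl uses https (or http when the server is not SSL-enabled), SAMLSloUrl is a well-formed URL even when log-out is unused, SAMLPublicKeyHash is base64 and matches the hash printed by certmgmt create saml, and SAMLCompanyName is set. The sample NOTES.INI lines and console line are constructed from the placeholder values in the procedure, and the ssl_enabled flag is an assumption the caller supplies to say whether the server's HTTP task uses SSL.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample NOTES.INI fragment; hostnames and hash are the placeholders from the procedure.
SAMPLE_NOTES_INI = """\
ServerTasks=Update,Replica,Router,AMgr,Adminp,HTTP
SAMLAuthVersion=2
SAMLUrl=https://domino1.us.renovations.com
SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20
SAMLPublicKeyHash=v6i9TOz7zP9GBCXxtrz+KA==
SAMLCompanyName=Renovations Home Improvement
"""

# Constructed console line in the shape shown for 'certmgmt create saml' in step 3.
SAMPLE_CONSOLE_LINE = "Certificate created, public key hash=v6i9TOz7zP9GBCXxtrz+KA=="

REQUIRED_KEYS = ("SAMLAuthVersion", "SAMLUrl", "SAMLSloUrl",
                 "SAMLPublicKeyHash", "SAMLCompanyName")


def parse_notes_ini(text):
    """Parse key=value lines into a dict keyed by lower-cased name (NOTES.INI keys are case-insensitive)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def hash_from_console(line):
    """Return the string that follows 'public key hash=' in certmgmt output, or None if absent."""
    match = re.search(r"public key hash=(\S+)", line)
    return match.group(1) if match else None


def is_valid_base64(value):
    """True if value is well-formed base64 (the public key hash is stored base64-encoded)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def check_saml_settings(settings, ssl_enabled=True, console_hash=None):
    """Return a list of problems found; an empty list means every check passed.

    ssl_enabled is an assumption supplied by the caller: whether the Domino
    HTTP task is SSL-enabled, which decides the scheme SAMLUrl must use.
    """
    problems = []
    missing = [k for k in REQUIRED_KEYS if k.lower() not in settings]
    if missing:
        return ["missing required setting(s): " + ", ".join(missing)]

    if settings["samlauthversion"] not in ("1", "2"):
        problems.append("SAMLAuthVersion must be 1 (SAML 1.1) or 2 (SAML 2.0)")

    sp_url = urlparse(settings["samlurl"])
    expected_scheme = "https" if ssl_enabled else "http"
    if sp_url.scheme != expected_scheme or not sp_url.netloc:
        problems.append(f"SAMLUrl must start with {expected_scheme}:// and name the SP host")

    slo_url = urlparse(settings["samlslourl"])
    if slo_url.scheme not in ("http", "https") or not slo_url.netloc:
        problems.append("SAMLSloUrl must be a syntactically valid URL even if log-out is unused")

    key_hash = settings["samlpublickeyhash"]
    if not is_valid_base64(key_hash):
        problems.append("SAMLPublicKeyHash is not valid base64")
    elif console_hash is not None and key_hash != console_hash:
        problems.append("SAMLPublicKeyHash does not match the hash reported by certmgmt")

    if not settings["samlcompanyname"]:
        problems.append("SAMLCompanyName is empty; use the certmgmt company name or 'SAML Signing'")

    return problems


if __name__ == "__main__":
    ini = parse_notes_ini(SAMPLE_NOTES_INI)
    found = check_saml_settings(ini, ssl_enabled=True,
                                console_hash=hash_from_console(SAMPLE_CONSOLE_LINE))
    print("OK" if not found else "\n".join(found))
```

Run it against a copy of the real NOTES.INI by replacing SAMPLE_NOTES_INI with the file contents and pasting the console line from step 3; a mismatch between SAMLPublicKeyHash and the certmgmt output is the error that most often leaves the IdP unable to validate the SP signature, so it is the first thing the check reports after the settings are present.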
What to do next

Export the Web server IdP configuration or ID vault server IdP configuration to idp.xml.