Manually generating a certificate to encrypt SAML assertions
If the Domino® server.id file has a password, you as the administrator must create the SAML metadata file and the certificate file manually; the Create SP Certificate button in the IdP Catalog application cannot be used. You must also create the metadata file manually if you intend to verify SAML assertions using an Internet certificate that already exists in the server ID file.
About this task
Note: If you've configured SAML to use AuthnRequest, you cannot use this procedure if a server ID file is password-protected. As a workaround, use the Create SP Certificate button in the IdP configuration document without a password-protected server ID file, as described in Automatically generating a certificate to encrypt SAML assertions. Then reset the password on the server ID.
Procedure
- Edit the Domino® server NOTES.INI file and enter the following required settings:
  SAMLAuthVersion=value
  Where value is:
  1 - for SAML 1.1
  2 - for SAML 2.0
  SAMLUrl=https://your_SAML_service_provider_hostname
  For example, https://domino1.us.renovations.com
  Note: If your Domino® server will not be enabled for TLS (required with an ADFS IdP), then this URL must start with http instead of https, for example, http://domino1.us.renovations.com
  SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20
  If your federation does not require or support a log-out URL, you should still enter a URL like the one in the preceding example, to ensure proper syntax for the exported metadata.
- If the server ID file already has an Internet certificate that can be used, this step is optional. At the Domino® server console, enter the following command to create the certificate. If the company name is more than one word, enclose the name in quotation marks (") as shown:
  certmgmt create saml [overwrite] [company "Renovations Home Improvement"]
  Note: If you do not specify a company, then the default SAML Signing is used.
- Take note of the public key hash that displays on the console when you issued the certmgmt create saml command. The key is the string that follows public key hash=. In the following example, the key is v6i9TOz7zP9GBCXxtrz+KA==
  Certificate created, public key hash=v6i9TOz7zP9GBCXxtrz+KA==
- Edit the Domino® server NOTES.INI file again and enter the following required setting, using the hash key you noted in step 3:
  SAMLPublicKeyHash=your_hash_key
  Tip: If you do not have a note of the hash key – for example, you are not the administrator who performed the previous steps, or you want to use a different existing certificate – you can use the CERTMGMT SHOW ALL command to display the key.
- Enter the following NOTES.INI setting, using any string convenient to your administrators:
  SAMLCompanyName=your_organization_name
  The text you enter for your_organization_name must match the company name as supplied in step 2 when you created the certificate (certmgmt create saml). Alternatively, your_organization_name can match the Subject Name that displays when you issued the CERTMGMT SHOW ALL command. If no company name was supplied in step 2, then use SAML Signing for the value of SAMLCompanyName, for example: SAMLCompanyName=SAML Signing
- Enter the following command to generate a metadata .XML file to import into your federation:
  certmgmt export saml xml filename.xml
- Copy the exported certificate file to a location from where you can import it into the IdP configuration document you are configuring.
- Open the appropriate IdP configuration document. On the Certificate Management tab, under Certificate management settings, copy and paste the public key hash used in previous steps into the field Certificate public key hash value (base 64).
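As an added example that is not part of this documentation or of Domino itself, the following Python script checks a NOTES.INI fragment against the constraints given in steps 1 through 5 and confirms that SAMLPublicKeyHash matches the hash printed by certmgmt create saml. The sample settings and console line are constructed from the examples above; the check function is hypothetical administrator tooling, not a Domino utility.

```python
import re

# Constructed NOTES.INI fragment (not from a real server); the hostnames and hash
# mirror the examples in the procedure above.
SAMPLE_NOTES_INI = """\
SAMLAuthVersion=2
SAMLUrl=https://domino1.us.renovations.com
SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20
SAMLPublicKeyHash=v6i9TOz7zP9GBCXxtrz+KA==
SAMLCompanyName=Renovations Home Improvement
"""
# Constructed console line in the format certmgmt create saml prints (step 3).
SAMPLE_CONSOLE_LINE = "Certificate created, public key hash=v6i9TOz7zP9GBCXxtrz+KA=="

def parse_notes_ini(text):
    """Return {setting: value} for KEY=VALUE lines; blanks and ';' comments are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(";"):
            settings[key.strip()] = value.strip()
    return settings

def hash_from_console(line):
    """Extract the string that follows 'public key hash=' in certmgmt output."""
    match = re.search(r"public key hash=(\S+)", line)
    return match.group(1) if match else None

def check_saml_settings(ini, console_hash=None, tls_enabled=True):
    """Cross-check the SAML settings the procedure requires; returns a list of problems."""
    problems = []
    if ini.get("SAMLAuthVersion") not in ("1", "2"):
        problems.append("SAMLAuthVersion must be 1 (SAML 1.1) or 2 (SAML 2.0)")
    scheme = "https://" if tls_enabled else "http://"  # http only when TLS is off
    if not ini.get("SAMLUrl", "").startswith(scheme):
        problems.append(f"SAMLUrl must start with {scheme}")
    if not ini.get("SAMLSloUrl", "").startswith(("http://", "https://")):
        problems.append("SAMLSloUrl must be a well-formed URL even if the IdP does not use it")
    pkh = ini.get("SAMLPublicKeyHash", "")
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", pkh) or len(pkh) % 4:
        problems.append("SAMLPublicKeyHash is missing or not valid base64")
    if console_hash and pkh != console_hash:
        problems.append("SAMLPublicKeyHash does not match the hash printed by certmgmt")
    if not ini.get("SAMLCompanyName"):
        problems.append("SAMLCompanyName must be the certmgmt company name or 'SAML Signing'")
    return problems
```

Run check_saml_settings(parse_notes_ini(SAMPLE_NOTES_INI), hash_from_console(SAMPLE_CONSOLE_LINE)) before exporting the metadata; an empty list means the settings are consistent with the certificate that was created.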