Creating an IdP Configuration document for Nomad federated login
Create an IdP Configuration document for Nomad federated login in idpcat.nsf.
Before you begin
Have the metadata .xml file that you exported from your IdP in a location that you can access, so that you can import it into the IdP Configuration document. For Active Directory Federation Services (ADFS), this file is typically FederationMetadata.xml.
When you import the metadata .xml file, the file is attached to the IdP Configuration document and deleted from your local system.
About this task
The IdP Configuration document sets up a partnership between the Domino ID vault servers that Nomad users use, which act as Service Providers, and your IdP, which acts as the authenticating server for access to mail and other applications on the Domino servers.
During this task, you create the IdP Configuration document, import the metadata .xml file you exported previously from your IdP, complete the configuration, and export the configuration to a ServiceProvider.xml file.
Complete the following steps from an ID vault server:
Procedure
- Open idpcat.nsf.
- Click Add IdP Config to create a new configuration document.
- In the Basics tab, in the Host names or addresses mapped to this site field, enter the following:
  nomad.vault.<SafeLinxServerHost>
  where <SafeLinxServerHost> is the host name of the Nomad (SafeLinx) server. For example: nomad.vault.safelinx.renovations.com
  Note: The nomad.vault. prefix is a requirement for the function of this feature. The value in this field does not resolve to a DNS host name.
- In the Protocol version field, select SAML 2.0.
- In the Federation product field, select AuthnRequest SAML 2.0 compatible.
- Click Import XML file and select the metadata .xml file you exported from your IdP. In ADFS, this file name is typically FederationMetadata.xml.
The following information is imported from the .xml file into the IdP configuration document.
Table 1. Fields in the IdP Configuration document whose values are generated from the metadata .xml file
- Single sign-on service URL (Basics tab): The login URL for the federation service specified in the Federation product field. For example: https://adfs.renovations.com/adfs/ls/IdpInitiatedSignOn.aspx
  Note: The value in this field is a subset of the expected URL to the IdP. The Domino® server generates the full URL when necessary.
- Signing X.509 certificate (Advanced tab): X.509 certificate for signing, used to verify signatures in the assertion response from the IdP.
- Encryption X.509 certificate (Advanced tab): X.509 certificate for encryption, used to send the IdP encrypted documents.
- Protocol support enumeration (Advanced tab): A string designating the SAML 2.0 protocol supported by the specified IdP. This string becomes part of the authentication URLs provided by Domino® as the service provider for the IdP. For example: urn:oasis:names:tc:SAML:2.0:protocol
- In the Service Provider ID field, specify:
  https://nomad.vault.<hostname>
  where <hostname> is the host name of the ID vault server shown in the Fully qualified Internet host name field in the Server document in the Domino directory. For example: https://nomad.vault.domino1.renovations.com
  Note: The nomad.vault. prefix is a requirement for the function of this feature. While the value in this field has to be a properly constructed secure URL, it is not used for HTTPS connections and doesn't resolve to a DNS host name.
- The Nomad Postback URL field is now shown. Specify the following information in this field. This configuration allows the vault server acting as a Service Provider to send SAML assertions to the Nomad server, which then communicates with the ID vault as a client to get the ID file for the user:
  https://<SafeLinxServerHost>/SL_saml/login/nomadfl
  where <SafeLinxServerHost> is the host name of the Nomad (SafeLinx) server. For example: https://safelinx.renovations.com/SL_saml/login/nomadfl
- On the Client Settings tab, complete the following fields:
  - In the Enable Windows single sign-on field, select No.
  - Leave the Enforce TLS field set to Yes.
- Save the new IdP Configuration document.
- In the Certificate Management tab, complete the following steps. These steps create a Service Provider server certificate and keys for the ID vault server, to be used for secure communication with the IdP. The certificate and private key are added automatically to the ID vault server ID file.
  Note: If the Domino vault server ID file is password-protected or already contains the certificate, complete this step manually. For more information, see Manually generating a certificate to encrypt SAML assertions.
- Replicate the idpcat.nsf to all Domino servers that your Nomad users use, including ID vault servers, mail servers, and application servers.
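The Import XML file step reads four values out of the IdP metadata (Table 1). The following script, added here as an illustration and not part of HCL Domino or Nomad, shows what that import has to find in a SAML 2.0 metadata file: the SingleSignOnService locations, the signing and encryption X.509 certificates, and the protocolSupportEnumeration string. The metadata is a constructed sample shaped like an ADFS export; the entityID, host name and certificate bodies are placeholders (minimal DER sequences, not real certificates). It also handles a KeyDescriptor with no use attribute, which the SAML metadata specification treats as valid for both signing and encryption, and it rejects certificate bodies that are not valid base64-encoded DER.

```python
"""Read the four values that the IdP Configuration document import takes from
an IdP metadata .xml file (Table 1): single sign-on service URL(s), signing
X.509 certificate, encryption X.509 certificate and the protocol support
enumeration.  Added example; this is not HCL Domino or Nomad code."""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed placeholder "certificates": minimal DER SEQUENCEs, not real X.509.
SIGNING_DER = b"\x30\x03\x02\x01\x01"
ENCRYPTION_DER = b"\x30\x03\x02\x01\x02"
SIGNING_CERT_B64 = base64.b64encode(SIGNING_DER).decode()
ENCRYPTION_CERT_B64 = base64.b64encode(ENCRYPTION_DER).decode()

# Constructed sample shaped like an ADFS FederationMetadata.xml export; the
# entityID, host name and certificate bodies are placeholders.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="{MD}" entityID="http://adfs.renovations.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>{SIGNING_CERT_B64}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>{ENCRYPTION_CERT_B64}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.renovations.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.renovations.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _decode_cert(b64_text):
    """Base64-decode an <X509Certificate> body and require a DER SEQUENCE (0x30)."""
    try:
        der = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate is not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("certificate does not decode to a DER SEQUENCE")
    return der


def parse_idp_metadata(xml_text):
    """Return the Table 1 values from IdP metadata, or raise ValueError.

    This reads the file as given and does not verify a <ds:Signature> on the
    metadata itself; metadata obtained over an untrusted channel should be
    parsed with defusedxml and its signature verified before the certificates
    in it are trusted.
    """
    root = ET.fromstring(xml_text)
    # ".//" finds the descriptor whether the root is an EntityDescriptor
    # (as ADFS exports) or an EntitiesDescriptor wrapping several entities.
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    result = {
        "protocol_support": idp.get("protocolSupportEnumeration"),
        "sso_urls": {},
        "signing_cert": None,
        "encryption_cert": None,
    }
    # A KeyDescriptor with no "use" attribute is valid for both signing and
    # encryption.  Explicit uses are applied first, so an unspecified key only
    # fills a slot that no explicit key claimed.
    key_descs = idp.findall("md:KeyDescriptor", NS)
    for kd in sorted(key_descs, key=lambda k: k.get("use") is None):
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert_el is None or not (cert_el.text or "").strip():
            raise ValueError("KeyDescriptor without an X509Certificate")
        der = _decode_cert(cert_el.text)
        use = kd.get("use")
        for slot in ([use] if use else ["signing", "encryption"]):
            if slot not in ("signing", "encryption"):
                raise ValueError(f"unknown KeyDescriptor use {slot!r}")
            if result[f"{slot}_cert"] is None:
                result[f"{slot}_cert"] = der
    for sso in idp.findall("md:SingleSignOnService", NS):
        result["sso_urls"][sso.get("Binding")] = sso.get("Location")
    if not result["protocol_support"]:
        raise ValueError("IDPSSODescriptor lacks protocolSupportEnumeration")
    if result["signing_cert"] is None:
        raise ValueError("no signing certificate: assertion signatures could not be verified")
    if not result["sso_urls"]:
        raise ValueError("no SingleSignOnService endpoint")
    return result


if __name__ == "__main__":
    for field, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

The script keeps every SingleSignOnService binding it finds rather than choosing one, because the page does not say which binding Domino uses to build the full login URL from the Single sign-on service URL field. A missing signing certificate is treated as fatal, since without it the vault server could not verify signatures on the assertion response; a missing encryption certificate is left as None for the caller to decide on.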
What to do next
- If there are other ID vault servers used by Nomad federated login, complete the procedure Adding the Service Provider server certificate and key to other vault server ID files.
- If there are no other ID vault servers, complete the procedure Setting up a Relying Party Trust for the ID vault server used by Nomad federated login.