Creating a Web server IdP configuration document
Create an IdP configuration document for Web servers that will participate in SAML authentication.
Before you begin
About this task
Procedure
- Open idpcat.nsf.
- Click Add IdP Config to create a new configuration document.
-
Click Import XML file and select the metadata .xml file you exported
from your IdP. In ADFS, this file name is typically
FederationMetadata.xml.
The following information is imported from the .xml file.
Table 1. Fields in the IdP Configuration document whose values are generated from the metadata.xml file Field Description Protocol version One of the following: - SAML 2.0
- SAML 1.1
Federation product One of the following: - AuthnRequest SAML 2.0 compatible
- ADFS
Note: Authn is a standard authentication protocol available for SAML 2.0. If your IdP is configured to support Authn, best practice is to keep AuthnRequest SAML 2.0 compatible selected.Artifact resolution service URL Domino® generates the artifact URL for the federation service you specified in the Federation product field.
The web address (URL) in this field is created when you click the "Import XML file" button. It is the URL to which incoming requests are redirected for authentication with the IdP.
Do not modify this text unless you are working with a metadata XML file that is not available for import into the form; in that case, be sure to copy and paste text accurately into this field.
Single sign-on service URL If the data is available in the imported XML file, Domino® generates the login URL for the federation service specified in the Federation product field. For example, on ADFS: https://adfs.renovations.com/adfs/ls/IdpInitiatedSignOn.aspx Note: The value in this field is a subset of the expected URL to the IdP. The Domino® server generates the full URL when necessary.Signing X.509 certificate Domino® imports the certificate code from file. Encryption X.509 certificate Domino® imports the certificate code from file. If import is replacing an existing signing certificate, the previous signing certificate is saved off as an IdP legacy certificate.
Note: This field appears only when the Type field is set to SAML 2.0.Protocol support enumeration Domino® generates a string designating the protocol(s) for the SAML release specified in the Type field that are also supported by the specified IdP. This string will become part of authentication URLs provided by Domino® as the service provider to the IdP specified in this configuration document. For example, url.oasis.names.tc:SAML:2.0:protocol.
-
In the Basics tab > Host names or addresses mapped to this
site field, configure the Web server DNS host name or host names.
Restriction: If your Domino Web server is using TLS, you must include an IP address after each host name, separated by a semicolon.Important: The host names you enter here should match what is entered in either the Host name(s) field on the Internet Protocols/HTTP tab in a Server document or the Host names or addresses mapped to this site field of an Internet Site (Web Site) document.
For example, enter mail01.us.renovations.com;n.nn.nnn.n.
If you use a load balancer to distribute requests across servers, include the host name and IP address for the load balancer as well as the host names and IP addresses of the target Web servers. Separate the servers with semi-colons or press Enter. For example:
mail.us.renovations.com;n.nn.nnn.n
mail01.us.renovations.com;n.nn.nnn.n
mail02.us.renovations.com;n.nn.nnn.n - For State select Disabled. Enable it later as part of the procedure Enabling SAML Authentication in Domino.
-
In the Service provider ID field, enter a value to identify the web
servers as service provider partner with the IdP.
- This value has to be a properly constructed URL but it isn't used for HTTP connections.
- If you are using TLS (required for ADFS), specify https: in the URL.
- This value must match the value in the IdP trust or partnership that you will create to identify the web server. For example, in ADFS, this value must match the value specified in the Relying party trust identifiers box in the Relying Party Trust.
- In the Basics tab, IdP name field, enter a name to identify the Web site of the identity provider; the name does not have to be exact, and is only for your administrative convenience.
-
Save and close the IdP configuration document. You see the following message because the IdP
configuration document is currently disabled and the service provider URL cannot be resolved. Click
Yes to go ahead and save.
Not a valid URL, or the DNS name could not be resolved: <URL>. Save anyway?
- Optional: If you want to ensure that SAML assertions are encrypted to help protect sensitive data, complete the task Generating a certificate to encrypt SAML assertions. Complete it before you complete the task Exporting the Domino web configuration to an .xml file, so that the certificate is included in the ServiceProvider.xml file.