Before you begin

• Obtain a copy of the metadata.xml file that was exported from the IdP, and have its contents ready for import when you create the IdP Configuration document. You can store it in any location accessible to your Domino Administrator client.
• The IdP Catalog (idpcat.nsf) application must reside on the same server as the ID vault.
• If the IdP Catalog application already exists, you must have access to create documents in it.
• For most SAML 2.0 configurations, the ID vault server's ID file must contain an Internet certificate. Create a new certificate using either the IdP catalog application Create Certificate button (recommended), the server console certmgmt command, or the Domino CA. If you have an existing Internet certificate, you can re-use it (the certmgmt show all server console command displays the hash keys of all existing certificates so that you can derive the key you need for SAML).

The SAML configuration settings for Notes federated login are specified in IdP Configuration document(s) in the IdP Catalog (idpcat.nsf) application. The IdP Configuration document includes several fields whose values are supplied automatically when you import the metadata.xml file from the IdP.

Important: If the Domino server has a server.id file protected by a password, the administrator cannot use the Create Certificate button described in this topic. Instead, see the related topic Creating a Domino metadata file manually.

Note: This procedure assumes the Domino ID vault server participating in Notes federated login does not have the Domino Web server configured, but your organization may use such a combination if necessary.

Note: To support Notes federated login, certain fields in this IdP Configuration document (Service provider ID and Domino URL) must be specified with a string that mimics the URL that would be used if the ID Vault server were also configured as a Domino Web server. However, this does not mean the ID vault server must actually be configured as a Domino Web server.

Procedure

1. From the Domino Administrator client, create the IdP Catalog application (idpcat.nsf), using the template with the file name idpcat.ntf, or open the application if it already exists.

CAUTION: If your server is running on UNIX™ or IBM® i, make sure the file name is all lower-case.

Note: If the ipdcat.nsf is replicated across other participating SAML servers, their entries will be added to the ACL.

Note: If you have multiple Internet Site documents in your organization, and you want SAML authentication used at these multiple Web sites, create separate associated IdP Configuration documents for each participating Internet Site. For details, see the related topic on configuring SAML from the Internet Site document.

Tip: If you are setting up a partnership for the ID vault that is used for both Notes federated login and iNotes® Web federated login, specify a virtual hostname that begins with vault. pre-pended to the iNotes server's Web address (DNS hostname, or Internet site name), and do not specify any IP address in the entry.

For example, if the iNotes server's DNS hostname is dom1.renovations.com, then specify a virtual name of vault.dom1.renovations.com, with no IP address.

For example, if the Renovations organization has a support site hosted by a third party who will serve as an identity provider, using the IBM Tivoli® Federated Identity Manager, the administrator might enter Renovations Customer Support (TFIM).

Important: SAML 2.0 is required if your federation is configured on Microsoft™ ADFS.

8. In the Federation product field, select either TFIM for Tivoli Federated Identity Manager or ADFS for Microsoft Active Directory Federation Services, depending on which federation service you intend to use for SAML authentication. The default is ADFS.

9. In the Service provider ID field, enter a string that identifies Domino as a service provider partner with the IdP.

This string is usually the same as the HTTP URL for the Domino HTTP server, for example, http://domino1.us.renovations.com.

Note: If SSL is configured at Domino or you are using ADFS for the IdP, this setting would include https , for example: https://domino1.us.renovations.com. If you use ADFS for the IdP, SSL is required, so you would use https in the string.

Important: An entry is required in this field to use the Create Certificate button on the Certificate Management tab.

It is recommended that you leave intact the information supplied from the imported XML file.

Note: If the federation is configured on ADFS, this file may have a slightly different name, for example, FederationMetadata.xml.

Table 1. Fields in the IdP Configuration document whose values are generated from the metadata.xml file

Field	Description
Artifact resolution service URL	Domino generates the artifact URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following artifact URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/soap.
Single sign-on service URL	If the data is available in the imported XML file, Domino generates the login URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following login URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/logininitial. Note: The value in this field is a subset of the expected URL to the IdP. The Domino server generates the full URL when necessary.
Signing X.509 certificate	Domino imports the certificate code from file.
Encryption X.509 certificate	Domino imports the certificate code from file. Note: This field appears only when the Type field is set to SAML 2.0.
Protocol support enumeration	Domino generates a string designating the protocol(s) for the SAML release specified in the Type field that are also supported by the specified IdP. This string will become part of authentication URLs provided by Domino as the service provider to the IdP specified in this configuration document. For example, url.oasis.names.tc:SAML:2.0:protocol.

a. Leave Enable Windows single sign-on set to Yes if this IdP document corresponds to an IdP that uses Windows™ single sign-on (SPNEGO/Kerberos) user authentication. This field is required by Notes client federated login so that Domino knows how to set up the Notes client embedded browser.

For more information, search the Notes and Domino wiki for an article on setting up ADFS for integrated Windows authentication (IWA). IBM technote #1614543 in the related topics will eventually provide links to all such articles.

b. In the Sites that are trusted field, list trusted identity provider (IdP) web host names that differ from the host name configured in the Basics tab. Separate entries with a semicolon or a return character.

c. Leave the Enforce SSL field set to Yes if the Notes client embedded browser requires that any URL accessed at the IdP during the login sequence be protected with SSL.

a. Enter a Company name field to identify the certificate in the Domino metadata file (idp.xml) to be exported. Use any string convenient to your administrators.

You might use the name to indicate the Domino server, for example Domino US Renovations, or a virtual name if representing one particular Internet site configuration on the Domino server, for example, Domino East Coast US Renovations.

Tip: The name does not have to match anything in the actual IdP configuration. However, the string does have to be compatible with the syntax of the idp.xml file; that is, it cannot include characters such as angle brackets (< or >).


b. Click Create Certificate. If prompted, save the document, return to the tab, and click the button a second time.

When creating the certificate, Domino pre-pends "CN=" to the string in the Company name field and uses this name as the certificate subject. The name may be visible in the IdP configuration after the metadata file is imported.

c. In the Domino URL field, enter a string to identify the fully qualified DNS name in a URL of the Domino server.

For example, enter:

https://your_SAML_service_provider_hostname

The string in this field is used by the IdP as the initial part of the URL for sending the user's SAML assertion back to Domino.

Note: If SSL is not configured at Domino and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://domino1.us.renovations.com.

Note: Usually, you can repeat the string you entered in the Service Provider ID field on the Basics tab. However, if you are setting up a partnership for the ID vault that is used for both Notes federated login and iNotes Web federated login, instead, use the fully qualified DNS name of the iNotes server's Web address (DNS hostname, or Internet site name) in a URL. For example: https://dom1.renovations.com.


d. In the Single logout URL field, enter a URL. Even if your IdP does not require or support a single logout, you should enter a syntactically correct URL so that the exported metadata file will have proper syntax. The TFIM IdP with SAML 2.0 configuration requires a single logout URL to be specified at the IdP and in the Domino metadata file, even though Domino does not currently implement a SAML 2.0 single logout feature.

An example of a logout URL is:

https://your_tfim_server.com/sps/samlTAM20/saml20

Note: This button is visible only when a previously created idp.xml file is not already attached.

Parent topic: Supporting federated login on the Notes client
Previous topic: Setting up the SAML identity provider and federation
Next topic: Configuring the ID vault for Notes federated login

Related tasks
Creating a Domino metadata file manually
Enabling the Domino Web server to provide SAML authentication
Configuring SAML from the Internet Site (Web Site) document

Related information
Supplementary information on Security Assertion Markup Language (SAML) configuration combinations of IBM Domino and other products

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Feedback on Help or Usability?

Help on Help