You can have Domino generate a certificate for encrypting SAML assertions automatically from an
IdP configuration document.
About this task
You can use this procedure if the server ID file is not password protected and if you want to
create a new Internet Certificate in the server ID file. Otherwise, follow the procedure to generate
the certificate manually.
To complete this task, you must be listed (directly or through a group) in one of the following
fields of the Server document: Full Access Administrators, Administrators, or
Sign or run unrestricted methods and operations.
Generate the certificate automatically with the Create Certificate button in the IdP
configuration document.
Note: Complete this procedure before you use the Export
XML button in an IdP configuration document to export the configuration to
the idp.xml file. The certificate is then automatically included in the Domino
metadata .xml file (idp.xml) that you import into the IdP.
- Open a Web server IdP configuration document or the ID vault server IdP configuration document
in idpcat.nsf.
- Click the Certificate Management tab.
- In the Company name field, enter a string to identify the certificate in the Domino® metadata file (idp.xml) to be
exported. Use any string convenient to your administrators. You might use the name to indicate the Domino
server, for example Domino US Renovations, or a virtual name representing one
particular Internet site configuration on the Domino
server, for example Domino East Coast US Renovations.
Tip: The name
does not have to match anything in the actual IdP configuration. However, the string does have to be
compatible with the syntax of the idp.xml file; that is, it cannot include
characters such as angle brackets (< or >).
- Click Create Certificate. If prompted, save the document, return to the
tab, and click the button a second time.
When creating the certificate, Domino prepends "CN=" to
the string in the Company name field and uses the result as the certificate subject. The name may be
visible in the IdP configuration after the metadata file is imported.
- In the Domino URL field, enter a URL containing the fully qualified
DNS name of the Domino server. For example,
enter:
https://your_SAML_service_provider_hostname
The IdP uses the string in this field as the initial part of the URL to which it sends the user's SAML
assertion back to Domino.
Note: If SSL is not configured on
Domino and you are using TFIM as the IdP, this setting
uses http instead of https, for example:
http://domino1.us.renovations.com
Note: Usually, you can repeat the
string you entered in the Service Provider ID field on the
Basics tab. However, if you are setting up a partnership for the ID vault
that is used for both
Notes® federated login and iNotes® Web federated login, use instead the fully qualified DNS name of the
iNotes server's Web address (DNS hostname or Internet site
name) in a URL, for example https://dom1.renovations.com.
- In the Single logout URL field, enter a URL. Even if your IdP does not
require or support a single logout, you should enter a syntactically correct URL so that the
exported metadata file will have proper syntax. The TFIM IdP with SAML 2.0 configuration requires a
single logout URL to be specified at the IdP and in the Domino metadata file, even though Domino does not
currently implement a SAML 2.0 single logout feature. An example of a logout URL for TFIM is:
https://your_tfim_server.com/sps/samlTAM20/saml20
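The following Python script is an added example, not part of the Domino documentation or product. It pre-checks the three values typed into the Certificate Management tab (an XML-safe Company name, a scheme-plus-host Domino URL, a syntactically valid Single logout URL) and then does a structural check of an exported SP metadata file before it is handed to the IdP: well-formed XML, a KeyDescriptor usable for encryption whose X509Certificate is base64 DER, and an AssertionConsumerService Location under the Domino URL. The sample metadata it builds is constructed for illustration: the element layout follows SAML 2.0 metadata in general, the certificate value is a placeholder DER SEQUENCE rather than a real certificate, the ACS path `names.nsf?SAMLLogin` is assumed, and the Company name is placed in an Organization element only so that an unescaped angle bracket has somewhere to break the file, as the Tip above warns. Domino's own exporter is not shown.

```python
# Added example (not Domino code): pre-flight checks for the Certificate Management
# values and a structural check of exported SP metadata (idp.xml).
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XML_UNSAFE = "<>&"  # would break the file's syntax if copied into it verbatim


def check_company_name(name: str) -> list[str]:
    """Problems with a Company name value; an empty list means it is usable."""
    problems = []
    if not name.strip():
        problems.append("Company name is empty")
    bad = sorted({c for c in name if c in XML_UNSAFE})
    if bad:
        problems.append("Company name contains XML-unsafe characters: " + " ".join(bad))
    return problems


def check_domino_url(url: str, ssl_configured: bool = True) -> list[str]:
    """The Domino URL is scheme + host only; the IdP appends the rest of the path."""
    problems = []
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.netloc:
        problems.append("Domino URL must be an absolute http(s) URL with a host")
    elif ssl_configured and p.scheme != "https":
        problems.append("Domino URL should use https when SSL is configured on Domino")
    if p.path not in ("", "/") or p.query or p.fragment:
        problems.append("Domino URL should carry no path, query or fragment")
    return problems


def check_logout_url(url: str) -> list[str]:
    """Domino does not implement SAML 2.0 single logout, but the value must still parse."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.netloc:
        return ["Single logout URL must be an absolute http(s) URL"]
    return []


def check_metadata(xml_text: str, domino_url: str) -> list[str]:
    """Structural check of exported SP metadata; an empty list means nothing was found."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return [f"metadata is not well-formed XML: {e}"]
    problems = []
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor element"]
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    enc = [k for k in sp.findall(f"{{{MD}}}KeyDescriptor") if k.get("use") in ("encryption", None)]
    certs = [c.text or "" for k in enc for c in k.iter(f"{{{DS}}}X509Certificate")]
    if not certs:
        problems.append("no KeyDescriptor usable for encryption with an X509Certificate")
    for c in certs:
        try:
            der = base64.b64decode("".join(c.split()), validate=True)
        except Exception:
            problems.append("X509Certificate is not valid base64 (PEM header lines pasted in?)")
            continue
        if not der.startswith(b"\x30"):  # DER SEQUENCE tag that every X.509 cert starts with
            problems.append("X509Certificate does not decode to a DER SEQUENCE")
    base = domino_url.rstrip("/")
    if sp.find(f"{{{MD}}}SingleLogoutService") is None:
        problems.append("no SingleLogoutService element")
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not acs:
        problems.append("no AssertionConsumerService element")
    for e in acs:
        loc = e.get("Location", "")
        if not loc.startswith(base + "/"):
            problems.append(f"AssertionConsumerService Location {loc!r} is not under {base}")
    return problems


# Constructed placeholder: a DER SEQUENCE holding INTEGER 1, not a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def sample_metadata(company_name: str, domino_url: str, logout_url: str) -> str:
    """Constructed SP metadata built by a template that does NOT escape its inputs,
    to show what the Tip about angle brackets means. The ACS path is assumed."""
    return f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{domino_url}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{logout_url}"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{domino_url}/names.nsf?SAMLLogin" index="0"/>
  </md:SPSSODescriptor>
  <md:Organization><md:OrganizationName xml:lang="en">{company_name}</md:OrganizationName></md:Organization>
</md:EntityDescriptor>
"""


if __name__ == "__main__":
    good = sample_metadata("Domino US Renovations", "https://dom1.renovations.com",
                           "https://your_tfim_server.com/sps/samlTAM20/saml20")
    print("good export:", check_metadata(good, "https://dom1.renovations.com"))
    bad = sample_metadata("Acme <East>", "https://dom1.renovations.com",
                          "https://your_tfim_server.com/sps/samlTAM20/saml20")
    print("unescaped name:", check_metadata(bad, "https://dom1.renovations.com"))
```

Run the pre-checks on the values before clicking Create Certificate, and run `check_metadata` on the file produced by Export XML before importing it into the IdP; a parse error at that point is cheaper to find here than in the IdP's import dialog.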