Create an IdP Configuration document for Nomad federated login inidpcat.nsf.

Before you begin

Have the metadata .xml file that you exported from your IdP in a location from which you can access it so that you can import it into the IdP configuration document. For Active Directory Federation Services (ADFS), this file is typicallyFederationMetadata.xml

Note:

When you import the metadata .xml file, the file is attached to the IdP Configuration document and deleted from your local system.

About this task

The IdP Configuration document sets up a partnership between the Domino ID vault servers that Nomad users use and that act as Service Providers and your IdP which acts as the authenticating server for access to mail and other applications on the Domino servers.

During this task, you create the IdP Configuration document, import the metadata .xml file you exported previously from your IdP, complete the configuration, and export the configuration to a ServiceProvider.xml file.

Complete the following steps from an ID vault server:

Procedure

1. Open idpcat.nsf.

2. Click Add IdP Config to create a new configuration document.

3. In the Basics tab, Host names or addresses mapped to this site field, enter the following:

nomad.vault.<SafeLinxServerHost>

where<SafeLinxServerHost> is the host name of the Nomad (SafeLinx) server. For example:

nomad.vault.safelinx.renovations.com

Note: The nomad.vault. prefix is a requirement for the function of this feature. The value in this field does not resolve to a DNS host name.

5. In the Federation product field, selectAuthnRequest SAML 2.0 compatible.

6. Click Import XML file and select the metadata .xml file you exported from your IdP. In ADFS, this file name is typicallyFederationMetadata.xml.

The following information is imported from the .xml file into the IdP configuration document.

Table 1. Fields in the IdP Configuration document whose values are generated from the metadata . xml file

Field	Description
Single sign-on service URL	(Basics tab) The login URL for the federation service specified in the Federation product field. For example:https://adfs.renovations.com/adfs/ls/IdpInitiatedSignOn.aspx Note: The value in this field is a subset of the expected URL to the IdP. The Domino® server generates the full URL when necessary.
Signing X.509 certificate	(Advanced tab) X.509 certificate for signing, used to verify signatures in the assertion response from the IdP.
Encryption X.509 certificate	(Advanced tab) X.509 certificate for encryption used to send the IdP encrypted documents.
Protocol support enumeration	(Advanced tab) A string designating the SAML 2.0 protocol supported by the specified IdP. This string becomes part of authentication URLs provided by Domino as the service provider for the IdP. For example,urn.oasis.names.tc:SAML:2.0:protocol.

https://nomad.vault.<hostname>

where <hostname> is the host name of the ID vault server shown in the Fully qualified Internet host name field in the Server document in the Domino directory. For example:

https://nomad.vault.domino1.renovations.com

Note: The nomad.vault. prefix is a requirement for the function of this feature. While the value in this field has to be a properly constructed secure URL, it is not used for HTTPS connections and doesn't resolve to a DNS host name.

https://<SafeLinxServerHost>/SL_saml/login/nomadfl

where <SafeLinxServerHost> is the host name of the Nomad (SafeLinx) server. For example:

https://safelinx.renovations.com/SL_saml/login/nomadfl

10. On the Client Settings tab, complete the following fields:

a. In the Enable Windows single sign-on field, select No.

b. Leave the Enforce TLS field set toYes.

12. In the Certificate Management tab, complete the following steps. These steps create a Service Provider server certificate and keys for the ID vault server that will be used for secure communication with the IdP. The certificate and private key are added automatically to the ID vault server ID file.

Note: If the Domino vault server ID file is password-protected or already contains the certificate, complete this step manually. For more information, see Manually generating a certificate to encrypt SAML assertions.

a. Click Create SP Certificate.

b. In the Company name field, enter any name, for example, renovationsvault. When creating the certificate, Domino pre-pends "CN=" to the name in this field. This name becomes the certificate Subject Name.


Note: At this point, the new Service Provider certificate and key are added to the ID vault server ID file.

c. In the Domino URL field, specify the URL for the host name of the ID vault server. For example:

https://domino1.renovations.com

d. Click Export SP XML to create and save aServiceProvider.xml file. You will import the file into your IdP when you when you create the IdP relying party trust.

Results

The ServiceProvider.xml file is attached to the IdP Configuration document. The ID vault server certificate and key created in the procedure are added to the ID vault server ID file.

What to do next

• If there are other ID vault servers used by Nomad federated login, complete the procedure Adding the Service Provider server certificate and key to other vault server ID files.
• If there are no other ID vault servers, complete the procedure Setting up a Relying Party Trust for the ID vault server used by Nomad federated login.

  Adding the Service Provider server certificate and key to other vault server ID files
  If there are other ID vault servers in your Domino domain with replicas of the ID vault used for Nomad federated login, complete the following steps. These steps add the new Service Provider server certificate and key created in the previous procedure to the server ID files of those ID vault servers:

Help on Help

All Help Contents

Help on Help