Setting up a Relying Party Trust for the ID vault server

Set up a Relying Part Trust in Active Directory Federated Services (ADFS) for the Domino ID vault server. These procedures describe steps for ADFS 3.0 and ADFS 4.0.

About this task

This procedure applies to Active Directory Federation Services (ADFS). If you use Tivoli Federated Identity Manager (TFIM), you set up a partnership. For more information, see the article Cookbook: Setting up a new Partner on TFIM in the Notes and Domino wiki.

Procedure

  1. From ADFS, select Start > Administrative Tools > AD FS Management.
  2. Navigate to the Relying Party Trusts folder.
  3. Select Action > Add Relying Party Trust.
  4. Click Start to run the Add Relying Party Trust wizard.
  5. In the Select Data Source window select Import data about the relying party from a file, select the idp.xml file that you exported from the corresponding ID vault server IdP configuration document. Then, click Next.
    Note: When you import from the idp.xml file, values for Steps 6 - 10 are populated automatically. If you select Enter data about the relying party manually, you enter these values yourself.
  6. In the Select Display Name window, enter a Display name to represent the service provider, for example, Domino Renovations Vault. Click Next.
  7. In the Choose Profile window, select AD FS profile and click Next.
  8. In the Configure Certificate window, click Next.
  9. In the Configure URL window, select Enable support for the SAML 2.0 WebSSO protocol. For Relying party SAML 2.0 SSO service URL, enter the following URL:
    https://<host>/names.nsf?SAMLIDLogin
    where <host> is either a Web server or the ID vault server, depending on whether you use Web federated login:
    Table 1. Specifying the Relying party SAML 2.0 SSO service URL host name in the ID vault server Relying Party Trust
    If you use Web federated login If you use only Notes federated login
    Specify the DNS host name of a web server that will participate in federated login. For example:
    https://mail.us.renovations.com/names.nsf?SAMLIDLogin
    • Notice that the ending string of the URL is /names.nsf?SAMLIDLogin. This string is different than the ending string of the URL for a Web server Trust document, which is /names.nsf?SAMLLogin.
    • Specify a web server host name rather than the ID vault server host name. Doing so allows iNotes users to obtain credentials from the ID vault server for federated login.
    • The host name must match the host name that is included in the Host names or addresses mapped to this site field in the web server IdP configuration document you create. Do not use the host name specified in the ID vault server IdP configuration document.
    • You can specify only one web server host per Trust document.
    • If there are multiple Web server hosts behind a load balancer, specify the load balancer host name here. If there is no load balancer, repeat this procedure and create a separate Trust document for each web server.
    Specify the DNS host name of the Domino ID vault server that will participate in federated login. For example:
    https://vault.domino1.us.renovations.com/names.nsf?SAMLIDLogin
    • The host name must match the host name that is included in the Host names or addresses mapped to this site field in the ID vault server IdP configuration document you created.
    The following example shows a host name specified for a Web server when you use Web federated login: Relying party SAML 2.0 SSO service URL in the Configure URL window
  10. In the Configure Identifiers window, in the Relying party trust identifier field, enter a URL to identify the ID vault server, then click Add and Next.
    This URL must match the one that you specify in the Service provider ID field of the IdP configuration document for the ID vault server. For example: https://vault.domino1.us.renovations.com
    Note: This URL is used only as an identifier and not for HTTP connections.
    Relying party trust identifier in the Configure Identifiers window
  11. Click Next to skip the Configure Multi-factor Authentication Now? window.
  12. In the Choose Issuance Authorization Rules window, select Permit all users to access this relying party and click Next.
  13. In the Ready to Add Trust window, click Next.
  14. In the Finish window, select Open the Edit Claim Rules dialog for this replying party trust when the wizard closes and click Close.
  15. If the Edit Claim Rules dialog does not open when the wizard closes, right-click the name of the Relying Party Trust that you created, and select Edit Claim Rules...
  16. In the Edit Claim Rules dialog, click Add Rule.
  17. In the Select Rule Template dialog, for Choose Rule Type, select Send LDAP Attributes as Claims, and click Next.
  18. Complete the Configure Rule dialog box:
    1. For Claim rule name, enter EmailAddressToNameID.
    2. For Attribute store, select Active Directory.
    3. For LDAP Attribute, select E-Mail-Addresses.
    4. For Outgoing Claim Type, select Name ID.
    5. Click Finish.
  19. In the Edit Claim Rules dialog, click Apply and OK.
  20. In the AD FS Trust Relationships > Relying Party Trusts folder:
    1. Right-click the new relying party trust that you created for Domino and select Properties.
    2. Click the Endpoints tab.
    3. For SAML Assertion Consumer Endpoints, verify that there is a POST binding URL for Domino. In addition, if there is an Artifact binding URL, remove it because Domino only uses POST binding.
      Endpoints POST binding URL for Domino.