Manually generating a certificate to encrypt SAML assertions

If the Domino® server.id file has a password, you as the administrator must create the SAML metadata file and the certificate file manually; the Create SP Certificate button in the IdP Catalog application cannot be used. You must also create the metadata file manually if you intend to verify SAML assertions using an Internet certificate that already exists in the server ID file.

Procedure

  1. Edit the Domino server NOTES.INI file and enter the following required settings:
    SAMLAuthVersion=value

    Where value is one of:

    1 - for SAML 1.1

    2 - for SAML 2.0

    SAMLUrl=https://your_SAML_service_provider_hostname
    For example, https://domino1.us.renovations.com
    Note: If your Domino server will not be enabled for SSL (SSL is required with an ADFS IdP, but not with a TFIM IdP), this URL must start with http instead of https, for example, http://domino1.us.renovations.com
    SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20

    If your federation is IBM® Tivoli® Federated Identity Manager, this setting specifies the log-out URL. If your federation does not require or support a log-out URL, still enter a URL like the one in the preceding example so that the exported metadata has the correct syntax.

  2. If the server ID file already has an Internet certificate that can be used, this step is optional. At the Domino server console, enter the following command to create the certificate. If the company name is more than one word, enclose the name in quotation marks (") as shown:
    certmgmt create saml [overwrite][company "Renovations Home Improvement"]
    Note: If you do not specify a company, the default company name SAML Signing is used.
  3. Take note of the public key hash that is displayed on the console when you issue the certmgmt create saml command. The hash is the string that follows public key hash=. In the following example, the hash is v6i9TOz7zP9GBCXxtrz+KA==
    Certificate created, public key hash=v6i9TOz7zP9GBCXxtrz+KA==
  4. Edit the Domino server NOTES.INI file again and enter the following required setting, using the hash key you noted in step 3:
    SAMLPublicKeyHash=your_hash_key
    Tip: If you do not have a note of the hash key – for example, you are not the administrator who performed the previous steps, or if you want to use a different existing certificate – you can use the CERTMGMT SHOW ALL command to display the key.
  5. Enter the following NOTES.INI setting, using any string convenient to your administrators:
    SAMLCompanyName=your_organization_name
    The text you enter for your_organization_name must match the company name supplied in step 2 when you created the certificate (certmgmt create saml). Alternatively, your_organization_name can match the Subject Name displayed when you issue the CERTMGMT SHOW ALL command. If no company name was supplied in step 2, use SAML Signing as the value of SAMLCompanyName, for example:
    SAMLCompanyName=SAML Signing
  6. Enter the following command to generate a metadata .xml file (for example, tfim-meta.xml for TFIM) to import into your federation:
    certmgmt export saml xml filename.xml
  7. Copy the exported certificate file to a location from where you can import it into the IdP configuration document you are configuring.
  8. Open the appropriate IdP configuration document. On the Certificate Management tab, under Certificate management settings, copy and paste the public key hash used in previous steps into the field Certificate public key hash value (base 64).
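The steps above leave several values that have to agree with each other: the hash in SAMLPublicKeyHash must be the one certmgmt printed, SAMLCompanyName must be the company given to certmgmt create saml (or SAML Signing when none was given), SAMLAuthVersion must be 1 or 2, and SAMLUrl must use http or https according to whether the server is SSL-enabled. The following script is an added example, not part of the Domino documentation or product: it parses a constructed NOTES.INI fragment and a constructed copy of the certmgmt console line, then reports any inconsistency between them before the metadata is exported. The setting names are the ones from the procedure; the function names and the sample values are the example's own.

```python
"""Consistency check for the NOTES.INI SAML settings set up in the procedure.

Added example (not Domino's own code). It parses a NOTES.INI fragment and the
'certmgmt create saml' console line, then checks that the settings agree with
each other and with the certificate that was created. All inputs below are
constructed samples.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample: the console line printed by 'certmgmt create saml' (step 3).
CONSOLE_OUTPUT = "Certificate created, public key hash=v6i9TOz7zP9GBCXxtrz+KA=="

# Constructed sample NOTES.INI fragment as it would look after steps 1, 4 and 5.
NOTES_INI = """\
SAMLAuthVersion=2
SAMLUrl=https://domino1.us.renovations.com
SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20
SAMLPublicKeyHash=v6i9TOz7zP9GBCXxtrz+KA==
SAMLCompanyName=Renovations Home Improvement
"""

HASH_RE = re.compile(r"public key hash=(\S+)")

# (lower-cased key, display name) for the two URL settings from step 1
URL_SETTINGS = (("samlurl", "SAMLUrl"), ("samlslourl", "SAMLSloUrl"))


def parse_notes_ini(text):
    """Return {setting: value} for KEY=VALUE lines; keys are compared case-insensitively."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue  # blank line, comment, or not a setting
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def hash_from_console(line):
    """Extract the value that follows 'public key hash=' on the certmgmt console line."""
    match = HASH_RE.search(line)
    return match.group(1) if match else None


def is_base64(value):
    """True if value is non-empty, well-formed base64 (the IdP field is labelled base 64)."""
    try:
        return bool(value) and base64.b64decode(value, validate=True) != b""
    except (binascii.Error, ValueError):
        return False


def check_saml_settings(settings, console_hash, company=None, ssl_enabled=True):
    """Return a list of problems; an empty list means the settings are consistent.

    company: the name passed to 'certmgmt create saml', or None if it was
             omitted (then the default 'SAML Signing' applies, per step 5).
    ssl_enabled: whether the Domino server is SSL-enabled (note in step 1).
    """
    problems = []

    if settings.get("samlauthversion") not in ("1", "2"):
        problems.append("SAMLAuthVersion must be 1 (SAML 1.1) or 2 (SAML 2.0)")

    expected_scheme = "https" if ssl_enabled else "http"
    for key, name in URL_SETTINGS:
        url = settings.get(key, "")
        parts = urlsplit(url)
        if not parts.netloc:
            problems.append(f"{name} is missing or not a URL: {url!r}")
        elif key == "samlurl" and parts.scheme != expected_scheme:
            problems.append(f"SAMLUrl must start with {expected_scheme}:// for this server")

    hash_value = settings.get("samlpublickeyhash", "")
    if not is_base64(hash_value):
        problems.append("SAMLPublicKeyHash is missing or not valid base64")
    elif hash_value != console_hash:
        problems.append("SAMLPublicKeyHash does not match the certmgmt public key hash")

    expected_company = company if company else "SAML Signing"
    if settings.get("samlcompanyname") != expected_company:
        problems.append(f"SAMLCompanyName must be {expected_company!r} to match the certificate")

    return problems


if __name__ == "__main__":
    ini = parse_notes_ini(NOTES_INI)
    found_hash = hash_from_console(CONSOLE_OUTPUT)
    issues = check_saml_settings(ini, found_hash, company="Renovations Home Improvement")
    print("hash from console:", found_hash)
    print("problems:", issues or "none")
```

Run it against the real NOTES.INI and the console line you noted in step 3 before running certmgmt export saml xml; a mismatch found here means the IdP configuration document would reference a certificate other than the one the server signs with.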

What to do next

Export the Web server IdP configuration or ID vault server IdP configuration to idp.xml.