Creating an IdP Configuration document for Nomad federated login

Create an IdP Configuration document for Nomad federated login in idpcat.nsf.

Before you begin

Have the metadata .xml file that you exported from your IdP in a location you can access, so that you can import it into the IdP Configuration document. For Active Directory Federation Services (ADFS), this file is typically FederationMetadata.xml.

Note: When you import the metadata .xml file, the file is attached to the IdP Configuration document and deleted from your local system.

About this task

The IdP Configuration document sets up a partnership between the Domino ID vault servers that Nomad users use, which act as Service Providers, and your IdP, which acts as the authenticating server for access to mail and other applications on the Domino servers.

During this task, you create the IdP Configuration document, import the metadata .xml file you exported previously from your IdP, complete the configuration, and export the configuration to a ServiceProvider.xml file.

Complete the following steps from an ID vault server:

Procedure

  1. Open idpcat.nsf.
  2. Click Add IdP Config to create a new configuration document.
  3. On the Basics tab, in the Host names or addresses mapped to this site field, enter the following:
    nomad.vault.<SafeLinxServerHost>
    where <SafeLinxServerHost> is the host name of the Nomad (SafeLinx) server. For example:
    nomad.vault.safelinx.renovations.com
    Note: The nomad.vault. prefix is a requirement for the function of this feature. The value in this field does not resolve to a DNS host name.
  4. In the Protocol version field, select SAML 2.0.
  5. In the Federation product field, select AuthnRequest SAML 2.0 compatible.
  6. Click Import XML file and select the metadata .xml file you exported from your IdP. In ADFS, this file name is typically FederationMetadata.xml.
    The following information is imported from the .xml file into the IdP Configuration document.
    Table 1. Fields in the IdP Configuration document whose values are generated from the metadata .xml file
    Field: Single sign-on service URL (Basics tab)
    Description: The login URL for the federation service specified in the Federation product field. For example: https://adfs.renovations.com/adfs/ls/IdpInitiatedSignOn.aspx
    Note: The value in this field is a subset of the expected URL to the IdP. The Domino® server generates the full URL when necessary.
    Field: Signing X.509 certificate (Advanced tab)
    Description: X.509 certificate for signing, used to verify signatures in the assertion response from the IdP.
    Field: Encryption X.509 certificate (Advanced tab)
    Description: X.509 certificate for encryption, used to send the IdP encrypted documents.
    Field: Protocol support enumeration (Advanced tab)
    Description: A string designating the SAML 2.0 protocol supported by the specified IdP. This string becomes part of authentication URLs provided by Domino® as the service provider for the IdP. For example, urn:oasis:names:tc:SAML:2.0:protocol.


  7. In the Service Provider ID field, specify:
    https://nomad.vault.<hostname>
    where <hostname> is the host name of the ID vault server shown in the Fully qualified Internet host name field in the Server document in the Domino directory. For example:
    https://nomad.vault.domino1.renovations.com
    Note: The nomad.vault. prefix is a requirement for the function of this feature. While the value in this field has to be a properly constructed secure URL, it is not used for HTTPS connections and doesn't resolve to a DNS host name.
  8. The Nomad Postback URL field is now shown. In this field, specify the following URL. This setting allows the vault server, acting as a Service Provider, to send SAML assertions to the Nomad server, which then communicates with the ID vault as a client to get the ID file for the user:
    https://<SafeLinxServerHost>/SL_saml/login/nomadfl
    where <SafeLinxServerHost> is the host name of the Nomad (SafeLinx) server. For example:
    https://safelinx.renovations.com/SL_saml/login/nomadfl
  9. On the Client Settings tab, complete the following fields:
    1. In the Enable Windows single sign-on field, select No.
    2. Leave the Enforce TLS field set to Yes.
  10. Save the new IdP Configuration document.
  11. On the Certificate Management tab, complete the following steps. These steps create a Service Provider server certificate and keys for the ID vault server that are used for secure communication with the IdP. The certificate and private key are added automatically to the ID vault server ID file.
    Note: If the Domino vault server ID file is password-protected or already contains the certificate, complete this step manually. For more information, see Manually generating a certificate to encrypt SAML assertions.
    1. Click Create SP Certificate.
    2. In the Company name field, enter any name, for example, renovationsvault. When creating the certificate, Domino prepends "CN=" to the name in this field. This name becomes the certificate Subject Name.
      Note: At this point, the new Service Provider certificate and key are added to the ID vault server ID file.
    3. In the Domino URL field, specify the URL for the host name of the ID vault server. For example:
      https://domino1.renovations.com
    4. Click Export SP XML to create and save a ServiceProvider.xml file. You will import this file into your IdP when you create the IdP relying party trust.
  12. Replicate idpcat.nsf to all Domino servers that your Nomad users use, including ID vault servers, mail servers, and application servers.
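The following script is an added example and is not part of the HCL documentation or the Domino product. It shows, in plain Python, the two things the procedure above relies on: what the Import XML file step pulls out of an IdP metadata file (the four values listed in Table 1: the single sign-on URL, the signing and encryption X.509 certificates, and the protocol support enumeration), and how the three Domino-side field values from steps 3, 7 and 8 are derived from the SafeLinx and ID vault host names, with a check that they carry the required nomad.vault. prefix and the SL_saml/login/nomadfl postback path. The metadata document is constructed inline in the shape ADFS publishes; its certificate elements are base64 placeholders rather than real DER certificates, and the binding preference order and all function names are assumptions of this example, not Domino behaviour.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# XML namespaces used by SAML 2.0 metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Which SingleSignOnService binding to record when the IdP publishes several
# (assumption of this example: HTTP-Redirect first, then HTTP-POST).
BINDING_PREFERENCE = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)


def _placeholder_cert(label: str) -> str:
    """Constructed stand-in for an X509Certificate element: base64 of a label, not real DER."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample metadata, trimmed to the elements the import step uses.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.renovations.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_placeholder_cert("constructed-signing-cert")}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_placeholder_cert("constructed-encryption-cert")}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.renovations.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.renovations.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the Table 1 values from IdP metadata; raise if a required element is missing."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    protocols = idp.get("protocolSupportEnumeration", "").split()
    if SAML2_PROTOCOL not in protocols:
        raise ValueError("IdP does not advertise SAML 2.0 protocol support")

    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = next((sso[b] for b in BINDING_PREFERENCE if b in sso), None)
    if sso_url is None:
        raise ValueError("no SingleSignOnService with a supported binding")

    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is None or not node.text:
            continue
        der = base64.b64decode("".join(node.text.split()), validate=True)
        # In SAML metadata a KeyDescriptor without 'use' serves both purposes.
        for use in kd.get("use", "signing encryption").split():
            certs.setdefault(use, der)
    if "signing" not in certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")

    return {
        "entity_id": root.get("entityID"),
        "single_sign_on_url": sso_url,
        "protocol_support": SAML2_PROTOCOL,
        "signing_cert_der": certs["signing"],
        "encryption_cert_der": certs.get("encryption"),
        "signing_cert_sha256": hashlib.sha256(certs["signing"]).hexdigest(),
    }


def build_nomad_fields(safelinx_host: str, vault_host: str) -> dict:
    """Derive the Domino-side field values of steps 3, 7 and 8 from the two host names."""
    return {
        "site_host": f"nomad.vault.{safelinx_host}",
        "service_provider_id": f"https://nomad.vault.{vault_host}",
        "nomad_postback_url": f"https://{safelinx_host}/SL_saml/login/nomadfl",
    }


def check_nomad_fields(fields: dict) -> list:
    """Return the list of requirement violations (empty when the values are acceptable)."""
    problems = []
    if not fields["site_host"].startswith("nomad.vault."):
        problems.append("site host must carry the nomad.vault. prefix")
    sp = urlparse(fields["service_provider_id"])
    if sp.scheme != "https" or not sp.netloc.startswith("nomad.vault.") or sp.path not in ("", "/"):
        problems.append("Service Provider ID must be https://nomad.vault.<vault host>")
    pb = urlparse(fields["nomad_postback_url"])
    if pb.scheme != "https" or pb.path != "/SL_saml/login/nomadfl":
        problems.append("Nomad Postback URL must be https://<SafeLinx host>/SL_saml/login/nomadfl")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in meta.items():
        print(f"{key}: {len(value) if isinstance(value, bytes) else value}")
    fields = build_nomad_fields("safelinx.renovations.com", "domino1.renovations.com")
    print(fields, check_nomad_fields(fields) or "all field checks passed")
```

Run it against a real FederationMetadata.xml by replacing SAMPLE_METADATA with the file's contents; the SHA-256 of the signing certificate is the value to compare against what the IdP administrator reports before trusting the imported document, since the assertion signature check depends on it.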

Results

The ServiceProvider.xml file is attached to the IdP Configuration document. The ID vault server certificate and key created in the procedure are added to the ID vault server ID file.

What to do next