Generating a certificate to encrypt SAML assertions

This is an optional configuration for Identity Providers that require encrypted assertions. Your organization may require SAML assertions to be encrypted if assertions include attributes that contain sensitive personal data, for example, social security numbers. Domino® encrypts entire SAML assertions; partial encryption of specific attributes is not available. The assertions are both signed and encrypted. Domino does not support signing only.

About this task

To encrypt SAML assertions, you must import the Internet certificate for Domino into the server.id file. This step can be done automatically through the IdP configuration document. The automatic method is the easiest, but it is not always possible to use it. You must generate the certificate manually if any of the following conditions are true:
  • The server ID file of the Domino server is password protected.
  • You want to re-use an Internet certificate that already exists in the server ID file.
  • The signer of the IdP Catalog is not listed (and does not belong to a group that is listed) in the Server document, under Full Access Administrators > Administrators > Sign or run unrestricted methods and operations.
Note: You can create an Internet certificate by other methods, for example using the Domino® certificate authority (CA), as long as the key usage of the Internet certificate allows signing.
Note: Complete this procedure before you export an IdP configuration to ServiceProvider.xml. That way, ServiceProvider.xml contains the certificate, and the certificate is imported into your IdP together with the other Domino configuration information.