Creating a Web server IdP configuration document

Create an IdP configuration document for Web servers that will participate in SAML authentication.

Before you begin

Have the metadata .xml file that you exported from your IdP, for example FederationMetadata.xml, in a location from which you can access it so that you can import it into the IdP configuration document.
Note: If you will create another IdP configuration document, for example, for federated login with the ID vault, make a backup copy of the file; when you import the .xml file into the IdP configuration document, the .xml file is deleted from your local system.

About this task

If your Web servers are behind a load balancer or IP sprayer, create one Web server IdP configuration document. Your IdP will connect to the load balancer or IP sprayer. If your Web servers are not behind a load balancer or IP sprayer, create a separate IdP configuration document for each Web server.

Procedure

  1. Open idpcat.nsf.
  2. Click Add IdP Config to create a new configuration document.
  3. In the Basics tab, IdP name field, enter a name to identify the Web site of the identity provider; the name does not have to be exact, and is only for your administrative convenience.
    For example, if the Renovations organization has a support site hosted by a third party who will serve as an identity provider, using the IBM® Tivoli® Federated Identity Manager, the administrator might enter Renovations Customer Support (TFIM).
  4. In the Basics tab, Protocol version field, select a SAML version.
    Important: SAML 2.0 is required if your federation is configured on ADFS.
  5. In the Federation product field, select either TFIM for Tivoli® Federated Identity Manager or ADFS for Active Directory Federation Services, depending on which federation service you intend to use for SAML authentication.
  6. If you selected SAML 2.0, click Import XML file and select the metadata .xml file you exported from your IdP. In ADFS, this file name is typically FederationMetadata.xml.
    The following information is imported from the .xml file; do not modify it.
    Table 1. Fields in the IdP Configuration document whose values are generated from the metadata .xml file
    Field Description
    Artifact resolution service URL Domino® generates the artifact URL for the federation service you specified in the Product field.

    For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following artifact URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/soap.
    Single sign-on service URL If the data is available in the imported XML file, Domino® generates the login URL for the federation service you specified in the Product field.

    For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following login URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/logininitial.

    Note: The value in this field is a subset of the expected URL to the IdP. The Domino® server generates the full URL when necessary.
    Signing X.509 certificate Domino® imports the certificate code from file.
    Encryption X.509 certificate

    Domino® imports the certificate code from file.

    Note: This field appears only when the Type field is set to SAML 2.0.
    Protocol support enumeration Domino® generates a string designating the protocol(s) for the SAML release specified in the Type field that are also supported by the specified IdP. This string will become part of authentication URLs provided by Domino® as the service provider to the IdP specified in this configuration document.

    For example, url.oasis.names.tc:SAML:2.0:protocol.
  7. In the Basics tab > Host names or addresses mapped to this site field, configure the Web server DNS host name or host names.
    Restriction: If your Domino® Web server is using SSL, you must include an IP address after each host name, separated by a semicolon.
    Important: The host names you enter here should match what is entered in either the Host name(s) field on the Internet Protocols/HTTP tab in a Server document or the Host names or addresses mapped to this site field of an Internet Site (Web Site) document.

    For example, enter mail01.us.renovations.com;n.nn.nnn.n.

    If you use a load balancer to distribute requests across servers, include the host name and IP address for the load balancer as well as the host names and IP addresses of the target Web servers. Separate the servers with semi-colons or press Enter. For example:

    mail.us.renovations.com;n.nn.nnn.n
    mail01.us.renovations.com;n.nn.nnn.n
    mail02.us.renovations.com;n.nn.nnn.n

  8. Leave State for this Configuration document as Enabled (the default).
  9. In the Service provider ID field, enter a value to identify the web servers as service provider partner with the IdP.
    • This value has to be a properly constructed URL but it isn't used for HTTP connections.
    • If you are using SSL (required for ADFS), specify https: in the URL.
    • This value must match the value in the IdP trust or partnership that you will create to identify the web server. For example, in ADFS, this value must match the value specified in the Relying party trust identifiers box in the Relying Party Trust.
    For example: https://mail.us.renovations.com.
  10. Save and close the IdP configuration document.
    Tip: Saving the IdP configuration document enables the configuration which can cause HTTP servers to attempt to use SAML before you have completed SAML configuration. To prevent this behavior, open the configuration document and select Disabled. And then enable it again after SAML configuration is complete.
  11. Optional: If you want to ensure that SAML assertions are encrypted to help protect sensitive data, complete the task Generating a certificate to encrypt SAML assertions. Complete it before you complete the task Exporting the Domino web configuration to idp.xml file, so that the certificate is included in the idp.xml file.