IBM® Domino® 9.0 Social Edition provides support for federated-identity authentication using the SAML protocol.
Note: Part of a complete SAML-based solution for Domino requires working in other environments. This wiki article is meant to supplement the information on SAML in the IBM Domino 9.0 Social Edition Administrator Help. For basic information, see the following two Help topics:
Using Security Assertion Markup Language (SAML) to configure federated-identity authentication
Choosing a federation to configure as your identity provider (IdP)
This article documents the IBM Tivoli® Federated Identity Manager (TFIM) side of the configuration: adding the IBM Domino server as a service-provider partner to an existing TFIM federation, so that TFIM acts as the IdP for Domino.
1. Launch the TFIM console.
2. The main console is displayed.
3. Select Federation
- Select the radio button next to the appropriate federation, and click Next to get to the following screen:
4. Create a new Partner
- Expand the left-hand menu item Tivoli Federated Identity Manager - Configure Federated Single Sign-On and click Partners to get to the following screen.
- Click the Create button to create a new Partner.
5. Metadata Options
- For SAML 1.1, there are two options for supplying metadata: manual entry or import. If you choose the manual option, proceed with Steps 6 - 16; if you choose import, proceed with Steps 17 - 27.
- For SAML 2.0 there is ONLY the option to import the metadata from the IDP.XML file you created on the Domino Server (this file describes Domino as the service provider). For import instructions, proceed to Steps 17 - 27.
6. SAML 1.1 - Manual Entry of Metadata.
- Select Enter SAML settings manually.
- Click Next.
7. Contact Information
- Enter, at minimum, a Service Provider Company Name. This is information-only data that describes the Domino Server as the service provider.
- Click Next
8. Message Settings.
- Using the DNS hostname of your Domino server, enter the Provider ID, for example http://your_Domino_server_name.com
- Enter the Assertion Consumer Service URL, for example http://your_Domino_server_name.com/SAMLTest.nsf?SAMLLogin. You MUST append the string "/SAMLTest.nsf?SAMLLogin" as shown; this is the URL to which TFIM posts the signed assertion.
- Select the option Partner uses HTTP POST profile for Single Sign-On
- Click Next
Note: The Provider ID is carried in the SAML messages themselves (it identifies Domino as the intended audience of the assertion), so it must match exactly, including scheme and hostname, the value the Domino server is configured with; a mismatch causes the assertion to be rejected. In production, use https URLs for both values so that assertions are not posted over plain HTTP.
9. Signatures.
- Click Next on the following screen.
10. Configure Security Token.
- Select the Keystore you chose when configuring the Federation.
- Enter the Keystore Password.
- Click List Keys.
- Select a Key. This key signs the assertions TFIM sends to Domino, so its certificate must be the one Domino is configured to trust for this IdP.
- Click Next
11. Identity Mapping Options.
- Select Use XSL or JavaScript transformation for identity mapping.
- Click Next.
12. Identity Mapping.
- The rule was already selected when you created the Federation, so you can leave this blank.
- Click Next.
13. Summary.
14. Enable Partner
- Before reloading the configuration, click on the button for Enable Partner.
15. Reload Configuration.
- When the Load Configuration Changes warning message appears, click Load Configuration Changes.
16. Manual Partner Configuration is Complete.
17. SAML 1.1/2.0 - Import Metadata.
- If using SAML 1.1, select Import Metadata (for SAML 2.0 this is the only choice).
- Enter the path and filename of the IDP.XML file you created on the Domino Server, either via the server console or via the idpcat document.
Note: Make sure you have mapped a local drive to this location on the TFIM server before browsing. Copy the file over a trusted channel: it fixes the Provider ID and the Assertion Consumer Service URL to which TFIM will send assertions.
- Click Next.
18. Signature Validation
- Select Typical set of incoming SAML messages and assertions are signed.
- Select the DefaultKeyStore or the keystore you set up when creating the federation.
- Enter the Keystore Password
- Click Next.
19. Artifact Resolution
- Artifact resolution is NOT supported for the 9.0 release of Domino (the HTTP POST profile is used instead), so nothing needs to be entered here.
- Click Next.
20. Partner Settings
- You can accept the defaults or change them as needed.
- Click Next
21. Assertion Settings
- Leave the default value (an asterisk).
- Click Next.
22. Identity Mapping Options.
- Select Use XSL or JavaScript transformation for identity mapping
- Click Next.
23. Identity Mapping.
- The rule was already selected when you created the Federation, so you can leave this blank.
- Click Next.
24. Summary.
25. Enable Partner
- Before reloading the configuration, click on the button for Enable Partner.
26. Reload Configuration.
- When the Load Configuration Changes warning message appears, click Load Configuration Changes.
27. Partner Configuration is Complete.
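The values TFIM needs from Domino are the same whether you type them in at step 8 or TFIM reads them from the exported metadata at step 17: the Provider ID (entityID), the Assertion Consumer Service URL with the HTTP POST binding, and no artifact binding. The following Python script is an added example; it is not part of this article and not IBM Domino or TFIM code. It checks a service-provider metadata file for those values, then checks that a SAMLResponse form value posted to the ACS names the same Provider ID (Audience) and ACS URL (Recipient and Destination), which is what the note at step 8 means by the Provider ID showing up in the protocol. It uses SAML 2.0 namespaces; the metadata, the response and the hostnames domino.example.com and tfim.example.com are constructed samples. It does not verify the XML signature, which is a separate, mandatory check that TFIM and Domino perform.

```python
"""Check Domino SP metadata against what TFIM needs, then check that a SAML
Response posted to the ACS is addressed to that SP.
Added example, not IBM code: metadata, response and hostnames are constructed."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample of the SP metadata Domino exports (hypothetical hostname).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://domino.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://domino.example.com/SAMLTest.nsf?SAMLLogin"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of the (unsigned) Response TFIM would POST to the ACS.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2013-01-01T00:00:00Z"
    Destination="https://domino.example.com/SAMLTest.nsf?SAMLLogin">
  <saml:Issuer>https://tfim.example.com/FIM/sps/saml20/saml20</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
    <saml:Issuer>https://tfim.example.com/FIM/sps/saml20/saml20</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://domino.example.com/SAMLTest.nsf?SAMLLogin"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://domino.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def read_sp_metadata(xml_text):
    """Return (entity_id, post_acs_url, bindings) from SP metadata."""
    root = ET.fromstring(xml_text)
    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    bindings = [n.get("Binding") for n in acs]
    post = [n.get("Location") for n in acs if n.get("Binding") == POST_BINDING]
    return root.get("entityID"), (post[0] if post else None), bindings


def check_sp_metadata(xml_text):
    """Return a list of problems; empty means the metadata matches what steps
    8 and 17-19 of the article expect (POST profile only, ACS on ?SAMLLogin)."""
    entity_id, acs, bindings = read_sp_metadata(xml_text)
    problems = []
    if not entity_id:
        problems.append("no entityID (Provider ID)")
    if acs is None:
        problems.append("no HTTP-POST AssertionConsumerService")
    else:
        if not acs.endswith("?SAMLLogin"):
            problems.append("ACS URL does not end in ?SAMLLogin")
        if urlparse(acs).scheme != "https":
            problems.append("ACS URL is not https; assertions would be posted in clear")
        if entity_id and urlparse(acs).netloc != urlparse(entity_id).netloc:
            problems.append("ACS host differs from Provider ID host")
    if ARTIFACT_BINDING in bindings:
        problems.append("HTTP-Artifact binding present; not supported by Domino 9.0")
    return problems


def encode_form_value(xml_text):
    """Base64-encode a Response the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def check_response(saml_response_b64, entity_id, acs_url):
    """Confirm a posted SAMLResponse is addressed to this SP.  This does NOT
    verify the XML signature; that separate, mandatory check is done by the
    SP (Domino) and is out of scope for this example."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is missing or is not our ACS URL")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not name our Provider ID")
    recipients = [d.get("Recipient")
                  for d in root.findall(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append("Recipient is not our ACS URL")
    return problems


if __name__ == "__main__":
    print("metadata problems:", check_sp_metadata(SP_METADATA))
    entity_id, acs_url, _ = read_sp_metadata(SP_METADATA)
    print("response problems:",
          check_response(encode_form_value(SAML_RESPONSE), entity_id, acs_url))
```

Run the script as-is and both lists come back empty; change the ACS Location to http, or the Audience to another host, and the corresponding problem is reported. Running check_sp_metadata against the real IDP.XML before step 17 catches the mismatches (wrong scheme, missing ?SAMLLogin, artifact binding) that otherwise only surface as a rejected login after the partner is enabled.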