Cookbook: Setting up new Relying Party Trust for AD FS 2.0
Added by ~Denise Ekgerovitchlen | Edited by ~Wendy Quethipilyynds on June 17, 2013 | Version 9
Tags: 9.0, SAML

IBM® Domino® 9.0 Social Edition provides support for federated-identity authentication using the SAML protocol.

Note: Part of a complete SAML-based solution for Domino requires working in other environments. This wiki article is meant to supplement the information on SAML in the IBM Domino 9.0 Social Edition Administrator Help. For basic information, see the following two Help topics:

Using Security Assertion Markup Language (SAML) to configure federated-identity authentication

Choosing a federation to configure as your identity provider (IdP)

On Microsoft Active Directory Federation Service (ADFS), you use SAML 2.0, and instead of a "partner," you configure a Relying Party Trust.

Note: The Domino server you use with ADFS must be configured for SSL.

To configure ADFS for SAML 2.0:

1. Run the ADFS console by selecting Start > Administrative Tools > AD FS 2.0 Management.

2. Navigate to the Relying Party Trusts folder.

3. From the menu, select Action > Add Relying Party Trust.

4. Click Start.

5. If you do not have a Domino metadata file, select Enter data about the relying party manually, and click Next.

If you have a Domino metadata file to import, you can select Import data about the relying party from a file. Importing from a file completes the Display Name, Profile, Certificate, URL, and Identities steps for you.

6. Enter a Display name to represent the Domino service provider, and click Next.

7. Select AD FS 2.0 profile, and click Next.

8. Click Next again.

9. Select Enable support for the SAML 2.0 WebSSO protocol, enter the Relying party SAML 2.0 SSO service URL, and click Next.
Tip: Use the URL shown here, with the name of your Domino internet site (or Domino server hostname) substituted for renovations.com.

10. Enter a string in the Relying party trust identifier field at the top of the dialog box. (After you enter the string and click Add, your entry will appear in the list below.)
Note: This string needs to match the value in the Service provider ID field located in the Domino IdPCat configuration document in the IdP Catalog database. A good choice would be Service provider ID=https://your_server.com.
Then, click Next.

11. Select Permit all users to access this relying party, and click Next.

12. Click Next again.

13. Select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, and click Close.

14. If the Edit Claim Rules dialog does not open when the wizard closes, right-click the name of the Relying Party Trust you have created, and select Edit Claim Rules...

15. Click Add Rule.

16. Select Send LDAP Attributes as Claims, and click Next.

17. In the following dialog box:
  • Enter EmailAddressToNameID for the Claim rule name.
  • Select Active Directory from the Attribute store list.
  • Select E-Mail-Addresses for the LDAP Attribute.
  • Select Name ID for the Outgoing Claim Type.
  • Click Finish.

18. Click Apply and then click OK.

19. Right-click the new Relying Party Trust, and select Properties.

Particularly if you have used a Domino metadata import file, check the Endpoints tab. The Domino server uses the POST Binding, which should appear in the list of SAML Assertion Consumer Endpoints. The Domino server does not use an Artifact Binding, so if one exists in the list, you can remove it.

20. Navigate to AD FS 2.0 > Service and select Endpoints.

21. Locate the endpoint with Type set to Federation Metadata and take note of the URL. In the example screenshot, the URL is /FederationMetadata/2007-06/FederationMetadata.xml.

22. Download the federation metadata for the IdP by accessing that URL on your localhost – https://localhost/FederationMetadata/2007-06/FederationMetadata.xml.
Note: This metadata file contains the information needed for Domino to accept SAML assertions. This is the file that will be imported into the IdPCat Configuration document on the Domino server. Save the file in a location accessible for copying the file to the Domino server.

23. Test the login.

Note: You must have completed the IdPCat configuration in Domino before you can run the login test.

From a browser, enter a URL to the Domino server configured as the Service Provider above, followed by a database such as names.nsf.
Example: http://your_domino_server.com/testdb.nsf

You should see the ADFS login screen.
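Wizard steps 9 through 19 as a script for the AD FS 2.0 PowerShell snap-in, added here as an example and not part of the original article; the display name, the Service provider ID and the SSO service URL placeholder (the article shows the real Domino URL only in a screenshot) are assumptions to replace with your own values. It applies the same claim rule, authorization rule and POST-only endpoint check the wizard steps describe.

```powershell
# Added example, not from the article: AD FS 2.0 equivalent of wizard steps 9-19.
# $TrustName, $SpId and $AcsUrl are placeholders; substitute your own values.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$TrustName = "Domino SP"                 # step 6: Display name
$SpId      = "https://your_server.com"   # step 10: must equal the Domino Service provider ID
$AcsUrl    = "https://renovations.com/REPLACE_WITH_SSO_SERVICE_URL"  # step 9: SSO service URL

# Step 9: Domino consumes assertions over the HTTP-POST binding only.
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Step 11: "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 16-17: send the AD E-Mail-Addresses attribute (LDAP "mail") as the outgoing Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "EmailAddressToNameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Create the trust with the settings above (steps 3-18 of the wizard).
Add-ADFSRelyingPartyTrust -Name $TrustName -Identifier $SpId -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules

# Step 19 check: the Endpoints tab should list a POST assertion consumer and no Artifact binding.
$trust    = Get-ADFSRelyingPartyTrust -Name $TrustName
$post     = $trust.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' -and $_.Binding -eq 'POST' }
$artifact = $trust.SamlEndpoints | Where-Object { $_.Binding -eq 'Artifact' }
if (-not $post) { Write-Warning "No POST assertion consumer endpoint; Domino requires one." }
if ($artifact) {
    # Domino does not use the Artifact binding (a metadata import may have added it), so drop it.
    Set-ADFSRelyingPartyTrust -TargetName $TrustName `
        -SamlEndpoint ($trust.SamlEndpoints | Where-Object { $_.Binding -ne 'Artifact' })
}
if ($trust.Identifier -notcontains $SpId) { Write-Warning "Identifier differs from Domino Service provider ID $SpId" }
```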