Setting up encrypted assertions
Your organization may require SAML assertions to be encrypted if assertions include attributes that contain sensitive personal data, for example, social security numbers.
IBM Domino® 9.0 Social Edition encrypts entire SAML assertions; partial encryption of specific attributes is not available.
You can create a key to use for encrypting assertions. Store this key in the Domino server.id file.
Note The key can be the same key as the one used for creating the signed SAML certificate. For more information, see the steps on filling out the Certificate Management tab in the IDP Configuration document, described in the Domino 9.0 Social Edition Help topic Enabling the Domino Web server to provide SAML authentication.
Setting up encrypted assertions in TFIM
Procedure for TFIM (IBM Tivoli® Federated Information Manager)
1. When adding a partner to the IdP, under Encryption Key Identifier, select the key to be used to encrypt the assertion. You may need to enter the Keystore Password to see the listed keys.
2. Under the subsection Encryption Options, select Encrypt Assertion.
3. Under the subsection Encryption Algorithm, select the encryption algorithm to use.
Note In the Domino 9.0 Social Edition release, the supported encryption algorithms for TFIM are AES-128, AES-192, AES-256, and 3DES (also called TripleDES).
4. Apply the changes.
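Whichever IdP you configure (the TFIM steps above or the ADFS steps that follow), the outcome to verify is the same: the SAML response sent to Domino must carry an EncryptedAssertion rather than a plaintext Assertion, and the data-encryption algorithm must be one of the four listed in the note above. The following Python check is an added example written for this page, not code from Domino, TFIM or ADFS; it parses a captured SAML response and reports whether the assertion is encrypted and which algorithm was used. The three sample responses embedded in it are constructed, and the algorithm URIs are the standard XML Encryption identifiers.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Standard XML Encryption URIs for the four block ciphers the note above
# lists as supported for TFIM in the Domino 9.0 Social Edition release.
SUPPORTED_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc": "AES-128",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc": "AES-192",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc": "AES-256",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "3DES",
}


def inspect_response(xml_text):
    """Describe how the assertion in a SAML 2.0 Response is protected.

    Returns a dict with:
      encrypted            - True if a saml:EncryptedAssertion is present
      algorithm            - friendly name (or raw URI) of the data-encryption
                             algorithm, or None if not encrypted
      supported            - True if that algorithm is one Domino supports
      plaintext_assertions - number of unencrypted saml:Assertion elements
    """
    root = ET.fromstring(xml_text)
    result = {
        "encrypted": False,
        "algorithm": None,
        "supported": False,
        # Any plaintext Assertion means attributes such as an SSN travel in the clear.
        "plaintext_assertions": len(root.findall("saml:Assertion", NS)),
    }
    enc = root.find("saml:EncryptedAssertion", NS)
    if enc is None:
        return result
    result["encrypted"] = True
    # The EncryptionMethod directly under EncryptedData is the data-encryption
    # algorithm; an EncryptionMethod under xenc:EncryptedKey would describe key
    # transport instead, so it is deliberately not matched here.
    method = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
    if method is not None:
        alg = method.get("Algorithm")
        result["algorithm"] = SUPPORTED_ALGORITHMS.get(alg, alg)
        result["supported"] = alg in SUPPORTED_ALGORITHMS
    return result


# Constructed sample 1: assertion encrypted with AES-256-CBC (the desired state).
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed sample 2: "Encrypt Assertion" was never enabled, so the SSN
# attribute is readable by anything that sees the response.
PLAINTEXT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="ssn"><saml:AttributeValue>000-00-0000</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample 3: encrypted, but with an algorithm outside the supported
# list (AES-GCM from XML Encryption 1.1), which Domino 9.0 would not decrypt.
UNSUPPORTED_RESPONSE = ENCRYPTED_RESPONSE.replace(
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
)

if __name__ == "__main__":
    for label, doc in [("encrypted", ENCRYPTED_RESPONSE),
                       ("plaintext", PLAINTEXT_RESPONSE),
                       ("unsupported", UNSUPPORTED_RESPONSE)]:
        print(label, inspect_response(doc))
```

Run it against a response captured from a test login (for example, the base64-decoded SAMLResponse form field) after applying the IdP changes; a result with encrypted False or supported False means the configuration did not take effect or the chosen algorithm is outside the supported set.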
Setting up encrypted assertions in ADFS
Procedure for ADFS (Active Directory Federated Services)
1. Select the service provider for which you want to encrypt assertions. Right-click and select Properties.
2. On the Encryption tab, click Browse to select the certificate (.cer, .sst, or .p7b file) to use, and apply the changes.
3. If you do not have a file containing the certificate and you are using the same key for encryption as you are for signing, you can export the certificate used for signing and then import it to use for encryption within ADFS.
Exporting the signed certificate
1. Change to the Signature tab. The certificate should be selected. Then click View. In the new window, on the Details tab, click Copy to File.
2. Click Next twice.
3. Select a location and file name for saving the certificate.
4. Click Next and Finish.
Importing the certificate to use for encryption
1. On the Encryption tab, click Browse, select the certificate you exported to use for encryption, and click Open.
2. Apply the changes.