
Configure Domino REST API as SAML identity provider

To be able to access encrypted resources, like emails or confidential documents in application databases, Domino REST API needs to be configured as a SAML identity provider.

There are two scenarios:

  • Domino REST API is the only identity provider (This feature is subject to a later code drop).
  • Domino REST API is an additional identity provider (This feature is subject to a later code drop).

About this task

Because SAML is already available to you, this procedure guides you through adding Domino REST API as an identity provider and setting up websites to use an ID Vault via SAML.

The procedure guides you on configuring


  1. Open Domino Administrator. Go to the Current Server Document and open the Configuration tab. Make sure Load Internet configurations from Server\Internet Sites documents is enabled. Save and close.

    Load Internet Configuration

  2. From the left panel, select Web and then select Internet Sites. Click on Add Internet Site tab and select Web from the menu.

    Add Internet Site

    Now enter the following under Basics:

    • Organization Name (For example: Domino REST API)
    • Host names or addresses: Add your hostname.
    • Domino servers that host this site: Add your server name.

    Server Name

    Under Domino Web Engine tab, set Session authentication to SAML.

    Web Engine Tab

    Under Security tab, for TCP Authentication, disable Anonymous.

    TCP Authentication

    Save and close.

  3. Create an idpcat.nsf file using idpcat.ntf template. To do that, click File, go to Application and select New. In the New Application pop up, fill in the following details:

    • Server: Select your server from the dropdown.
    • Title: Give title as idpcat.
    • Template: Click on advanced template and select IdP catalog template.

    IdP Catalog

    Click OK. Now open the Idpconfig. To do that, press Ctrl+O, enter the name of the current server and the file name “idpcat.nsf”, then click Open.


    Click Add IdP Config. Under the Basics tab, add the following:

    • Host names or addresses mapped to this site: Add your host name.
    • Service provider ID: Add your server URL.
    • Single sign-on service URL:

    You should have descriptor.xml file on your machine. Import it here using Import XML file.


    Under Client Settings tab, set the following:

    • Enable Windows single sign-on: Yes
    • Enforce TLS: No

    Enforce TLS

    Under Certificate Management tab, click Company name. You should see Create SP Certificate button.


    Click Create SP Certificate. You will be prompted for a Company name. Give a unique name. Also set the Domino URL field: add your service URL.

    Click on Export SP XML and save ServiceProvider.xml for further use.

    Service Provider

    Save and close.

  4. Create an ID Vault. Open Domino Administrator and expand ID Vaults in the right-hand navigator.

    Expand ID Vaults

    Click on Create.... On the dialog that comes up, click on Next.

    Create ID Vault Dialog

    On the next screen, add ID vault name and click Next.

    ID Vault Name

    On the next screen, set your password and hit Next.

    ID Vault Password

    On the next screen, select the Vault server.

    Vault Server

    Add or remove administrators who can access vault.


    You can also add or remove organizations.


    You can specify who is authorized to reset passwords.

    Password Reset

    Click on Next and select Create a new policy assigned to specific people or groups.


    You can add or remove people who can add or edit ID vault policy settings.


    Set the hint for Forgotten Password Help.

    Password Hint

    Click Create Vault to create the vault.

You now need to set up your ID Vault. Open your vault NSF (for example: IBMID_VAULT\testsaml.nsf): select the file and click Open.

Navigate to the Configuration tab, edit the document, and add the host address in Web federated login approved IDP configurations.
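
Step 3 imports descriptor.xml and exports ServiceProvider.xml. The following added example (not part of the original documentation or the product) checks such a file before it is imported or handed on. It assumes both files are standard SAML 2.0 metadata; the sample document, its hostname and its certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not a real descriptor.xml; host and certificate are placeholders.
SAMPLE_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keep.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDERBASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://keep.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_metadata(xml_text, role="IDPSSODescriptor"):
    """Return a list of findings for one SAML 2.0 metadata document.

    Use role="SPSSODescriptor" for an exported service provider file.
    """
    # Metadata never needs a DTD; reject it before the parser sees any entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present; refuse to parse"]
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    findings = [] if root.get("entityID") else ["entityID is missing"]
    desc = root.find(f"md:{role}", NS)
    if desc is None:
        return findings + [f"no md:{role} element"]
    # A KeyDescriptor without a "use" attribute covers signing as well.
    certs = [c.text for kd in desc.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.iterfind(".//ds:X509Certificate", NS)]
    if not any(c and c.strip() for c in certs):
        findings.append("no signing certificate")
    # Every endpoint published for this role should be reached over TLS.
    for ep in desc:
        loc = ep.get("Location")
        if loc and not loc.lower().startswith("https://"):
            findings.append(f"{ep.tag.split('}')[1]} is not HTTPS: {loc}")
    return findings


if __name__ == "__main__":
    for finding in check_metadata(SAMPLE_IDP) or ["no findings"]:
        print(finding)
```
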