Link Search Menu Expand Document

KEEP SAML configuration

To be able to access encrypted resources, like emails or confidential documents in application databases, KEEP needs to be configured as a SAML identity provider.

There are two scenarios:

  • KEEP is the only identity provider (This feature is subject to a later code drop)
  • KEEP is an additional identiy provider (This feature is subject to a later code drop)

SAML is already available for you. You just need to add KEEP as an Identity Provider. Below is how you can do that and setup websites to use an ID Vault via SAML.

  1. Open Domino Administrator. Go to Current Server Document and open Configuration tab. Make sure Load Internet configurations from Server\Internet Sites documents is enabled. Save and close. Load Internet Configuration

  2. From the left panel, select Web and then select Internet Sites. Click on Add Internet Site tab and select Web from the menu. Add Internet Site

Now enter the following under Basics- Organization Name (For example: Project KEEP) Host names or addresses: Add your hostname Domino servers that host this site: Add your server Name. Server Name

Under Domino Web Engine tab, set Session authentication to SAML. Web Engine Tab

Under Security tab, for TCP Authentication, disable Anonymous. TCP Authentication

Save and close.

  1. Now you need to create idpcat.nsf file using idpcat.ntf template. To do that, click on File, go to Application and select New. In the New Application pop up, fill in the following details- Server: Select your server from the dropdown. Title: Give title as idpcat Template: Click on advanced template and select IdP catalog template. IdP Catalog

Click OK. Now try to open the Idpconfig. To do that press ctrl+o, enter the name of the current server and file name as “idpcat.nsf”. Click on Open. idpcat

Now click on _Add IdP Config. Under the **Basics tab, add the following: Host names or addresses mapped to this site: Add your host name Service provider ID: Add your server URL **Single sign-on service URL**:

You should have descriptor.xml file on your machine. Import it here using Import XML file. DescriptorXML

Under Client Settings tab, set the following:

  • Enable Windows single sign-on: Yes
  • Enforce TLS: No

Enforce TLS

Under Certificate Management tab, click on Company name. You should see Create SP Certificate button. CreateSPCertificate

Click on Create SP Certificate button. You will be prompted for Company name. Give a unique name. Also set the below field: Domino URL: Add your service URL

Now click on Export SP XML and save ServiceProvider.xml for further use. Service Provider

Save and close.

  1. Now we will create ID Vault. Open Domino Administrator and expand ID Vaults on right hand side navigator. Expand ID Vaults

Click on Create…. On the dialog that comes up, click on Next. Create ID Vault Dialog

On the next screen, add ID vault name and click Next. ID Vault Name

On the next screen, set your password and hit Next. ID Vault Password

On the next screen, select the Vault server. Vault Server

Add or remove administrators who can access vault. Administrator

You can also add or remove organizations. Organization

You can specify who is authorized to reset passwords. Password Reset

Click on Next and select Create a new policy assigned to specific people or groups. Policy

You can add or remove people who can add or edit ID vault policy settings. People

Set the hint for Forgotten Password Help. Password Hint

Now by clicking on Create Vault, the vault will be created.

You now need to set up your ID Vault. Open your vault NSF(For example: IBMID_VAULT\testsaml.nsf). Click on **_Open** by selecting the file.

Navigate to Configuration tab, edit document and add the host address in Web federated login approved IDP configurations.