To be able to access encrypted resources, like emails or confidential documents in application databases, KEEP needs to be configured as a SAML identity provider.
There are two scenarios:
- KEEP is the only identity provider (This feature is subject to a later code drop)
- KEEP is an additional identiy provider (This feature is subject to a later code drop)
SAML is already available for you. You just need to add KEEP as an Identity Provider. Below is how you can do that and setup websites to use an ID Vault via SAML.
Open Domino Administrator. Go to Current Server Document and open Configuration tab. Make sure Load Internet configurations from Server\Internet Sites documents is enabled. Save and close.
From the left panel, select Web and then select Internet Sites. Click on Add Internet Site tab and select Web from the menu.
Now enter the following under Basics- Organization Name (For example: Project KEEP) Host names or addresses: Add your hostname Domino servers that host this site: Add your server Name.
Under Domino Web Engine tab, set Session authentication to SAML.
Under Security tab, for TCP Authentication, disable Anonymous.
Save and close.
- Now you need to create idpcat.nsf file using idpcat.ntf template. To do that, click on File, goto Application and select New. In the New Application pop up, fill in the following details- Server: Select your server from the dropdown. Title: Give title as idpcat Template: Click on advanced template and select IdP catalog template.
Click OK. Now try to open the Idpconfig. To do that press ctrl+o, enter the name of the current server and file name as “idpcat.nsf”. Click on Open.
Now click on Add IdP Config. Under the **_Basics tab, add the following: Host names or addresses mapped to this site: Add your host name Service provider ID: Add your server URL Single sign-on service URL: https://keycloak.quattro.rocks/auth/realms/hcllabs/protocol/saml
You should have descriptor.xml file on your machine. Import it here using Import XML file.
Under Client Settings tab, set the following: Enable Windows single sign-on: Yes Enforce TLS: No
Under Certificate Management tab, click on Company name. You should see Create SP Certificate button.
Click on Create SP Certificate button. You will be prompted for Company name. Give a unique name. Also set the below field: Domino URL: Add your service URL
Now click on Export SP XML and save ServiceProvider.xml for further use.
Save and close.
- Now we will create ID Vault. Open Domino Administrator and expand ID Vaults on right hand side navigator.
Click on Create…. On the dialog that comes up, click on Next.
On the next screen, add ID vault name and click Next.
On the next screen, set your password and hit Next.
On the next screen, select the Vault server.
Add or remove administrators who can access vault.
You can also add or remove organizations.
You can specify who is authorized to reset passwords.
Click on Next and select Create a new policy assigned to specific people or groups.
You can add or remove people who can add or edit ID vault policy settings.
Set the hint for Forgotten Password Help.
Now by clicking on Create Vault, the vault will be created.
You now need to set up your ID Vault. Open your vault NSF(For example: IBM_ID_VAULT\testsaml.nsf). Click on Open by selecting the file.
Navigate to Configuration tab, edit document and add the host address in Web federated login approved IDP configurations.