HCL Domino Ideas Portal

Status Under Consideration
Workspace Domino
Categories Security
Created by Guest
Created on Jan 30, 2020

Update Domino SAML IdP configuration when ADFS Token Signer Certificates has been changed

Once a year, ADFS must change its Token Signer Certificate. 2 weeks before the expiration of its old one, ADFS creates a second, new one. Connected applications will detect this second one and will change their configuration automatically.

HCL Domino doesn't have that capability.

Please add this functionality in Domino.

If you don't update your configuration when this Token Signer Certificate changes, the Notes Clients and Web users cannot use SAML for SSO anymore and receive an error: "Document has been modified or corrupted since signed! (signature)".

On the SAML log you see: "SECCheckAndParseSAMLResponse> Exiting : Document has been modified or corrupted since signed! (signature)"

  • Guest, Feb 7, 2021

    Jep. Just two more customers to add to the list that experience this...

  • Guest, Sep 21, 2020

    Got the same problem today, so we ran into trouble for several hours without SSO.

    Checking with set config debug_saml=31 shows the problem.

    Thanks to a google search I found this helpful topic here. Thanks!

    By contacting the customer ADFS administrator, I got the confirmation that ADFS Server has two new certificates for token decryption and token signature by autorenewal.

    Exactly two weeks before the old certificate expires, the ADFS uses the new certificates primarily and the old certificates secondarily. At this point the Domino SSO with SAML didn't work anymore.

    After getting and importing the new FederationMetadata.xml file into IDP-Catalog and restarting servers, the problem was fixed.

    Please improve this topic.

    How is it possible to check the expiration date of certificates in advance on the Domino Server side by administration?

  • Guest, Aug 10, 2020

    My customer just experienced this; no users could log in for several hours.

  • Guest, Jan 31, 2020

    Not having this feature means an operational risk of uncontrolled service outages for all Domino applications that are enabled for ADFS SSO. Suddenly, all at once.

    In this situation, the Domino applications themselves are still running, but if users can't log in, we should be calling it a service outage.

    [Toni Feric, Belsoft Collaboration]

  • Guest, Jan 30, 2020

    Also discovered that we could not import the new one because ADFS delivers 2 certificates in the metadata.xml. You have to remove the second one before importing it into idpcat.nsf.

  • Guest, Jan 30, 2020

    Yes and Yes! :-)
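A check for the situation the thread describes (ADFS publishing two token-signing certificates in FederationMetadata.xml, which the IdP catalog import rejects until one is removed), written for this page as an added example rather than HCL or Microsoft code. It assumes the standard SAML 2.0 metadata and XML-DSig namespaces; the sample metadata, entityID and certificate blobs are constructed placeholders, and the function names are my own.

```python
# Added example (not HCL or Microsoft code): detect an ADFS token-signing
# rollover in FederationMetadata.xml and keep a single signing certificate.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample with two use="signing" entries, as ADFS publishes during
# the two-week rollover. The base64 blobs are placeholders, not real DER certs.
NEW_CERT = base64.b64encode(b"placeholder-new-signing-cert").decode()
OLD_CERT = base64.b64encode(b"placeholder-old-signing-cert").decode()
ENC_CERT = base64.b64encode(b"placeholder-encryption-cert").decode()
KD = ('<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
      '{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="http://adfs.example.test/adfs/services/trust">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + KD.format(use="signing", cert=NEW_CERT)
    + KD.format(use="signing", cert=OLD_CERT)
    + KD.format(use="encryption", cert=ENC_CERT)
    + "</md:IDPSSODescriptor></md:EntityDescriptor>")

def _thumbprint(key_descriptor):
    """SHA-1 of the DER bytes as upper-case hex, the form ADFS displays."""
    b64 = key_descriptor.findtext(".//ds:X509Certificate", namespaces=NS)
    return hashlib.sha1(base64.b64decode("".join(b64.split()))).hexdigest().upper()

def signing_thumbprints(xml_text):
    """Thumbprints of every use="signing" certificate, in document order.
    Two entries mean the rollover has begun and a plain import will fail."""
    root = ET.fromstring(xml_text)
    return [_thumbprint(kd) for kd in root.iterfind(".//md:KeyDescriptor[@use='signing']", NS)]

def keep_one_signing_cert(xml_text, thumbprint):
    """Drop every other signing entry (encryption entries stay) so the metadata
    carries exactly one token-signing certificate for the IdP catalog import."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    matches = list(root.iterfind(".//md:KeyDescriptor[@use='signing']", NS))
    keep = [kd for kd in matches if _thumbprint(kd) == thumbprint]
    if len(keep) != 1:
        raise ValueError(f"expected one signing cert matching {thumbprint}, found {len(keep)}")
    for kd in matches:
        if kd is not keep[0]:
            parent_of[kd].remove(kd)
    return ET.tostring(root, encoding="unicode")
```

Expiry dates are not parsed here; wrap a certificate blob in PEM markers and run openssl x509 -noout -enddate for that, or poll the metadata URL on a schedule and alert as soon as a second signing certificate appears, which is the two-week warning window the comments describe. The ADFS administrator can confirm which thumbprint is the primary one with Get-AdfsCertificate -CertificateType Token-Signing.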