Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.
Jep. Just two more customers to add to the list that experience this...
Got the same problem today, so we ran into trouble for several hours without SSO.
Checking with set config debug_saml=31 shows the problem.
Thanks to a Google search I found this helpful topic here. Thanks!
By contacting the customer's ADFS administrator, I got the confirmation that the ADFS server has two new certificates for token decryption and token signing, created by auto-renewal.
Exactly two weeks before the old certificate expires, ADFS uses the new certificates as primary and the old certificates as secondary. At this point the Domino SSO with SAML doesn't work anymore.
After obtaining the new FederationMetadata.xml file, importing it into the IdP Catalog and restarting the servers, the problem was fixed.
Please improve this topic.
How is it possible for an administrator to check the expiration date of the certificates in advance on the Domino server side?
My customer just experienced this, no users could login for several hours.
Not having this feature means an operational risk of uncontrolled service outages for all Domino applications that are enabled for ADFS SSO, suddenly and all at once.
In this situation, the Domino applications themselves are still running, but if users can't log in, we should call it a service outage.
[Toni Feric, Belsoft Collaboration]
Also discovered that we could not import the new one because ADFS delivers two certificates in the metadata.xml. You have to remove the second one before importing it into idspcat.nsf.
Yes and Yes! :-)
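One way for an administrator to check those expiry dates ahead of time, as asked in the thread, and to see both certificates that ADFS places in the metadata: the script below is an added example, not part of the thread and not HCL or Domino code. It parses a FederationMetadata.xml with the Python standard library only, reads notAfter out of each X509Certificate with a minimal DER walker, and flags every certificate inside the 14-day window in which ADFS switches to the new certificate. The entityID, the metadata document and the certificates are constructed test data (unsigned DER shells with a real Validity field); on a real server you would feed it the FederationMetadata.xml downloaded from ADFS before importing it into the IdP Catalog.

```python
"""Added example: expiry check for the certificates in an ADFS FederationMetadata.xml."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WARN_DAYS = 14  # ADFS promotes the new certificate two weeks before expiry


# --- minimal DER helpers (stdlib only, no cryptography dependency) ----------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _utctime(t: dt.datetime) -> bytes:
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def build_fake_cert(not_before: dt.datetime, not_after: dt.datetime) -> bytes:
    """Constructed, unsigned X.509 DER shell whose Validity field is real.
    Test data only: just the fields the checker walks are populated."""
    empty_name = _tlv(0x30, b"")
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),          # [0] version = v3
        _tlv(0x02, b"\x01"),                      # serialNumber
        _tlv(0x30, b""),                          # signature AlgorithmIdentifier
        empty_name,                               # issuer
        _tlv(0x30, _utctime(not_before) + _utctime(not_after)),  # validity
        empty_name,                               # subject
        _tlv(0x30, b""),                          # subjectPublicKeyInfo
    ]))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

def cert_not_after(der: bytes) -> dt.datetime:
    """Walk Certificate -> TBSCertificate -> Validity and return notAfter."""
    _, cert_body, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)
    tag, _, pos = _read_tlv(tbs, 0)          # [0] version (optional) or serial
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)      # serialNumber
    _, _, pos = _read_tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)          # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)
    _, _, vpos = _read_tlv(validity, 0)      # notBefore (skipped)
    tag, raw, _ = _read_tlv(validity, vpos)  # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(raw.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def check_metadata(xml_text: str, now: dt.datetime, warn_days: int = WARN_DAYS):
    """One (use, days_left, status) record per KeyDescriptor. ADFS publishes
    primary and secondary certificates side by side, so a rollover shows up
    as two 'signing' entries with different expiry dates."""
    root = ET.fromstring(xml_text)
    findings = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        cert_el = kd.find(f".//{{{DS_NS}}}X509Certificate")
        if cert_el is None or not cert_el.text:
            continue
        der = base64.b64decode("".join(cert_el.text.split()))
        days = (cert_not_after(der) - now).days
        status = "EXPIRED" if days < 0 else "ROLLOVER-WINDOW" if days <= warn_days else "OK"
        findings.append((kd.get("use", "any"), days, status))
    return findings


# --- constructed sample metadata: old + new signing cert, one encryption cert
NOW = dt.datetime(2024, 3, 1, tzinfo=dt.timezone.utc)

def _key_descriptor(use: str, days_from_now: int) -> str:
    der = build_fake_cert(NOW - dt.timedelta(days=365), NOW + dt.timedelta(days=days_from_now))
    b64 = base64.b64encode(der).decode()
    return (f'<KeyDescriptor use="{use}"><KeyInfo xmlns="{DS_NS}"><X509Data>'
            f'<X509Certificate>{b64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>')

SAMPLE_METADATA = (
    f'<EntityDescriptor xmlns="{MD_NS}" entityID="http://adfs.example.test/adfs/services/trust">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key_descriptor("signing", 10)       # old signing cert, inside the 14-day window
    + _key_descriptor("signing", 375)      # freshly auto-renewed signing cert
    + _key_descriptor("encryption", -3)    # already expired
    + "</IDPSSODescriptor></EntityDescriptor>"
)

if __name__ == "__main__":
    for use, days, status in check_metadata(SAMPLE_METADATA, NOW):
        print(f"{use:10s} {days:5d} days left  {status}")
```

Run it on a schedule against the metadata file and alert on any ROLLOVER-WINDOW or EXPIRED line; the two "signing" entries are exactly the situation described above, where the new certificate must be imported (and the superseded one removed) before ADFS makes it primary.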