#dominoforever | Product Ideas Portal

Update Domino SAML IdP configuration when the ADFS Token Signer Certificate has been changed

Once a year, ADFS must change its Token Signer Certificate. Two weeks before the expiration of its old one, ADFS creates a second, new one. Connected applications detect this second one and change their configuration automatically.

HCL Domino doesn't have that capability.

Please add this functionality in Domino.

If you don't update your configuration when this Token Signer Certificate changes, Notes clients and web users cannot use SAML for SSO anymore and receive the error: "Document has been modified or corrupted since signed! (signature)".

In the SAML log you see: "SECCheckAndParseSAMLResponse> Exiting : Document has been modified or corrupted since signed! (signature)"

  • Guest
  • Jan 30 2020
  • Likely to implement
  • Guest commented
    21 Sep 02:57pm

    Got the same problem today, so we ran into trouble for several hours without SSO.

    Checking with set config debug_saml=31 shows the problem.

    Thanks to a Google search I found this helpful topic here. Thanks!

    By contacting the customer's ADFS administrator, I got the confirmation that the ADFS server has two new certificates for token decryption and token signing, created by auto-renewal.

    Exactly two weeks before the old certificate expires, ADFS uses the new certificates as primary and the old certificates as secondary. At this point the Domino SSO with SAML didn't work anymore.

    After getting and importing the new FederationMetadata.xml file into the IdP catalog and restarting the servers, the problem was fixed.

    Please improve this topic.

    How is it possible to check the expiration date of the certificates in advance on the Domino server side, as an administrator?

  • Guest commented
    10 Aug 09:16am

    My customer just experienced this, no users could login for several hours.

  • Guest commented
    31 Jan 03:05pm

    Not having this feature means an operational risk of uncontrolled service outages for all Domino applications that are enabled for ADFS SSO. Suddenly, all at once.

    In this situation, the Domino applications themselves are still running, but if users can't login, we should be calling it a service outage.

    [Toni Feric, Belsoft Collaboration]

  • Guest commented
    30 Jan 01:21pm

    Also discovered that we could not import the new one because ADFS delivers 2 certificates in the metadata.xml. You have to remove the second one before importing it into idpcat.nsf.
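
An added example, not code from the portal, HCL or any commenter, covering the two points raised in these comments: it parses an ADFS FederationMetadata.xml, lists every token-signing certificate under IDPSSODescriptor with its SHA-256 fingerprint and notAfter date, and flags either an approaching expiry or the appearance of a second signing certificate, which is the moment the Domino SAML SSO described here stops working. Element names follow the SAML 2.0 metadata schema; the fake_metadata helper builds a constructed, unsigned stand-in certificate for offline testing and is not real ADFS output.

```python
import base64, hashlib, xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, end_offset)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                      # long-form length (real certs need it)
        n, ln = ln & 0x7F, 0
        for _ in range(n):
            ln, pos = (ln << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + ln], pos + ln

def cert_not_after(der):
    """notAfter of an X.509 DER cert: Certificate > tbsCertificate > validity > second Time."""
    tbs = _tlv(_tlv(der)[1])[1]
    pos = _tlv(tbs)[2] if tbs[0] == 0xA0 else 0        # skip explicit [0] version if present
    for _ in range(3):                                 # skip serialNumber, signature, issuer
        pos = _tlv(tbs, pos)[2]
    validity = _tlv(tbs, pos)[1]
    tag, value, _ = _tlv(validity, _tlv(validity)[2])
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)

def signing_certs(metadata_xml):
    """Token-signing certs published under IDPSSODescriptor: fingerprint and expiry of each."""
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor[@use='signing']", NS):
        der = base64.b64decode("".join(kd.find(".//ds:X509Certificate", NS).text.split()))
        certs.append({"sha256": hashlib.sha256(der).hexdigest(), "not_after": cert_not_after(der)})
    return certs

def rollover_check(certs, now, warn_days=30):
    """One status line: a second published cert means rollover has begun; warn near expiry."""
    if len(certs) > 1:
        return "ROLLOVER: %d signing certs published, re-import metadata into idpcat.nsf" % len(certs)
    days = (certs[0]["not_after"] - now).days
    return "%s: signing cert expires in %d days" % ("WARN" if days < warn_days else "OK", days)

# Constructed test data, not real ADFS output: an unsigned DER skeleton with only the fields the parser walks.
def fake_metadata(*not_afters):
    d = lambda tag, payload: bytes([tag, len(payload)]) + payload       # short-form DER TLV
    def cert_b64(na):
        validity = d(0x30, d(0x17, b"240101000000Z") + d(0x17, na))
        tbs = d(0xA0, d(0x02, b"\x02")) + d(0x02, b"\x01") + d(0x30, b"") + d(0x30, b"") + validity
        return base64.b64encode(d(0x30, d(0x30, tbs))).decode()
    kd = '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>%s</ds:X509Certificate></ds:KeyInfo></KeyDescriptor>'
    return '<EntityDescriptor xmlns="%s" xmlns:ds="%s"><IDPSSODescriptor>%s</IDPSSODescriptor></EntityDescriptor>' % (
        NS["md"], NS["ds"], "".join(kd % cert_b64(na) for na in not_afters))
```

Point signing_certs() at the downloaded FederationMetadata.xml from a scheduled job; a ROLLOVER result is the signal to re-import before the old certificate is retired.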

  • Guest commented
    30 Jan 09:37am

    Yes and Yes! :-)