#dominoforever | Product Ideas Portal

 

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Import the new certificate before AD start to use it in SAML without outage.

ADFS uses 2 tokens : token-signing and token-decryption certificate. Both are renewed periodically. IBM Domino relays on idpcat.nsf for SAML. It contains IDP config documents. Each IDP config document contains FederationMetadata.xml imported. ADFS renews it's certificates in advance and allows federation partners to prepare for use of new certificates.

IDP config document allows to import FederationMetadata.xml file. Once it is imported then SAML is working on Domino. However once ADFS generates new certificates then new FederationMetadata.xml should be imported. However Domino administrator cannot do that until ADFS starts using new certificate. Let's say ADFS will start using new certificates 2020.01.01 00:00 . In that case Domino will stop authenticate SAML users at 2020.01.01 00:00. It will do so until Domino administrator imports new FederationMetadata.xml . If there are more than 1 Domino server, let's say 10, then it will take about 1 hour for Domino administrator to import new FederationMetadata.xml to each IDP Config document and replicate changes to each server and restart HTTP of each server and test each server. So end users will not be able authenticate for 1 hour.

  • Guest
  • Feb 22 2019
  • Needs review
  • Attach files
  • Guest commented
    21 Sep, 2020 03:00pm

    Please improve this topic.

    See also related ticket https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-1146

  • Guest commented
    20 Aug, 2019 07:24pm

    This is how it works with internet certificates in domino so it shouöd be very simple because this uses type of the same mechanism. 

  • Guest commented
    22 Feb, 2019 01:58pm

    It shoud be an easy fix for IBM:  instead of checking 1 public key to verify if ADFS packet is signed IBM could add the code to check 2 public keys. If at least one public key shows that packet is signed then it's signed. Public keys are imported to IDP Config document during FederationMetadata.xml import. During this import IBM could keep old data previously imported and allow to add new data.