Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.
For more information and upcoming events around #dominoforever, please visit our Destination Domino Page
Import the new certificate before AD start to use it in SAML without outage.
ADFS uses 2 tokens : token-signing and token-decryption certificate. Both are renewed periodically. IBM Domino relays on idpcat.nsf for SAML. It contains IDP config documents. Each IDP config document contains FederationMetadata.xml imported. ADFS renews it's certificates in advance and allows federation partners to prepare for use of new certificates.
IDP config document allows to import FederationMetadata.xml file. Once it is imported then SAML is working on Domino. However once ADFS generates new certificates then new FederationMetadata.xml should be imported. However Domino administrator cannot do that until ADFS starts using new certificate. Let's say ADFS will start using new certificates 2020.01.01 00:00 . In that case Domino will stop authenticate SAML users at 2020.01.01 00:00. It will do so until Domino administrator imports new FederationMetadata.xml . If there are more than 1 Domino server, let's say 10, then it will take about 1 hour for Domino administrator to import new FederationMetadata.xml to each IDP Config document and replicate changes to each server and restart HTTP of each server and test each server. So end users will not be able authenticate for 1 hour.
Update Domino SAML IdP configuration when ADFS Token Signer Certificates has been changed
Once a year, ADFS must change it's Token Signer Certificate. 2 weeks before the expiration of it's old on, ADFS creates a second new one. Connected application will detect this second one and will change their configuration automatically.