Skip to Main Content
HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Status Shipped
Workspace Domino
Categories Administration
Created by Guest
Created on Feb 22, 2019

Import the new certificate before AD start to use it in SAML without outage.

ADFS uses 2 tokens : token-signing and token-decryption certificate. Both are renewed periodically. IBM Domino relays on idpcat.nsf for SAML. It contains IDP config documents. Each IDP config document contains FederationMetadata.xml imported. ADFS renews it's certificates in advance and allows federation partners to prepare for use of new certificates.

IDP config document allows to import FederationMetadata.xml file. Once it is imported then SAML is working on Domino. However once ADFS generates new certificates then new FederationMetadata.xml should be imported. However Domino administrator cannot do that until ADFS starts using new certificate. Let's say ADFS will start using new certificates 2020.01.01 00:00 . In that case Domino will stop authenticate SAML users at 2020.01.01 00:00. It will do so until Domino administrator imports new FederationMetadata.xml . If there are more than 1 Domino server, let's say 10, then it will take about 1 hour for Domino administrator to import new FederationMetadata.xml to each IDP Config document and replicate changes to each server and restart HTTP of each server and test each server. So end users will not be able authenticate for 1 hour.

  • Attach files
  • Guest
    May 3, 2022

    Very much needed here as well!

  • Guest
    Dec 7, 2021

    Can you please implement this, today we had an outage at at big customer for several hours because of the issue,

  • Guest
    Sep 21, 2020

    Please improve this topic.

    See also related ticket

  • Guest
    Aug 20, 2019

    This is how it works with internet certificates in domino so it shouöd be very simple because this uses type of the same mechanism. 

  • Guest
    Feb 22, 2019

    It shoud be an easy fix for IBM:  instead of checking 1 public key to verify if ADFS packet is signed IBM could add the code to check 2 public keys. If at least one public key shows that packet is signed then it's signed. Public keys are imported to IDP Config document during FederationMetadata.xml import. During this import IBM could keep old data previously imported and allow to add new data.


Update Domino SAML IdP configuration when ADFS Token Signer Certificates has been changed

Once a year, ADFS must change it's Token Signer Certificate. 2 weeks before the expiration of it's old on, ADFS creates a second new one. Connected application will detect this second one and will change their configuration automatically. HCL Do...
about 3 years ago in Domino / Security 6 Shipped