Welcome to the #dominoforever Product Ideas Lab! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated jointly by the IBM & HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino page.

Import the new certificate before AD start to use it in SAML without outage.

ADFS uses 2 tokens : token-signing and token-decryption certificate. Both are renewed periodically. IBM Domino relays on idpcat.nsf for SAML. It contains IDP config documents. Each IDP config document contains FederationMetadata.xml imported. ADFS renews it's certificates in advance and allows federation partners to prepare for use of new certificates.

IDP config document allows to import FederationMetadata.xml file. Once it is imported then SAML is working on Domino. However once ADFS generates new certificates then new FederationMetadata.xml should be imported. However Domino administrator cannot do that until ADFS starts using new certificate. Let's say ADFS will start using new certificates 2020.01.01 00:00 . In that case Domino will stop authenticate SAML users at 2020.01.01 00:00. It will do so until Domino administrator imports new FederationMetadata.xml . If there are more than 1 Domino server, let's say 10, then it will take about 1 hour for Domino administrator to import new FederationMetadata.xml to each IDP Config document and replicate changes to each server and restart HTTP of each server and test each server. So end users will not be able authenticate for 1 hour.

  • Avatar32.5fb70cce7410889e661286fd7f1897de Guest
  • Feb 22 2019
  • Attach files
  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    22 Feb 13:58

    It shoud be an easy fix for IBM:  instead of checking 1 public key to verify if ADFS packet is signed IBM could add the code to check 2 public keys. If at least one public key shows that packet is signed then it's signed. Public keys are imported to IDP Config document during FederationMetadata.xml import. During this import IBM could keep old data previously imported and allow to add new data.