Setting up encrypted assertions
Your organization may require SAML assertions to be encrypted if assertions include attributes that contain sensitive personal data, for example, social security numbers.
IBM Domino® 9.0 Social Edition encrypts entire SAML assertions; partial encryption of specific attributes is not available.
You can create a key to use for encrypting assertions. Store this key in the Domino server.id.
The key can be the same key as the one used for creating the signed SAML certificate. For more information, see the steps on filling out the Certificate Management tab in the IDP Configuration document, described in the Domino 9.0 Social Edition Help topic "Enabling the Domino Web server to provide SAML authentication".
Setting up encrypted assertions in TFIM
Procedure for TFIM (IBM Tivoli® Federated Information Manager)
1. When adding a partner to the IdP, under Encryption Key Identifier, select the key to be used to encrypt the assertion. You may need to enter the Keystore Password to see the listed keys.
2. Under the subsection Encryption Options, select Encrypt Assertion.
3. Under the subsection Encryption Algorithm, select the encryption algorithm to use.
In the Domino 9.0 Social Edition release, the supported encryption algorithms for TFIM are AES-128, AES-192, AES-256, and 3DES (also called TripleDES).
4. Apply the changes.
Setting up encrypted assertions in ADFS
Procedure for ADFS (Active Directory Federated Services)
1. Select the service provider for which you want to encrypt assertions. Right-click and select Properties.
2. On the Encryption tab, click Browse to select the certificate (.cer, .sst, or .p7b file) to use, and apply the changes.
3. If you do not have a file containing the certificate and you are using the same key for encryption as you are for signing, you can export the certificate used for signing and then import it to use for encryption within ADFS.
Exporting the signed certificate
1. Change to the Signature tab. The certificate should be selected. Then click View. In the new window, on the Details tab, click Copy to File.
2. Click Next.
3. Select a location and file name for saving the certificate.
4. Click Next.
Importing the certificate to use for encryption
1. On the Encryption tab, click Browse, select the certificate you exported to use for encryption, and click Open.
2. Apply the changes.
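After configuring either IdP (TFIM or ADFS) as described above, a quick way to confirm that it really emits an encrypted assertion with one of the listed ciphers, and no cleartext Assertion alongside it, is to inspect the SAML Response it returns. This is an added example, not code from IBM's documentation or from Domino, TFIM or ADFS; the two responses are constructed samples and the CipherValue is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# XML Encryption algorithm URIs for the ciphers the page lists as supported.
SUPPORTED = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc": "AES-128",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc": "AES-192",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc": "AES-256",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "3DES",
}

def inspect_response(xml_text):
    """Report whether a SAML Response carries only an EncryptedAssertion and
    which block cipher the IdP chose. Nothing is decrypted here."""
    root = ET.fromstring(xml_text)
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    # A cleartext Assertion next to an encrypted one still leaks attributes.
    result = {"encrypted": bool(encrypted) and not plain,
              "plaintext_assertions": len(plain), "algorithm": None, "supported": False}
    if encrypted:
        method = encrypted[0].find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        if method is not None:
            uri = method.get("Algorithm")
            result["algorithm"] = SUPPORTED.get(uri, uri)  # raw URI if unknown
            result["supported"] = uri in SUPPORTED
    return result

# Constructed samples, not captured from a real IdP; CipherValue is a placeholder.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <xenc:CipherData><xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""
PLAINTEXT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0"><saml:Issuer>idp.example</saml:Issuer></saml:Assertion>
</samlp:Response>"""

print(inspect_response(ENCRYPTED_RESPONSE))  # encrypted: True, algorithm: AES-256
print(inspect_response(PLAINTEXT_RESPONSE))  # encrypted: False, plaintext_assertions: 1
```

Run it against the Response captured from your own IdP test login (for example, the base64-decoded SAMLResponse form field) to confirm the settings took effect before enabling the partner for users.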