Some of our customers are asking for SAML 2.1 (ADFS 3.0) support. Since 9.0.1 FP3 supports SHA-2 certificates, which are required by SAML 2.1, it should be possible to use SAML 2.1. Will Domino/Notes support SAML 2.1 in a future release?
Subject: Which version of certificates SHA-1 or SHA-2?
By default, ADFS 3.0 uses SHA-2 certificates. Most of my customers prefer SHA-2 certificates, which is also the default certificate format when they request a new certificate from their CA. Are you using SHA-1 or SHA-2 certificates?
Subject: Which certificates?
I’m not sure which certs you’re referring to. I’m 99 percent sure I’ve used SHA-2 exclusively in this environment, but I can check a particular cert to verify.
Subject: Is SAML 2.1 even a complete spec yet?
It doesn’t appear to be, per the SAML21 page on the SAML Wiki: https://wiki.oasis-open.org/security/SAML21. As far as I know, ADFS 3.0 supports SAML 2.0. I have an operational SAML environment using 9.0.1 and ADFS 3.0 on Windows 2012 R2. Works fine for me.
Subject: I’m not aware of any issues caused by using SHA-2 certs for SAML
In fact, the X.509 certificates are only used to contain the RSA keys when establishing a partnership - the SAML spec allows for raw keys to be used as well as certificates.
Domino’s SAML SP functionality also supports use of SHA-2 for signing Assertions and Responses.
See the SAML section of this article for specifics on supported algorithms:
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/supported-key-sizes-in-notesdomino
And the SAML tag in the Notes/Domino wiki for cookbooks and more.
http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=SAML
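The thread asks whether SHA-1 or SHA-2 is in use and notes that the SP can accept SHA-2 signatures on Assertions and Responses. The question is settled not by the certificate alone but by the SignatureMethod and DigestMethod URIs the IdP actually emits, so here is an added audit script (not from the thread or from IBM) that walks every ds:Signature in a SAML Response and reports which hash family each one uses. The sample Response is constructed for illustration: its outer signature uses RSA-SHA256 while the embedded Assertion still uses RSA-SHA1, the mixed case an ADFS migration can leave behind.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

def hash_family(uri):
    """Classify an XML DSig algorithm URI by the hash it relies on."""
    tail = uri.rsplit("#", 1)[-1].lower()
    if "sha1" in tail:
        return "SHA-1"
    if re.search(r"sha(224|256|384|512)", tail):
        return "SHA-2"
    return "unknown"

def audit_saml_signatures(xml_text):
    """One record per ds:Signature: the element it signs plus the
    SignatureMethod / DigestMethod URIs and their hash families."""
    root = ET.fromstring(xml_text)
    parent = {child: elem for elem in root.iter() for child in elem}
    results = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed = parent.get(sig, root)  # element the signature covers
        method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        sig_uri = method.get("Algorithm", "") if method is not None else ""
        digests = [d.get("Algorithm", "") for d in
                   sig.findall(f".//{{{DS}}}Reference/{{{DS}}}DigestMethod")]
        results.append({
            "signs": signed.tag.split("}")[-1],
            "signature_method": sig_uri,
            "signature_family": hash_family(sig_uri),
            "digest_families": [hash_family(u) for u in digests],
        })
    return results

def uses_sha1(xml_text):
    """True if any signature or digest in the document still depends on SHA-1."""
    return any(r["signature_family"] == "SHA-1" or "SHA-1" in r["digest_families"]
               for r in audit_saml_signatures(xml_text))

# Constructed sample: SHA-256 on the Response, legacy SHA-1 on the Assertion.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_resp1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
```

Run `audit_saml_signatures` over a Response captured from the IdP (or the IdP's metadata) to see per-element algorithms; `uses_sha1` gives a single yes/no for a migration checklist.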