Parameter: SAMLSignAssertions
Short description: Forces Domino, acting as a SAML service provider, to accept only signed assertions.
Profile
| Field | Value |
|---|---|
| Parameter | SAMLSignAssertions |
| Category | Security / TLS |
| Component | Server |
| Available since | 10.0 |
| Supported versions | 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
| GUI equivalent | notes.ini only (no GUI) |
| Possible values | 0 = unsigned allowed, 1 = signature mandatory (recommended) |
Description
During SAML-based web SSO login, the identity provider (e.g. ADFS, Azure AD, Keycloak) sends an assertion to Domino. By default, Domino also accepts unsigned assertions as long as the enclosing response is signed. With SAMLSignAssertions=1, the assertion itself must additionally be XML-signed. This protects against manipulated or replayed assertions in man-in-the-middle scenarios and is a mandatory setting in any production SSO setup.
Example configuration
SAMLSignAssertions=1
Notes & pitfalls
- The IdP must have assertion signing enabled – otherwise all logins will fail.
- Before enabling, capture a test login with DEBUG_SAMLLOGIN=2.
- Pairs with a correct idpcat.nsf setup (IdP certificate registered).
- Affects only web SSO; Notes federated login runs separately.
- The change takes effect after an HTTP task restart.
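To see in a captured test login whether the IdP actually signs the assertion (and not only the enclosing response) before switching the parameter on, the following added example inspects a SAML 2.0 response for enveloped ds:Signature elements. It is not Domino's own code: the function passes_sign_assertions is a hypothetical model of the "signature mandatory" rule, the two sample responses are constructed, and the check is purely structural (it locates signatures, it does not cryptographically verify them).

```python
import xml.etree.ElementTree as ET

# SAML 2.0 and XML-DSig namespace URIs
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def signature_status(response_xml: str) -> dict:
    """Report where ds:Signature elements sit in a samlp:Response.

    Structural check only: an enveloped signature is a ds:Signature that is a
    direct child of the element it covers. Nothing is verified here.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    unsigned = [a for a in assertions if a.find(f"{{{DS}}}Signature") is None]
    return {
        "response_signed": root.find(f"{{{DS}}}Signature") is not None,
        "assertions": len(assertions),
        "unsigned_assertions": len(unsigned),
    }


def passes_sign_assertions(response_xml: str) -> bool:
    """Hypothetical model of SAMLSignAssertions=1: at least one assertion is
    present and every assertion carries its own signature."""
    s = signature_status(response_xml)
    return s["assertions"] > 0 and s["unsigned_assertions"] == 0


# Constructed sample responses (ds:Signature bodies omitted for brevity).
# Only the enclosing response is signed:
RESPONSE_ONLY_SIGNED = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}">
  <ds:Signature/>
  <saml:Assertion ID="_a1"><saml:Subject/></saml:Assertion>
</samlp:Response>"""

# The assertion itself is signed as well:
ASSERTION_SIGNED = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}">
  <ds:Signature/>
  <saml:Assertion ID="_a2"><ds:Signature/><saml:Subject/></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in [("response-only", RESPONSE_ONLY_SIGNED), ("assertion", ASSERTION_SIGNED)]:
        print(name, signature_status(doc), "accepted:", passes_sign_assertions(doc))
```

A response that reports unsigned_assertions greater than zero is the case the parameter turns into a login failure, so fix the IdP's assertion signing first.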