HCL Domino & ADFS – SSO Suddenly stops working

If you are using ADFS with Domino as a Single Sign-On solution, and you get a call from a friendly user telling you that Single Sign-On stopped working, check if you are seeing the following error on the HCL Domino server console:

SECCheckAndParseSAMLResponse> VerifyAssertionSignature : Document has been modified or corrupted since signed! (signature)

If that is the case, check the expiration date of the “Token-decrypting” and “Token-signing” certificate on the ADFS Server. The easiest way to do that is using the ADFS Management Snap-in or ADFS Management Console.

If the secondary “Token-decrypting” and “Token-signing” is going to expire in two weeks or fewer and the ADFS certificate rollover has started, than you have to reimport the FederationMetadata.xml into your HCL Domino servers. Just download the new “FederationMetadata.xml” file according to the official documentation and re-import it into the existing IdP Configuration documents (you may have more than one).

After importing the new “FederationMetadata.xml” file, just refresh the HTTP configuration and restart the HTTP Task on the Domino Server. You can do that using the “tell http refresh” and “tell http restart” commands respectively. That should be it, your SSO solution should be back in business.

UPDATE

As Patrick Schneider mentioned, in the comment section of this post, you can increase the lifetime of the signing and decrypting certificates:

You can define the certificate duration in ADFS using PowerShell (10 years: Set-ADFSProperties -CertificateDuration 3650 and force a manual Certificate Rollover, see https://xenit.se/tech-blog/changing-default-adfs-decrypt-signing-certificate-lifetime-from-1-year-to-x-years/ )
Be aware that this also affect other services that are using ADFS.

@Patrick Schneider, thank you very much for this valuable information!

Advertisement