Sign and Encrypt Federation Messages

Single Sign-On Service › SSO Getting Started Guide › SSO Using Advanced Authentication and Provisioning for a Sensitive Application › Configure an IdP to SP Partnership › Configure the Local IdP-to-Remote SP Partnership › Sign and Encrypt Federation Messages

Sign and Encrypt Federation Messages

Securing an assertion and encrypting data within the assertion is a critical part of partnership configuration. The Signature step (SAML 1.1) and the Signature and Encryption step (SAML 2.0) let you configure signing and encryption of assertions.

For SAML 2.0, you have the option of choosing a signing algorithm for signing tasks. The ability to select an algorithm supports the following use cases:

An IdP-->SP partnership in which the IdP signs assertions, responses and SLO-SOAP messages with the RSAwithSHA1, or the RSAwithSHA256 algorithm.
An SP-->IdP partnership in which the SP signs authentication requests and SLO-SOAP messages with the RSAwithSHA1, or the RSAwithSHA256 algorithm.

Signature verification automatically detects which algorithm is in use on a signed document then verifies it. No configuration for signature verification is required.

Signature Configuration at a SAML 2.0 IdP

The Signature and Encryption step in the partnership wizard lets you define how the product uses private keys and certificates for the following signing functions:

Sign and verify SAML assertions, assertion responses, and authentication requests.
For SAML 2.0 POST binding, you are required to sign assertions.
Sign single logout responses and requests (HTTP-Redirect and SOAP bindings).

There can be multiple private keys and certificates in the certificate data store. If you have multiple federated partners, you can use a different key pair for each partner.

Note: If the system is operating in FIPS_COMPAT or FIPS_MIGRATE mode, all certificate and key entries are available from the pull-down list. If the system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.

To configure signing options

Select the Signature and Encryption step in the partnership wizard.
In the Signature section, select an alias for the Signing Private Key Alias field. If there is no private key available, click Import to import one. Or, click Generate to create a certificate request.
By completing this field, you are indicating which private key the asserting party uses to sign assertions, single logout requests and responses.

Note: click on Help for a description of the fields.
Select the hash algorithm for digital signing in the Signing Algorithm field. The IdP signs assertions, responses and SLO-SOAP messages with the specified algorithm.
Select the algorithm that best suits your application.

RSAwithSHA256 is more secure than RSAwithSHA1 due to the greater number of bits used in the resulting cryptographic hash value.

The system uses the algorithm that you select for all signing functions.
Select an alias from the certificate data store or the Verification Certificate Alias field.
By completing this field, you are indicating which certificate verifies signed authentication requests or single logout requests or responses. If there is no certificate in the database, click Import to import one.
(Optional) Specify Artifact and POST signature options for the assertion or response or both.
(Optional) Specify an SLO SOAP signature option for the logout request, the logout response or both when you are using single logout.
(Optional) Select the check box for Require Signed Authentication Requests. This check box verifies that the asserting party only accepts signed requests from the relying party.
Activate a partnership for all configuration changes to take effect and for the partnership to become available for use. Restarting the services is not sufficient.

If you are using the product in a test environment, you can disable signature processing to simplify testing. Click the Disable Signature Processing check box.

Important! Enable signature processing in a SAML 2.0 production environment.

Encryption Configuration at a SAML 2.0 IdP

The Signature and Encryption step in the Partnership wizard lets you define how the Policy Server uses private keys and certificates to do the following tasks:

Sign and verify SAML assertions, assertion responses, and authentication requests.
For SAML 2.0 POST binding, you are required to sign assertions.
Sign single logout responses and requests (HTTP-Redirect and SOAP bindings).
Encrypt and decrypt entire assertions, Name IDs and attributes.

There can be multiple private keys and certificates in the certificate data store. If you have multiple federated partners, you can use a different key pair for each partner.

To configure encryption options

In the Encryption section, select one or both of the following check boxes to specify the assertion data to be encrypted:
- Encrypt Name ID
- Encrypt Assertion
Select the certificate alias from the certificate data store for the Encryption Certificate Alias.
This certificate encrypts assertion data. If no certificate is available, click Import to import one.
Select values for the Encryption Block Algorithm and Encryption Key Algorithm fields.
For the following block/key algorithm combinations, the minimum key size that is required for the certificate is 1024 bits.
- Encryption Block Algorithm: 3DES
  Encryption Key Algorithm: RSA-OEAP
- Encryption Block Algorithm: AES-256
  Encryption Key Algorithm: RSA-OEAP
  
  Note: To use the AES-256 bit encryption block algorithm, install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. You can download these files from http://java.sun.com/javase/downloads/index.jsp.

The encryption configuration is complete.

Partnership Confirmation

Review the partnership configuration before saving it.

Follow these steps:

Review the settings in the Confirm step of the Partnership wizard.
Click Modify in each group box to change any settings.
Click Finish when you are satisfied with the configuration.

The partnership configuration is complete.