
Signature and Encryption Tasks at a SAML 2.0 SP

In the Signature and Encryption step, define which private keys and certificates Federation Manager uses at the SP to sign outgoing messages, verify signatures on incoming messages, and decrypt encrypted assertion data.

The certificate data store holds multiple private keys and certificates. If you have multiple federated partners, you can use a different key pair for each partner, which limits the impact if one key is compromised or has to be rotated.

Note: For a Federation Manager system operating in FIPS_COMPAT or FIPS_MIGRATE mode, all certificate and key entries are available from pull-down lists. If your system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.

Signing Options

Follow these steps:

  1. Select the Signature and Encryption step in the Partnership wizard.
  2. In the Signature section, select an alias for the Signing Private Key Alias field. If there is no private key in the certificate data store, import one or generate a certificate request.

    By completing this field, you indicate which private key the SP (the relying party) uses to sign authentication requests and single logout requests and responses. The IdP verifies these signatures with the matching public certificate, so the partner must hold that certificate.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  3. Select the signature algorithm in the Signing Algorithm field. The SP signs authentication requests and SLO SOAP messages with the specified algorithm.

    Select an algorithm that the partner IdP can verify; both sides must support it.

    RSAwithSHA256 is the stronger choice. SHA-1 has known collision attacks and is deprecated for digital signatures, whereas SHA-256 produces a 256-bit digest with no practical attack known. Use RSAwithSHA1 only when a partner cannot verify SHA-256 signatures.

    SiteMinder uses the algorithm that you select for all signing functions.

  4. Select an alias for the Verification Certificate Alias field.

    By completing this field, you indicate which certificate the SP (the relying party) uses to verify signed assertions or single logout requests and responses. This is the public certificate of the asserting party (the IdP), not the SP's own signing certificate. If there is no certificate in the certificate data store, click Import to import one.

  5. (Optional) To sign authentication requests, select the Sign Authentication Requests check box. If the remote asserting party requires signed authentication requests, this option is mandatory.
  6. Activate a partnership for all configuration changes to take effect and for the partnership to become available for use.

Important! Signature processing must be enabled in a SAML 2.0 production environment. The Disable Signature Processing check box turns off signature verification, so the SP would accept forged assertions and logout messages from anyone. Check it only in a test environment to simplify troubleshooting, and clear it before the partnership goes into production.

Encryption Options

Follow these steps:

  1. In the Encryption section, select one or both of the following check boxes for data that you want encrypted by the IdP:

    Note: To use the AES-256 block cipher on a JRE that ships with the limited cryptographic policy, install the Sun Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. Download these files from http://java.sun.com/javase/downloads/index.jsp. Java 8u161 and later, and Java 9 and later, enable the unlimited policy by default.

  2. Select the alias for the Decryption Private Key Alias field.

    This private key decrypts any encrypted assertion data that the IdP sends. It must be the private key that pairs with the encryption certificate you gave the IdP; a mismatch causes every encrypted assertion to fail decryption. If there is no private key in the data store, import one or generate a certificate request.

The signing and encryption configuration is complete.
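As an added example (not Federation Manager code and not part of this documentation), the following standard-library Python script audits a captured SAML 2.0 Response for the algorithm choices that the Signing Options and Encryption Options steps above govern: whether the message is signed at all, whether RSAwithSHA1 or SHA-1 digests are still in use, and which data-encryption and key-transport algorithms protect the assertion. The Response skeleton, the idp.example.com and sp.example.com URLs, and the algorithm combinations are constructed for the example; signature and cipher values are placeholders, and the script neither verifies signatures nor decrypts anything.

```python
"""Audit the XML-DSig / XML-Enc algorithm URIs in a captured SAML 2.0 Response.

Added example, not Federation Manager code. Standard library only. The
Response skeleton below is constructed for this example; signature and
cipher values are placeholders, and nothing is verified or decrypted.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Algorithm identifiers defined by XML Signature and XML Encryption.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
AES256_GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
RSA_15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"

WEAK = {
    RSA_SHA1: "SHA-1 is deprecated for signatures (collision attacks)",
    SHA1: "SHA-1 reference digest",
    RSA_15: "PKCS#1 v1.5 key transport is exposed to padding-oracle attacks",
}
ACCEPTED = {RSA_SHA256, SHA256, AES128_CBC, AES256_CBC, AES256_GCM, RSA_OAEP}
# These elements carry canonicalization/transform URIs, not cipher or hash strength.
SKIP = {"CanonicalizationMethod", "Transform"}


def audit(xml_text):
    """Return a list of (severity, element, algorithm) findings; empty means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = root.find("saml:Assertion/ds:Signature", NS) is not None
    if not (response_signed or assertion_signed):
        # A signature inside an EncryptedAssertion is only checkable after
        # decryption, so an unsigned Response with no plaintext signed
        # Assertion gives the SP nothing to verify up front.
        findings.append(("MISSING", "Signature", None))
    for el in root.iter():
        alg = el.get("Algorithm")
        local = el.tag.rpartition("}")[2]  # strip the namespace URI
        if alg is None or local in SKIP:
            continue
        if alg in WEAK:
            findings.append(("WEAK", local, alg))
        elif alg not in ACCEPTED:
            findings.append(("UNKNOWN", local, alg))
    return findings


def sample_response(sig_alg, digest_alg, data_alg, key_alg, signed=True):
    """Constructed Response: signed at the Response level, assertion encrypted."""
    signature = f"""
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI="#_resp1">
      <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms>
      <ds:DigestMethod Algorithm="{digest_alg}"/><ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>""" if signed else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>{signature}
  <saml:EncryptedAssertion><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="{data_alg}"/>
    <ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{key_alg}"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""


# A legacy partner still sending RSA-SHA1, SHA-1 digests and RSA-1.5 key transport...
LEGACY = sample_response(RSA_SHA1, SHA1, AES128_CBC, RSA_15)
# ...versus the configuration this page recommends: RSAwithSHA256 and AES-256.
HARDENED = sample_response(RSA_SHA256, SHA256, AES256_CBC, RSA_OAEP)

if __name__ == "__main__":
    for name, doc in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, audit(doc) or "clean")
```

The algorithm URIs inside a message are chosen by whoever produced it, so this audit is a configuration and drift check, not a security control: it tells you which settings the partner IdP is actually using before you agree on RSAwithSHA256 and AES-256, and it catches a partner that quietly falls back to SHA-1. Enforcement remains the SP's own signature verification with the Verification Certificate and decryption with the Decryption Private Key, which is why Disable Signature Processing must never be left on in production.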