
Signature and Encryption Tasks at a SAML 2.0 IdP

In the Signature and Encryption step, define how Federation Manager uses private keys and certificates to do the following tasks:

The certificate data store holds multiple private keys and certificates. If you have multiple federated partners, you can use a different key pair for each partner.

Note: For a Federation Manager system operating in FIPS_COMPAT or FIPS_MIGRATE mode, all certificate and key entries are available from pull-down lists. If your system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.

Signing Options

Follow these steps:

  1. Select the Signature and Encryption step in the Partnership wizard.
  2. In the Signature section, select an alias for the Signing Private Key Alias field. If there is no private key in the certificate data store, import one or generate a certificate request.

    By completing this field, you are indicating which private key the asserting party uses to sign assertions and single logout requests and responses.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  3. Select the hash algorithm for digital signing in the Signing Algorithm field. The IdP signs assertions, responses and SLO-SOAP messages with the specified algorithm.

    Select the algorithm that best suits your application.

    RSAwithSHA256 is more secure than RSAwithSHA1 due to the greater number of bits used in the resulting cryptographic hash value.

    SiteMinder uses the algorithm that you select for all signing functions.

  4. Select an alias for the Verification Certificate Alias field.

    By completing this field, you are indicating which certificate verifies signed authentication requests and signed single logout requests or responses from the relying party. If there is no certificate in the certificate data store, import one.

  5. (Optional) Specify the Artifact and POST signature options: sign the assertion, the response, or both.
  6. (Optional) Specify an SLO SOAP signature option for the logout request, the logout response or both when you are using single logout.
  7. (Optional) Select the check box for Require Signed Authentication Requests so the asserting party only accepts signed requests from the relying party.
  8. Activate a partnership for all configuration changes to take effect and for the partnership to become available for use.

Important! Signature processing must be enabled in a SAML 2.0 production environment. However, in a test environment, select the Disable Signature Processing check box to simplify testing.

Encryption Options

Follow these steps:

  1. In the Encryption section, select one or both of the following check boxes to specify the assertion data to be encrypted:
  2. Select the certificate alias for the Encryption Certificate Alias.

    This certificate encrypts assertion data. If there is no certificate in the certificate data store, import one.

  3. Choose values for the Encryption Block Algorithm and Encryption Key Algorithm fields.

    Important! For the following block/key algorithm combinations, the minimum key size that is required for the certificate is 1024 bits.

  4. Activate a partnership for all configuration changes to take effect and for the partnership to become available for use.

The signing and encryption configuration is complete.
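The signing options above (which elements the IdP signs, and with which algorithm) and the encryption options (block and key algorithms for the encrypted assertion) both end up as algorithm URIs in the SAML Response the SP receives. The following is an added example, not part of the Federation Manager documentation or product: it parses a SAML 2.0 Response with the Python standard library, reports the signature and encryption algorithms in use, and flags RSAwithSHA1 and other weak choices. The algorithm URIs are the standard XML-DSig/XML-Enc identifiers; the response skeleton is constructed for illustration and is not a valid signed message.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Standard algorithm identifiers that a production partnership should not use.
WEAK = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSAwithSHA1 signature",
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": "RSA PKCS#1 v1.5 key transport",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "3DES block cipher",
}

def _sig_alg(element):
    """SignatureMethod URI of a ds:Signature directly under element, else None."""
    node = element.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return node.get("Algorithm") if node is not None else None

def inspect_response(xml_text):
    """Report which parts of a SAML 2.0 Response are signed/encrypted and how."""
    root = ET.fromstring(xml_text)
    report = {"response_sig": _sig_alg(root), "assertion_sig": None,
              "block_alg": None, "key_alg": None, "weak": []}
    assertion = root.find("saml:Assertion", NS)          # plaintext assertion
    if assertion is not None:
        report["assertion_sig"] = _sig_alg(assertion)
    enc = root.find("saml:EncryptedAssertion", NS)       # encrypted assertion
    if enc is not None:
        block = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        key = enc.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        report["block_alg"] = block.get("Algorithm") if block is not None else None
        report["key_alg"] = key.get("Algorithm") if key is not None else None
    for alg in (report["response_sig"], report["assertion_sig"],
                report["block_alg"], report["key_alg"]):
        if alg in WEAK:
            report["weak"].append(WEAK[alg])
    return report

# Constructed skeleton: response signed with RSAwithSHA256, assertion encrypted
# with AES-256-CBC but the key transported with RSA 1.5 (flagged as weak).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
 <saml:EncryptedAssertion><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
  </xenc:EncryptedKey></ds:KeyInfo>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(inspect_response(SAMPLE))
```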