Federation Manager Guide › Federation Partnerships › Assertion Security with Digital Signatures and Encryption › Signature and Encryption Tasks at a SAML 2.0 IdP

Signature and Encryption Tasks at a SAML 2.0 IdP

The Signature and Encryption step in the Partnership wizard lets you define how Federation Manager uses private keys and certificates to do the following:

• Sign and verify SAML assertions, assertion responses, and authentication requests.

  Note: For SAML 2.0 POST binding, you are required to sign assertions.

• Sign single logout responses and requests (HTTP-Redirect and SOAP bindings).
• Encrypt and decrypt entire assertions, Name IDs and attributes.

There can be multiple private keys and certificates in the key database. If you have multiple federated partners, you can use a different key pair for each partner.

Note: For a Federation Manager system operating in FIPS_COMPAT or FIPS_MIGRATE mode, all FIPS and non-FIPS certificate and key entries in the key database are available in the respective pull-down lists. If your Federation Manager system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.

To configure signing options

1. Begin by selecting the Signature and Encryption step in the Partnership wizard.
2. In the Signature group box, select an alias from the key database for the Signing Private Key Alias field. If there is no private key in the database, click Import to import one or click Generate to create a certificate request.

   By completing this field, you are indicating which private key the asserting party uses to sign assertions, single logout requests and responses.

   Note: You can click Help for a description of fields, controls, and their respective requirements.

3. Select an alias from the key database for the Verification Certificate Alias field.

   By completing this field, you are indicating which certificate verifies signed authentication requests or single logout requests or responses. If there is no certificate in the database, click Import to import one.

4. (Optional) Specify Artifact and POST signature options for the assertion or response or both.
5. (Optional) Specify an SLO SOAP signature option for the logout request, the logout response or both if you are using single logout.
6. (Optional) Select the checkbox for Require Signed Authentication Requests to ensure that the asserting party only accepts signed requests from the relying party.
7. (Optional) If you import a new key in step 3, restart the Federation Manager services for the changes to take place immediately. If you do not restart the services you can wait up to 60 minutes for Federation Manager to become aware of the changes.

   Restart the Federation Manager services according to your platform.

   • Windows

     Use the Federation Manager stop and start shortcuts as follows:

     1. Start, All Programs, CA, FederationManager, Stop services
     2. Start, All Programs, CA, FederationManager, Start services
   • Solaris

     a. Open a command window.

     b. Run the following scripts:

     federation_mgr_home/fedmanager.sh stop

     federation_mgr_home/fedmanager.sh start

     When you run the fedmanager.sh script, it sources the Federation Manager environment script, ca_federation_env.ksh.

     Note: Do not stop and start the services as the root user. You must be a non-root user.

   You have to activate a partnership for all configuration changes to take affect and for the partnership to become available for use. Restarting the services is not sufficient.

If you are using Federation Manager in a test environment, you may want to disable signature processing to simplify testing. Click the Disable Signature Processing checkbox to accomplish this.

Important! Signature processing must be enabled in a SAML 2.0 production environment.

To configure encryption options

1. In the Encryption group box, select one or both of the following check boxes to specify the assertion data to be encrypted:
   • Encrypt Name ID
   • Encrypt Assertion
2. Select the certificate alias from the key database for the Encryption Certificate Alias.

   This certificate encrypts assertion data. If there is no certificate in the database, click Import to import one.

3. Choose values for the Encryption Block Algorithm and Encryption Key Algorithm fields.

   These algorithms are defined by the W3C XML Syntax and Processing standards.

   Important! For the following block/key algorithm combinations, the minimum key size required for the certificate is 1024 bits.

   • Encryption Block Algorithm: 3DES

     Encryption Key Algorithm: RSA-OEAP

   • Encryption Block Algorithm: AES-256

     Encryption Key Algorithm: RSA-OEAP

     Note: To use the AES-256 bit encryption block algorithm, install Sun's Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. You can download these files from http://java.sun.com/javase/downloads/index.jsp.

4. (Optional) If you import a new key in step 2, restart the Federation Manager services for the changes to take place immediately. If you do not restart the services you can wait up to 60 minutes for Federation Manager to become aware of the changes.

   Restart the Federation Manager services according to your platform.

   • Windows

     Use the Federation Manager stop and start shortcuts as follows:

     1. Start, All Programs, CA, FederationManager, Stop services
     2. Start, All Programs, CA, FederationManager, Start services
   • Solaris

     a. Open a command window.

     b. Run the following scripts:

     federation_mgr_home/fedmanager.sh stop

     federation_mgr_home/fedmanager.sh start

     When you run the fedmanager.sh script, it sources the Federation Manager environment script, ca_federation_env.ksh.

     Note: Do not stop and start the services as the root user. You must be a non-root user.

The signing and encryption configuration is complete.

Remember, you always have to activate a partnership for it to be available. Restarting the services does not accomplish this task.