
Signature and Encryption Tasks at a SAML 2.0 SP

The Signature and Encryption step in the Partnership wizard lets you define which private keys and certificates Federation Manager uses at the SP to sign outgoing authentication requests and single logout messages, verify signatures on assertions and single logout messages received from the asserting party, and decrypt encrypted assertion data.

There can be multiple private keys and certificates in the key database. If you have multiple federated partners, you can use a different key pair for each partner.

Note: For a Federation Manager system operating in FIPS_COMPAT or FIPS_MIGRATE mode, all FIPS and non-FIPS certificate and key entries in the key database are available in the respective pull-down lists. If your Federation Manager system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.

To configure signing options

  1. Begin by selecting the Signature and Encryption step in the Partnership wizard.
  2. In the Signature group box, select an alias from the key database for the Signing Private Key Alias field. If there is no private key in the database, click Import to import one or click Generate to create a key pair and generate a certificate request.

    By completing this field, you are indicating which private key the relying party uses to sign authentication requests and single logout requests and responses.

    Note: You can click Help for a description of fields, controls, and their respective requirements.

  3. Select an alias from the key database for the Verification Certificate Alias field.

    By completing this field, you are indicating which certificate the relying party uses to verify signed assertions or single logout requests and responses received from the asserting party. This is the asserting party's certificate, not your own signing certificate. If there is no certificate in the database, click Import to import one.

  4. (Optional) Select the Sign Authentication Requests check box if you want authentication requests to be signed. If the remote asserting party requires signed authentication requests, you must select this option.
  5. (Optional) If you imported a new key or certificate in step 2 or 3, restart the Federation Manager services for the change to take effect immediately. If you do not restart the services, you may have to wait up to 60 minutes for Federation Manager to become aware of the change.

    Restarting the services requires the following:

    You have to activate a partnership for all configuration changes to take effect and for the partnership to become available for use. Restarting the services alone is not sufficient.

If you are using Federation Manager in a test environment, you may want to disable signature processing to simplify testing. Select the Disable Signature Processing check box to do this. With signature processing disabled, Federation Manager no longer checks that assertions and single logout messages were signed by the configured asserting party.

Important! Signature processing must be enabled in a SAML 2.0 production environment.

To configure encryption options

  1. In the Encryption group box, select one or both of the following check boxes to ensure the right data is encrypted in the received assertion:

    Note: To use the AES-256 block encryption algorithm, install Sun's Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. You can download these files from http://java.sun.com/javase/downloads/index.jsp.

  2. Select the alias from the key database for the Decryption Private Key Alias.

    This private key decrypts any encrypted assertion data. If there is no private key in the database, click Import to import one or click Generate to create a key pair and generate a certificate request.

  3. (Optional) If you imported a new key in step 2, restart the Federation Manager services for the change to take effect immediately. If you do not restart the services, you may have to wait up to 60 minutes for Federation Manager to become aware of the change.

    Restarting the services requires the following:

    Note: If you do not run the environment script, you have to navigate to the directory federation_mgr_home/config where the start and stop scripts are located.

The signing and encryption configuration is complete.
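The three aliases configured above map onto three distinct key roles, and the most common misconfiguration is pointing an alias at the wrong party's material (for example, your own certificate in the Verification Certificate Alias field). The Go program below is an added example, not Federation Manager code, that exercises those roles end to end: the SP's private key signs an authentication request, the IdP's certificate (and only that certificate) verifies an assertion signature, and the SP's decryption private key (and only that key) recovers an encrypted assertion. The partner names and messages are constructed; RSA-SHA256 over raw bytes and RSA-OAEP key transport with AES-256-GCM stand in for the XML Signature and XML Encryption processing that the product performs, which this example does not implement.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // setup failures (key generation, cipher construction) are fatal
	if err != nil {
		panic(err)
	}
}

// Party is one partner's key database: a private key that never leaves the host and the certificate it gives partners.
type Party struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewParty stands in for the wizard's Generate button: key pair plus self-signed certificate (no CSR step).
func NewParty(cn string) *Party {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Party{Key: key, Cert: cert}
}

// Sign is the Signing Private Key Alias role: the key owner signs its own outgoing message (RSA-SHA256 over raw bytes).
func (p *Party) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, p.Key, crypto.SHA256, h[:])
}

// Verify is the Verification Certificate Alias role: check against the PARTNER's certificate, never your own.
func Verify(partnerCert *x509.Certificate, msg, sig []byte) error {
	pub := partnerCert.PublicKey.(*rsa.PublicKey) // all certificates here are RSA by construction
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// EncryptedAssertion mirrors SAML's EncryptedKey (RSA-OAEP key transport) plus EncryptedData.
type EncryptedAssertion struct{ EncKey, Nonce, Data []byte }
func aesGCM(cek []byte) cipher.AEAD {
	block, err := aes.NewCipher(cek)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// EncryptFor is the IdP side: it needs only the SP's certificate. AES-256-GCM stands in for the XML Encryption block algorithm.
func EncryptFor(spCert *x509.Certificate, assertion []byte) (*EncryptedAssertion, error) {
	pub := spCert.PublicKey.(*rsa.PublicKey)
	buf := make([]byte, 44) // 32-byte content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	cek, nonce := buf[:32], buf[32:]
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{encKey, nonce, aesGCM(cek).Seal(nil, nonce, assertion, nil)}, nil
}

// Decrypt is the Decryption Private Key Alias role: only the key matching the certificate the IdP encrypted to succeeds.
func (p *Party) Decrypt(ea *EncryptedAssertion) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Key, ea.EncKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key transport failed (wrong decryption key?): %w", err)
	}
	return aesGCM(cek).Open(nil, ea.Nonce, ea.Data, nil)
}

func main() {
	sp, idp := NewParty("sp.example.com"), NewParty("idp.example.org") // constructed partner names
	req := []byte(`<AuthnRequest ID="_req1"/>`)                         // constructed stand-in message
	sig, _ := sp.Sign(req)
	fmt.Println("verify with SP cert:", Verify(sp.Cert, req, sig) == nil, "| with IdP cert (wrong alias):", Verify(idp.Cert, req, sig) == nil)
	ea, _ := EncryptFor(sp.Cert, []byte(`<Assertion ID="_a1"/>`))
	_, spErr := sp.Decrypt(ea)
	_, idpErr := idp.Decrypt(ea)
	fmt.Println("decrypt with SP key:", spErr == nil, "| with IdP key (wrong alias):", idpErr == nil)
}
```

Run it with `go run`. The two failing cases are the ones the wizard cannot catch for you: a signature checked against the wrong party's certificate fails verification, and an assertion encrypted to the SP's certificate cannot be opened with any other private key, which is why the Decryption Private Key Alias must be the key whose certificate you gave the asserting party.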


Copyright © 2010 CA. All rights reserved.