Configure Signature Processing at the IdP

For POST single sign-on, IdP1 is required to sign assertions. It must sign each assertion with a private key stored in its Federation Manager key database.

Note: The example assumes you have a file from which you can import keys and certificates or that you already have private keys and certificates in the Federation Manager key database that you can use for signing and verification tasks.

To configure signing

  1. From the Federation Manager UI, click the Federation tab and select Partnerships.

    The View Federation Partnerships window displays.

  2. Select Action, Deactivate next to the entry for TestPartnership, which is the IdP -> SP partnership.

    You must deactivate a partnership prior to editing it.

  3. Click Action, Edit next to the entry for TestPartnership.

    The dialog for the first step of the Partnership wizard opens.

  4. Click the Signature and Encryption step in the partnership wizard.
  5. In the Signature group box, do the following:
    1. Deselect Disable Signature Processing.
    2. Click Import next to the Signing Private Key Alias field.

      The Import Certificate/Private Key window opens.

  6. Complete the import wizard as follows:
    1. Select the file from which you are importing the private key/certificate pair.
    2. If the file is a PKCS#12 file, supply the password used to encrypt the file. You should already have this password.
    3. Select the certificate entry from the file that you want to import and enter a value for the Alias, such as cert1.
    4. Confirm the selection and click Finish.

    You return to the View Federation Partnerships window.

  7. Select Action, Edit for the partnership entry.
  8. Go to the Signature and Encryption step. The key/certificate pair that you imported is now available from the Signing Private Key Alias drop-down list.
  9. Select the alias you just configured, cert1, and click Next.
  10. Review the settings in the Confirm dialog and click Finish.

    You return to the View Federation Partnerships window.

  11. Reactivate the partnership by selecting Action, Activate next to the TestPartnership entry in the Federation Partnership List.
  12. Restart the Federation Manager services, according to your operating environment.

    Restarting the services makes Federation Manager aware of the changes to signing.

Signature processing is now configured at the IdP.
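Before importing the PKCS#12 file in step 6, it is worth confirming that the file opens with the password you hold, that its private key matches the certificate, and that the certificate is currently valid: a mismatched key would produce assertion signatures the SP cannot verify. The following shell function is an added example, not part of the Federation Manager product or of this guide; it assumes the OpenSSL command-line tool is on the PATH and takes the file path and its password as arguments.

```shell
#!/bin/sh
# check_pkcs12 FILE PASSWORD
# Returns 0 when FILE is a PKCS#12 file that opens with PASSWORD, contains a
# private key whose public half matches the end-entity certificate, and that
# certificate has not expired. Prints a reason on stderr otherwise.
check_pkcs12() {
  p12="$1"
  pass="$2"

  # Public key derived from the private key in the file (key stays in a pipe only).
  key_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout -outform PEM 2>/dev/null) || return 1

  # Public key taken from the end-entity (client) certificate in the file.
  cert_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
             | openssl x509 -pubkey -noout 2>/dev/null) || return 1

  if [ -z "$key_pub" ] || [ -z "$cert_pub" ]; then
    echo "cannot read key or certificate from $p12 (wrong password or bad file?)" >&2
    return 1
  fi

  if [ "$key_pub" != "$cert_pub" ]; then
    echo "private key does not match the certificate in $p12" >&2
    return 1
  fi

  # -checkend 0 succeeds only if the certificate is still valid right now.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkend 0 >/dev/null || {
      echo "certificate in $p12 has expired" >&2
      return 1
    }

  return 0
}
```

Run it as `check_pkcs12 idp1.p12 'the-password'` and import the file only when it returns 0.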

Copyright © 2010 CA. All rights reserved.