The SAML 2.0 authentication scheme configuration includes digital signing options for the following transactions:
By default, signature processing is enabled because the SAML 2.0 specification requires signing. For debugging your initial federation setup only, you can temporarily disable all signature processing for the Service Provider (signing and verification of signatures) by selecting the Disable Signature Processing option. After debugging is complete, reenable signature processing.
Important! If you disable signature processing in a production environment, you are disabling a mandatory security function.
To specify the signing options
The value that you enter for the Issuer DN field must match the issuer DN of the certificate in the certificate data store.
The encryption feature specifies that the authentication scheme processes only an encrypted assertion or Name ID in the assertion.
For added security, the Identity Provider can encrypt the Name ID, user attributes, or the entire assertion. Encryption adds another level of protection when transmitting the assertion. When encryption is enabled at the Identity Provider, the certificate (public key) is used to encrypt the data. When the assertion arrives at the Service Provider, it decrypts the encrypted data with the associated private key.
When you configure encryption at the Session Provider, the assertion must contain an encrypted Name ID or assertion or the Service Provider rejects the assertion.
You can enforce encryption requirements for the assertion.
To enforce encryption requirements
The encryption and signing settings page displays.
You can select the Name ID and the assertion.
Without any encryption requirements, the Service Provider accepts Name IDs and assertions that are encrypted or in clear text.
You can use a custom SAML 2.0 scheme that is written with the CA SiteMinder® Authentication API instead of the existing SAML 2.0 authentication template.
The main authentication scheme page includes the Library field in the Scheme Setup section of the page. This field contains the name of the shared library that processes SAML artifact authentication. Do not change this value unless you have a custom authentication scheme.
The default shared library for HTML Forms authentication is smauthhtml.
Copyright © 2015 CA Technologies.
All rights reserved.
|
|