Federation Guides › Legacy Federation Guide › Key and Certificate Management

Key and Certificate Management

Securing an assertion and encrypting data within the assertion is a critical part of partnership configuration. In a federation environment, key/certificate pairs and standalone certificates serve a number of functions:

• Signing/verification of assertions (all three profiles)
• Signing/verification of authentication requests (SAML 2.0 only)
• Signing/verification of single logout requests and responses (SAML 2.0)
• Signing back channel requests and responses for HTTP-Artifact SSO (SAML 1.1 and 2.0)
• Encryption/decryption of an entire assertion or part of an assertion (SAML 2.0)
• Client credentials across the back channel for artifact single sign–on (SAML 1.1 and 2.0)

The Policy Server Configuration Guide contains overview information and instructions about managing keys and certificates.

You can use SSL server certificates to do the following tasks:

• Manage federation traffic across an SSL connection.
• Secure communication across the back channel for artifact single sign-on.

Refer to instructions for enabling SSL for the web server where the CA SiteMinder® Web Agent is installed.

Note: If you enable SSL, it affects all URLs for all services, even the Base URL parameter. This means that all service URLs must begin with https://.

SAML 2.0 Signing Algorithms

For SAML 2.0, you have the option of choosing a signing algorithm for signing tasks. The ability to select an algorithm supports the following use cases:

• An IdP-->SP partnership in which the IdP signs assertions, responses and SLO-SOAP messages with the RSAwithSHA1, or the RSAwithSHA256 algorithm.
• An SP-->IdP partnership in which the SP signs authentication requests and SLO-SOAP messages with the RSAwithSHA1, or the RSAwithSHA256 algorithm.

Signature verification automatically detects which algorithm is in use on a signed document then verifies it. No configuration for signature verification is required.