The Policy Server can verify the following signed messages:
By default, signature processing is enabled because the SAML 2.0 specification requires it. Always enable signature processing in a production environment.
The Policy Server always signs SAML 2.0 POST responses and single logout requests; signing does not require configuration using the Administrative UI. The only setup that is required for signing is that you add the private key/certificate pair of the signing authority to the certificate data store.
Important! For debugging purposes only, you can temporarily disable all signature processing (both signing and verification of signatures). Select Disable Signature Processing in the Signature section of the Encryption & Signing settings.
To validate signatures of AuthnRequests from a Service Provider, or single logout requests and responses, complete the configuration steps in the Administrative UI.
To set up validation:
The public key must correspond to the private key and certificate that the Service Provider used to do the signing.
If you select this check box, the Identity Provider requires a signed authnrequest and then the IdP validates the signature of the request. If the authnrequest is not signed, the Identity Provider rejects it.
Important: If you sign AuthnRequests, no unsolicited responses can be sent from the Identity Provider.
If you select this check box, the Identity Provider validates the signature of the SLO request and response.
The field values must match the certificate in the certificate data store. The certificate is the one that corresponds to the private key/certificate pair of the authority that signs the requests. To verify that you enter a matching value, view the DN of the certificate.
You can encrypt the Name ID in an assertion or the assertion itself. Encryption adds another level of protection when transmitting the assertion.
When you configure encryption, specify the partner certificate. The certificate is in the assertion. When the assertion arrives at the Service Provider, the Service Provider decrypts the encrypted data using the associated private key.
Note: If you enable encryption, the first federation call can cause the Policy Server memory to increase to load the encryption libraries and allocate additional memory.
To implement encryption
Be aware of the following conditions:
The IssuerDN and Serial Number that you enter must match an IssuerDN and serial number of a key/certificate pair stored in the certificate data store of the Identity Provider.
Before the Policy Server as an IdP processes a request, it validates the message attributes using the local URL for the Federation Web Services application.
For example, an AuthnRequest message from an SP can contain the following attribute:
Destination="http://idp.domain.com:8080/affwebservices/public/saml2sso"
In this example, the destination attribute in the AuthnRequest and the address of the Federation Web Services application are the same. The Policy Server verifies that the destination attribute matches the local URL of the FWS application.
If the Policy Server sits behind a proxy server, the local and destination attribute URLs are not the same. The Destination attribute is the URL of the proxy server. For example, the AuthnRequest can include the following Destination attribute:
Destination="http://proxy.domain.com:9090/affwebservices/public/saml2sso"
The local URL for Federation Web Services, http://idp.domain.com:8080/affwebservices/public/saml2sso, does not match the Destination attribute so the Policy Server denies the request.
You can specify a proxy configuration to alter how the Policy Server determines the local URL for verifying a message attribute. If you specify a proxy, the system replaces the protocol://authority portion of the local URL with the proxy server URL. The result is a match between the two URLs.
The Policy Server can sit behind a proxy server. For this deployment, configure the proxy so that the system finds a match between the URL in a request message attribute and the local proxy URL. There must be a match to process the request. The Policy Server replaces the protocol://authority portion of the local URL with the proxy server URL, which results in a match between the two URLs.
To use a proxy server at the IdP
For example, the proxy server configuration would be:
http://proxy.domain.com:9090
If your network includes the SPS federation gateway, the Server field must specify the SPS federation gateway host and port, for example,
http://sps_gateway_server.ca.com:9090
The value that you enter for the Server field affects the URLs for the following IdP services:
The Server value becomes part of the URL used to verify SAML attributes like the Destination attribute. If you are using a proxy server for one URL, use it for all these URLs.
Copyright © 2014 CA.
All rights reserved.
|
|