

Digital Signing Options at the Service Provider

The SAML 2.0 authentication scheme configuration includes digital signing options for the following transactions:

By default, signature processing is enabled because the SAML 2.0 specification requires signing. For debugging your initial federation setup only, you can temporarily disable all signature processing for the Service Provider (both signing and verification of signatures) by selecting the Disable Signature Processing option. After debugging is complete, re-enable signature processing.

Important! If you disable signature processing in a production environment, you are disabling a mandatory security function.

To specify the signing options

  1. Navigate to the SAML 2.0 authentication scheme.
  2. Click SAML 2.0 Configuration, Encryption & Signing.
  3. Complete the fields in the D-sig Info section. Note the following information:
  4. Complete the settings in the Signature Processing section of the dialog.
  5. For HTTP-Artifact single sign-on only, configure the back channel settings.
  6. Click OK.

Enforce Assertion Encryption Requirements for Single Sign-on

The encryption feature specifies that the authentication scheme processes only an encrypted assertion or Name ID in the assertion.

For added security, the Identity Provider can encrypt the Name ID, user attributes, or the entire assertion. Encryption adds another level of protection when transmitting the assertion. When encryption is enabled at the Identity Provider, the Service Provider's certificate (public key) is used to encrypt the data. When the assertion arrives at the Service Provider, the Service Provider decrypts the encrypted data with the associated private key.

When you configure encryption requirements at the Service Provider, the assertion must contain an encrypted Name ID or be an encrypted assertion; otherwise the Service Provider rejects the assertion.

Set Up Encryption for SSO

You can enforce encryption requirements for the assertion.

To enforce encryption requirements

  1. Navigate to the SAML 2.0 authentication scheme.
  2. Click SAML 2.0 Configuration, Encryption & Signing.

    The encryption and signing settings page displays.

  3. To require an encrypted Name ID, select the Require Encrypted Name ID check box.
  4. To require an encrypted assertion, select the Require Encrypted Assertion check box.

    You can select both the Name ID and the assertion.

  5. (Optional) Specify an alias for the private key that decrypts any encrypted data in the assertion received from the Identity Provider.
  6. Click OK to save your changes.

Without any encryption requirements, the Service Provider accepts Name IDs and assertions that are encrypted or in clear text.
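The following check illustrates what the Require Encrypted Name ID, Require Encrypted Assertion and Disable Signature Processing settings enforce on an incoming SAML 2.0 Response. It is an added example, not SiteMinder code; the SpPolicy class, check_response function and the sample Response documents are constructed for illustration, and the signature check only tests for the presence of an XML signature (real verification against the Identity Provider's certificate, and the checks inside an encrypted assertion, happen after decryption with the Service Provider's private key).

```python
"""Evaluate a SAML 2.0 Response against Service Provider encryption and
signature-presence requirements (added illustration, not product code)."""
from dataclasses import dataclass
from typing import List
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass
class SpPolicy:
    """Hypothetical mirror of the three check boxes on the SP scheme page."""
    require_encrypted_assertion: bool = False
    require_encrypted_name_id: bool = False
    disable_signature_processing: bool = False  # debugging only, never in production


def check_response(xml_text: str, policy: SpPolicy) -> List[str]:
    """Return the reasons the Response would be rejected; an empty list means
    the Response satisfies the policy's structural requirements."""
    root = ET.fromstring(xml_text)
    reasons: List[str] = []
    encrypted = root.find("saml:EncryptedAssertion", NS)
    clear = root.find("saml:Assertion", NS)
    if encrypted is None and clear is None:
        return ["no Assertion or EncryptedAssertion in Response"]
    if policy.require_encrypted_assertion and encrypted is None:
        reasons.append("assertion is clear text but Require Encrypted Assertion is set")
    if clear is not None:
        # The Name ID is only visible on a clear-text assertion; an encrypted
        # assertion hides it until the SP private key has decrypted it.
        subject = clear.find("saml:Subject", NS)
        enc_id = subject.find("saml:EncryptedID", NS) if subject is not None else None
        if policy.require_encrypted_name_id and enc_id is None:
            reasons.append("Name ID is clear text but Require Encrypted Name ID is set")
        if not policy.disable_signature_processing:
            signed = (root.find("ds:Signature", NS) is not None
                      or clear.find("ds:Signature", NS) is not None)
            if not signed:
                reasons.append("no XML signature on Response or Assertion")
    return reasons


# Constructed sample Responses (not captured from any deployment).
_HDR = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">')

SIGNED_CLEAR_RESPONSE = _HDR + """
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

UNSIGNED_CLEAR_RESPONSE = _HDR + """
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

ENCRYPTED_ID_RESPONSE = _HDR + """
  <saml:Assertion ID="_a3" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:EncryptedID><xenc:EncryptedData/></saml:EncryptedID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

ENCRYPTED_ASSERTION_RESPONSE = _HDR + """
  <saml:EncryptedAssertion><xenc:EncryptedData/></saml:EncryptedAssertion>
</samlp:Response>"""


if __name__ == "__main__":
    strict = SpPolicy(require_encrypted_assertion=True, require_encrypted_name_id=True)
    for name, doc in [("signed clear", SIGNED_CLEAR_RESPONSE),
                      ("unsigned clear", UNSIGNED_CLEAR_RESPONSE),
                      ("encrypted NameID", ENCRYPTED_ID_RESPONSE),
                      ("encrypted assertion", ENCRYPTED_ASSERTION_RESPONSE)]:
        print(name, "default policy:", check_response(doc, SpPolicy()) or "accept")
        print(name, "strict policy: ", check_response(doc, strict) or "accept")
```

With the default policy, both clear-text and encrypted forms pass, matching the statement above that the Service Provider accepts either when no requirement is set; the unsigned Response is rejected unless Disable Signature Processing is set, which is why that option is for initial debugging only.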

Create a Custom SAML 2.0 Authentication Scheme (optional)

You can use a custom SAML 2.0 scheme that is written with the CA SiteMinder® Authentication API instead of the existing SAML 2.0 authentication template.

The main authentication scheme page includes the Library field in the Scheme Setup section of the page. This field contains the name of the shared library that processes SAML artifact authentication. Do not change this value unless you have a custom authentication scheme.

The default shared library for HTML Forms authentication is smauthhtml.