Securing an assertion and encrypting data within the assertion is a critical part of partnership configuration. In a federation environment, key/certificate pairs and standalone certificates serve a number of functions:
The Policy Server Configuration Guide contains information and instructions about managing keys and certificates.
You can use SSL server certificates to do the following tasks:
Refer to instructions for enabling SSL for the web server where the CA SiteMinder® Web Agent is installed.
Note: If you enable SSL, it affects all URLs for all services, even the Base URL parameter. This means that all service URLs must begin with https://.
SAML 2.0 Signing Algorithms
For SAML 2.0, you have the option of choosing a signing algorithm for signing tasks. The ability to select an algorithm supports the following use cases:
Signature verification automatically detects which algorithm is in use on a signed document then verifies it. No configuration for signature verification is required.
The Signature step lets you define how the Policy Server uses private keys and certificates to sign SAML assertion or WS-Federation token responses. For SAML 1.1, you can elect to sign only assertions instead of the assertion response.
SAML 1.1 and WS-Federation do not support encryption.
There can be multiple private keys and certificates in the certificate data store. If you have multiple federated partners, you can use a different key pair for each partner.
Note: If the system is operating in FIPS_COMPAT or FIPS_MIGRATE mode, all certificate and key entries are available from the pull-down list. If the system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.
Follow these steps:
If there is no private key in the certificate data store, click Import to import a key. Alternatively, click Generate to create a certificate request.
By completing this field, you are indicating which private key the asserting party uses to sign assertions and responses.
If you are using CA SiteMinder® in a test environment, you can disable signature processing to simplify testing. Click the Disable Signature Processing check box.
Signature configuration is complete.
The Signature step lets you define how the Policy Server uses private keys and certificates to verify SAML assertion or WS-Federation token responses. For SAML 1.1, you can elect to verify only assertions.
SAML 1.1 and WS-Federation do not support encryption.
There can be multiple private keys and certificates in the certificate data store. If you have multiple federated partners, you can use a different key pair for each partner.
Note: If the system is operating in FIPS_COMPAT or FIPS_MIGRATE mode, all certificate and key entries are available from the pull-down list. If the system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.
Follow these steps:
By completing this field, you are indicating which certificate verifies signed assertions or responses or both. If there is no certificate in the certificate data store, click Import to import one. Alternatively, click Generate to create a certificate request.
Note: If you are using the product in a test environment, you can disable signature processing to simplify testing. Click the Disable Signature Processing check box.
Signature configuration is complete.
The Signature and Encryption step in the partnership wizard lets you define how the product uses private keys and certificates for the following signing functions:
For SAML 2.0 POST binding, you are required to sign assertions.
There can be multiple private keys and certificates in the certificate data store. If you have multiple federated partners, you can use a different key pair for each partner.
Note: If the system is operating in FIPS_COMPAT or FIPS_MIGRATE mode, all certificate and key entries are available from the pull-down list. If the system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.
To configure signing options
By completing this field, you are indicating which private key the asserting party uses to sign assertions, single logout requests and responses.
Note: click on Help for a description of the fields.
Select the algorithm that best suits your application.
RSAwithSHA256 is more secure than RSAwithSHA1 due to the greater number of bits used in the resulting cryptographic hash value.
The system uses the algorithm that you select for all signing functions.
By completing this field, you are indicating which certificate verifies signed authentication requests or single logout requests or responses. If there is no certificate in the database, click Import to import one.
Activate a partnership for all configuration changes to take effect and for the partnership to become available for use. Restarting the services is not sufficient.
If you are using the product in a test environment, you can disable signature processing to simplify testing. Click the Disable Signature Processing check box.
Important! Enable signature processing in a SAML 2.0 production environment.
The Signature and Encryption step in the Partnership wizard lets you define how the Policy Server uses private keys and certificates to do the following tasks:
For SAML 2.0 POST binding, you are required to sign assertions.
There can be multiple private keys and certificates in the certificate data store. If you have multiple federated partners, you can use a different key pair for each partner.
To configure encryption options
This certificate encrypts assertion data. If no certificate is available, click Import to import one.
For the following block/key algorithm combinations, the minimum key size that is required for the certificate is 1024 bits.
Encryption Key Algorithm: RSA-OEAP
Encryption Key Algorithm: RSA-OEAP
Note: To use the AES-256 bit encryption block algorithm, install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. You can download these files from http://java.sun.com/javase/downloads/index.jsp.
The encryption configuration is complete.
The Signature and Encryption step in the partnership wizard lets you define how the Policy Server uses private keys and certificates to do the following tasks:
Note: For SAML 2.0 POST binding, the IdP is required to sign assertions.
There can be multiple private keys and certificates in the certificate data store. If you have multiple federated partners, you can use a different key pair for each partner.
Note: If the system is operating in FIPS_COMPAT or FIPS_MIGRATE mode, all certificate and key entries are available from the pull-down list. If the system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.
To configure signing options
By completing this field, you are indicating which private key the relying party uses to sign authentication requests and single logout requests and responses.
Note: Click Help for a description of fields, controls, and their respective requirements.
Select the algorithm that best suits your application.
RSAwithSHA256 is more secure than RSAwithSHA1 due to the greater number of bits used in the resulting cryptographic hash value.
CA SiteMinder® uses the algorithm that you select for all signing functions.
By completing this field, you are indicating which certificate the relying party uses to verify signed assertions or single logout requests and responses. If there is no certificate in the database, click Import to import one.
Activate a partnership for all configuration changes to take effect and for the partnership to become available for use. Restarting the services is not sufficient.
If you are using CA SiteMinder® in a test environment, you can disable signature processing to simplify testing. Click the Disable Signature Processing check box to disable the feature.
Important! Enable signature processing in a SAML 2.0 production environment.
The Signature and Encryption step lets you configure how the SP uses private keys and certificates, including encrypting and decrypting assertions, Name IDs, and attributes.
There can be multiple private keys and certificates in the certificate data store. If you have multiple federated partners, you can use a different key pair for each partner.
Note: If the system is operating in FIPS_COMPAT or FIPS_MIGRATE mode, all certificate and key entries are available from the pull-down list. If the system is operating in FIPS-Only mode, only FIPS-approved certificate and key entries are available.
To configure encryption options
Note: To use the AES-256 bit encryption block algorithm, install the Sun Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. You can download these files from http://java.sun.com/javase/downloads/index.jsp.
This private key decrypts any encrypted assertion data. If no certificate available, click Import to import one or click Generate to create a key pair and generate a certificate request.
The encryption configuration is complete.
Copyright © 2014 CA.
All rights reserved.
|
|