Federation Guides › Legacy Federation Guide › Configure CA SiteMinder® as a SAML 2.0 Service Provider › Digital Signing Options at the Service Provider

Digital Signing Options at the Service Provider

The SAML 2.0 authentication scheme configuration includes digital signing options for the following transactions:

• Authentication requests
• Single logout requests and responses
• Artifact resolve messages—for resolution of a SAML artifact to retrieve the assertion.
• Attribute queries—for authorizations taking place between an Attribute Authority (IdP) and a SAML Requester(SP).

By default, signature processing is enabled because the SAML 2.0 specification requires signing. For debugging your initial federation setup only, you can temporarily disable all signature processing for the Service Provider (signing and verification of signatures) by selecting the Disable Signature Processing option. After debugging is complete, reenable signature processing.

Important! If you disable signature processing in a production environment, you are disabling a mandatory security function.

To specify the signing options

1. Navigate to the SAML 2.0 authentication scheme.
2. Click SAML 2.0 Configuration, Encryption & Signing.
3. Complete the fields in the D-sig Info section. Note the following information:
   • For HTTP-POST (single sign-on), enter information about the certificate that validates the signature of the posted assertion. The Issuer DN and the Serial Number together identify the certificate corresponding to the private key the IdP used to sign the assertion.

     The value that you enter for the Issuer DN field must match the issuer DN of the certificate in the certificate data store.

   • For HTTP-Redirect (single logout), enter information about the certificate that validates the signature of the SLO request.
4. Complete the settings in the Signature Processing section of the dialog.

   Note: Click Help for a description of fields, controls, and their respective requirements.

5. For HTTP-Artifact single sign-on only, configure the back channel settings.
6. Click OK.