

Enable Signature Processing

Digitally signing assertions is required for SAML 2.0 HTTP-POST single sign-on. For signing and verification tasks, CA SiteMinder® uses a private key/certificate pair.

Before any transaction or runtime actions, an administrator at IdP1 sends SP1 a file that contains a certificate (public key). This certificate corresponds to the private key that IdP1 uses to sign assertions. An administrator at SP1 adds the certificate to its certificate data store.

When the single sign-on transaction occurs, IdP1 signs the assertion with its private key. SP1 receives the assertion and verifies the assertion signature using the certificate in its certificate data store.

Configure Signature Processing at the IdP

For HTTP-POST single sign-on, IdP1 is required to sign assertions, using a private key stored in its certificate data store.

Note: The example assumes that you have a file from which you can import a key/certificate pair. Alternatively, a private key/certificate pair is already in the certificate data store.

To configure signing

  1. Select Federation, Partnership Federation, Partnerships.
  2. Select Action, Deactivate next to the entry for TestPartnership, which is the IdP ->SP partnership.

    Deactivation is required before editing.

  3. Click Action, Modify next to the TestPartnership entry.

    The partnership wizard opens.

  4. Select the Signature and Encryption step.
  5. In the Signature section, complete the following tasks:
    1. Clear Disable Signature Processing.
    2. Click Import next to the Signing Private Key Alias field.

      The Import Certificate/Private Key window opens.

  6. Complete the import wizard as follows:
    1. Select the file from where you are importing the private key/certificate pair.
    2. For a PKCS#12 file, supply the password that encrypts the file. You already have this password.
    3. Select the certificate entry from the file that you want to import and enter a value for the Alias, such as cert1.
    4. Confirm the selection and click Finish.

    You return to the Federation Partnerships list.

  7. Select Action, Modify for the partnership entry.
  8. Go to the Signature and Encryption step. In the dialog, notice that the key/certificate that you imported is now available from the Signing Private Key Alias drop-down list.
  9. Select the alias, cert1, and click Next.
  10. Review the settings in the Confirm dialog and click Finish.

    You return to the Partnerships window.

  11. Reactivate the partnership by selecting Action, Activate next to the TestPartnership entry.

Signature processing is now configured at the IdP.

Configure Signature Processing at the SP

SP1 is required to verify the signature of an assertion. Before a transaction, SP1 has received the certificate (public key) from IdP1. This certificate is for the private key IdP1 used to sign the assertion. This certificate is imported into the SP1 certificate data store.

To configure signature verification

  1. Select Federation, Partnership Federation, Partnerships.

    The Partnerships window opens.

  2. Select Action, Deactivate next to the entry for DemoPartnership.

    Deactivation is required before editing.

  3. Click Action, Modify next to the DemoPartnership entry.

    The partnership wizard opens.

  4. Select the Signature and Encryption step.
  5. In the Signature section, complete the following tasks:
    1. Clear Disable Signature Processing.
    2. Click Import next to the Verification Certificate Alias field.

      The Import Certificate/Private Key window opens.

  6. Complete the import wizard as follows:
    1. Select the file from where you are importing the certificate.
    2. Select the certificate entry from the file that you want to import and enter a value for the Alias, such as cert1.
    3. Confirm the selection and click Finish.

    You return to the Federation Partnership List.

  7. Select Action, Modify for the partnership entry.
  8. Go to the Signature and Encryption step. In the dialog, notice that the certificate that you imported is now available from the Verification Certificate Alias drop-down list.
  9. Select the alias, cert1, for the certificate and click Next.
  10. Review the settings in the Confirm dialog and click Finish.

    You return to the Partnerships window.

  11. Reactivate the partnership by selecting Action, Activate next to the DemoPartnership entry.

Signature verification is now configured at the SP.
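The key material flow described at the top of this page and in the two import procedures, reproduced with OpenSSL as an added example (this is not CA SiteMinder code; the file names, the PKCS#12 password and the assertion text are constructed):

```shell
#!/bin/sh
# Added example, not from the CA SiteMinder documentation. It models the key material
# flow described on this page with OpenSSL: IdP1 holds a password-protected PKCS#12
# file (private key + certificate, alias cert1); SP1 receives only the certificate.
# IdP1 signs the assertion with its private key; SP1 verifies with the certificate.
# All file names, the password and the assertion text are constructed.
set -eu

WORK=$(mktemp -d)
P12_PASS='constructed-demo-password'   # password that encrypts the PKCS#12 file

# IdP1: create the private key/certificate pair and bundle it as PKCS#12, which is
# the file the IdP administrator imports under the Signing Private Key Alias.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/idp1.key" -out "$WORK/idp1.crt" \
  -subj "/CN=IdP1 signing (constructed)" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/idp1.key" -in "$WORK/idp1.crt" \
  -name cert1 -passout "pass:$P12_PASS" -out "$WORK/idp1.p12"

# Out of band, before any transaction: IdP1 exports only the certificate (public key).
# This is the file SP1 imports under the Verification Certificate Alias.
openssl pkcs12 -in "$WORK/idp1.p12" -passin "pass:$P12_PASS" -nokeys -clcerts \
  -out "$WORK/sp1_trusted_idp1.crt" 2>/dev/null

# Constructed stand-in for the assertion that is signed at single sign-on time.
printf '<saml:Assertion ID="_constructed" Issuer="IdP1">subject=alice</saml:Assertion>' \
  > "$WORK/assertion.xml"

# IdP1 side: unlock the private key from the PKCS#12 file and sign the assertion.
idp_sign() {
  openssl pkcs12 -in "$WORK/idp1.p12" -passin "pass:$P12_PASS" -nocerts -nodes \
    -out "$WORK/idp1_signing.key" 2>/dev/null
  openssl dgst -sha256 -sign "$WORK/idp1_signing.key" -out "$WORK/assertion.sig" "$1"
}

# SP1 side: verify with the public key taken from the trusted certificate only.
# Exit status 0 means the signature is valid; anything else must reject the assertion.
sp_verify() {
  openssl x509 -in "$WORK/sp1_trusted_idp1.crt" -pubkey -noout > "$WORK/idp1.pub"
  openssl dgst -sha256 -verify "$WORK/idp1.pub" -signature "$WORK/assertion.sig" "$1" \
    >/dev/null 2>&1
}

idp_sign "$WORK/assertion.xml"
sp_verify "$WORK/assertion.xml" && echo "SP1: signature valid, assertion accepted"

# Any change to the signed assertion, however small, must fail verification at SP1.
sed 's/alice/bob/' "$WORK/assertion.xml" > "$WORK/tampered.xml"
sp_verify "$WORK/tampered.xml" || echo "SP1: signature invalid, assertion rejected"
```

SiteMinder applies this same check to the XML signature inside the SAML response; the script only isolates the trust relationship between the imported PKCS#12 file at the IdP and the certificate-only import at the SP.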