Previous Topic: Digital Signing Options at the Service ProviderNext Topic: Create a Custom SAML 2.0 Authentication Scheme (optional)

Federation GuidesLegacy Federation GuideConfigure CA SiteMinder® as a SAML 2.0 Service ProviderEnforce Assertion Encryption Requirements for Single Sign-on

Enforce Assertion Encryption Requirements for Single Sign-on

The encryption feature specifies that the authentication scheme processes only an encrypted assertion or Name ID in the assertion.

For added security, the Identity Provider can encrypt the Name ID, user attributes, or the entire assertion. Encryption adds another level of protection when transmitting the assertion. When encryption is enabled at the Identity Provider, the certificate (public key) is used to encrypt the data. When the assertion arrives at the Service Provider, it decrypts the encrypted data with the associated private key.

When you configure encryption at the Session Provider, the assertion must contain an encrypted Name ID or assertion or the Service Provider rejects the assertion.

Set Up Encryption for SSO

You can enforce encryption requirements for the assertion.

To enforce encryption requirements

  1. Navigate to the SAML 2.0 authentication scheme.
  2. Click SAML 2.0 Configuration, Encryption & Signing.

    The encryption and signing settings page displays.

  3. To require an encrypted Name ID, select the Require Encrypted Name ID check box.
  4. To require an encrypted assertion, select the Require Encrypted Assertion check box.

    You can select the Name ID and the assertion.

  5. (Optional) Specify an alias for the private key that decrypts any encrypted data in the assertion received from the Identity Provider.
  6. Click OK to save your changes.

Without any encryption requirements, the Service Provider accepts Name IDs and assertions that are encrypted or in clear text.