

Enable Signature Processing

Digitally signing assertions is required in a SAML 2.0 POST single sign-on. For signing and verification tasks, a private key/certificate pair is used.

Before any transaction or runtime actions, an administrator at IdP1 sends a file with certificate data to SP1. This file contains a certificate (public key) associated with the private key that the IdP1 uses to sign assertions. An administrator at SP1 adds the certificate to its certificate data store.

When the single sign-on transaction occurs, IdP1 signs the assertion with its private key. SP1 receives the assertion and verifies the assertion signature using the certificate in the certificate data store.

The following procedures explain how to set up signing at each site.
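The key/certificate relationship the procedures below rely on, as an added example that is not part of this page or the product's own code: the IdP signs with the private key it keeps in its certificate data store, and the SP verifies only against the certificate it imported beforehand. It uses the Go standard library and signs raw assertion bytes with RSA/SHA-256 as a stand-in for XML-DSig (canonicalisation and the XML Signature envelope are assumed away); the sample assertion and the names IdP1/cert1 are constructed from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// GenerateIdPKeyMaterial stands in for the key/certificate pair the procedure imports
// as cert1: the private key stays at the IdP, only the certificate goes to the SP.
func GenerateIdPKeyMaterial(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// SignAssertion is the IdP-side runtime step: sign the assertion bytes with the
// private key (RSA PKCS#1 v1.5 over SHA-256; XML-DSig canonicalisation is omitted).
func SignAssertion(priv *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyAssertion is the SP-side step: check the signature against the certificate
// imported earlier (Verification Certificate Alias), never a key carried in the message.
func VerifyAssertion(trusted *x509.Certificate, assertion, sig []byte) error {
	pub, ok := trusted.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("verification certificate does not hold an RSA public key")
	}
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```

A real SP must additionally bind the verification to the alias configured for the partnership rather than to any certificate embedded in the incoming message, which is why the SP procedure imports IdP1's certificate before any transaction takes place.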

Configure Signature Processing at the IdP

For POST single sign-on, IdP1 is required to sign assertions. It uses the private key in its certificate data store to sign assertions.

Note: The example assumes that you have a file from which you import keys and certificates, or that you already have private keys and certificates for signing and verification tasks.

Follow these steps:

  1. From the UI, click the Federation tab and select Partnerships.

    The View Federation Partnerships window displays.

  2. Select Action, Deactivate next to the entry for TestPartnership, which is the IdP ->SP partnership.

    Deactivate a partnership before editing it.

  3. Click Action, Modify next to the entry for TestPartnership.

    The dialog for the first step of the Partnership wizard opens.

  4. Click the Signature and Encryption step in the partnership wizard.
  5. In the Signature group box:
    1. Deselect Disable Signature Processing.
    2. Click Import next to the Signing Private Key Alias field.

      The Import Certificate/Private Key window opens.

  6. Complete the import wizard as follows:
    1. Select the file from where you are importing the private key/certificate pair.
    2. If the file is a PKCS#12 file, supply the password that was used to encrypt the file.
    3. Select the certificate entry from the file that you want to import and enter a value for the Alias, such as cert1.
    4. Confirm the selection and click Finish.

    You return to the View Federation Partnerships window.

  7. Select Action, Modify for the partnership entry.
  8. Go to the Signature and Encryption step. In the dialog, the key/certificate that you imported is now available from the Signing Private Key Alias drop-down list.
  9. Select the alias for cert1 and click Next.
  10. Review the settings in the Confirm dialog and click Finish.

    You return to the View Federation Partnerships window.

  11. Reactivate the partnership by selecting Action, Activate next to the TestPartnership entry in the Federation Partnership List.
  12. Restart the federation services according to your operating environment.

    Restarting the federation services makes the system aware of the changes to signing.

Signature processing is now configured at the IdP.

Configure Signature Processing at the SP

SP1 is required to verify the signature of an assertion. Before a transaction, SP1 must have the certificate (public key) from IdP1. This is the certificate that is associated with the private key that IdP1 uses to sign the assertion.

This certificate must be imported into the SP1 certificate data store.

Follow these steps:

  1. From the Administrative UI, click the Federation tab and select Partnerships.

    The View Federation Partnerships window displays.

  2. Select Action, Deactivate next to the entry for DemoPartnership.

    Deactivate a partnership before editing it.

  3. Click Action, Modify next to the entry for DemoPartnership.

    The dialog for the first step of the Partnership wizard opens.

  4. Click the Signature and Encryption step in the Partnership wizard.
  5. In the Signature group box:
    1. Deselect Disable Signature Processing.
    2. Click Import next to the Verification Certificate Alias field.

      The Import Certificate/Private Key window opens.

  6. Complete the import wizard as follows:
    1. Select the file from where you are importing the certificate.
    2. Select the certificate entry from the file that you want to import and enter a value for the Alias, such as cert1.
    3. Confirm the selection and click Finish.

    You return to the View Federation Partnerships window.

  7. Select Action, Modify for the partnership entry.
  8. Go to the Signature and Encryption step. In the dialog, the certificate that you imported is now available from the Verification Certificate Alias drop-down list.
  9. Select the alias for the certificate, cert1, and click Next.
  10. Review the settings in the Confirm dialog and click Finish.

    You return to the View Federation Partnerships window.

  11. Reactivate the partnership by selecting Action, Activate next to the DemoPartnership entry in the Federation Partnership List.
  12. Restart the federation services according to your operating environment.

    Restarting federation services makes the system aware of the changes to signing.

Signature verification is now configured at the SP.