

Certificate and Private Key Usage

Securing an assertion and encrypting data within the assertion is a critical part of partnership configuration. In a federation environment, key/certificate pairs and standalone certificates serve a number of functions:

The Policy Server Configuration Guide contains overview information and instructions about managing keys and certificates.

You can use SSL server certificates to do the following tasks:

Refer to instructions for enabling SSL for the web server where the CA SiteMinder® Web Agent is installed.

Note: If you enable SSL, it affects all URLs for all services, even the Base URL parameter. This means that all service URLs must begin with https://.

SAML 2.0 Signing Algorithms

For SAML 2.0, you have the option of choosing a signing algorithm for signing tasks. The ability to select an algorithm supports the following use cases:

Signature verification automatically detects which algorithm is in use on a signed document then verifies it. No configuration for signature verification is required.
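The automatic detection described above works because an XML Signature declares its own algorithms inside ds:SignedInfo: the SignatureMethod element names the key type and hash used for the signature, and each Reference names the digest used over the signed content. The following Python is an added example, not SiteMinder code, that reads those declarations from a constructed signed SAML 2.0 assertion and maps them onto an allow-list; the algorithm URIs are the standard W3C XML-DSig identifiers and are assumptions here, since this page does not list the algorithms the product offers. Only the detection step is shown; the cryptographic verification that would follow it is out of scope.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML Signature algorithm identifiers (W3C xmldsig / xmldsig-more).
# These URIs are not taken from this page. Anything not listed is rejected
# rather than guessed at, so an unexpected algorithm cannot slip through.
SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": ("RSA", "SHA-1"),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": ("RSA", "SHA-256"),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": ("RSA", "SHA-384"),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": ("RSA", "SHA-512"),
}
DIGEST_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "SHA-512",
}


def detect_signature_algorithms(document_xml: str) -> dict:
    """Read the algorithm identifiers a signed document declares.

    Returns the key type, signature hash and reference digest so the caller
    can pick the matching verifier. Raises ValueError when the document is
    unsigned, incomplete, or declares an algorithm outside the allow-list.
    """
    root = ET.fromstring(document_xml)
    # An enveloped signature is a direct child of the element it signs.
    sig = root.find(f"{{{DS_NS}}}Signature")
    if sig is None:
        raise ValueError("document carries no ds:Signature")
    sig_method = sig.find(f"{{{DS_NS}}}SignedInfo/{{{DS_NS}}}SignatureMethod")
    digest_method = sig.find(
        f"{{{DS_NS}}}SignedInfo/{{{DS_NS}}}Reference/{{{DS_NS}}}DigestMethod"
    )
    if sig_method is None or digest_method is None:
        raise ValueError("ds:SignedInfo is incomplete")
    sig_uri = sig_method.get("Algorithm", "")
    digest_uri = digest_method.get("Algorithm", "")
    if sig_uri not in SIGNATURE_METHODS:
        raise ValueError(f"unsupported SignatureMethod: {sig_uri!r}")
    if digest_uri not in DIGEST_METHODS:
        raise ValueError(f"unsupported DigestMethod: {digest_uri!r}")
    key_type, sig_hash = SIGNATURE_METHODS[sig_uri]
    return {
        "signature_method": sig_uri,
        "key_type": key_type,
        "signature_hash": sig_hash,
        "digest_hash": DIGEST_METHODS[digest_uri],
    }


# Constructed sample: the skeleton of a signed SAML 2.0 assertion. The
# DigestValue and SignatureValue are placeholders, not real signature bytes.
SAMPLE_SIGNED_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed-example">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>
"""

if __name__ == "__main__":
    print(detect_signature_algorithms(SAMPLE_SIGNED_ASSERTION))
```

Because the verifier takes the algorithm from the document, the allow-list is the only thing standing between a partner and whatever algorithm they choose to sign with; keeping that list to the algorithms you actually accept is the verification-side counterpart of choosing a signing algorithm on the signing side.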

Aliases to Reference Certificate Data Store Content

Each key/certificate pair, client certificate, and trusted certificate in the certificate data store must have a unique alias. The alias is the reference to any private key/certificate pair or single certificate in the certificate store. The certificate data store holds multiple key/certificate pairs and single certificates. A federated environment has multiple partners, and you can use a different key/certificate pair for each partner.

If a signing alias is configured for signing assertions, the assertion generator uses the key associated with that alias to sign assertions. If no signing alias is configured, the assertion generator uses the key with the following alias to sign assertions:

defaultenterpriseprivatekey

If the assertion generator does not find a default enterprise private key, it uses the first private key in the store to sign assertions.

Important! If you are going to store multiple keys, define the first key that you add with the following alias before adding subsequent keys:

defaultenterpriseprivatekey
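The three-step lookup above (configured alias, then defaultenterpriseprivatekey, then the first private key in the store) is easy to get wrong in practice, because the last step depends on insertion order. The following Python is an added example, not SiteMinder code, that models the certificate data store as an ordered list of aliased entries and applies that lookup order; the StoreEntry model, its kind labels and the sample aliases are assumptions made for the example. It also enforces the unique-alias rule from the previous section and checks the "Important!" rule that the default key is the first one added.

```python
from dataclasses import dataclass
from typing import List, Optional

# The fallback alias named on the page.
DEFAULT_SIGNING_ALIAS = "defaultenterpriseprivatekey"


@dataclass(frozen=True)
class StoreEntry:
    """One item in the certificate data store (model assumed for this example)."""
    alias: str
    # One of: "private_key_pair", "certificate", "ca_certificate", "client_certificate"
    kind: str


def validate_aliases(store: List[StoreEntry]) -> None:
    """Every entry must carry a unique alias; the alias is the only handle to it."""
    seen = set()
    for entry in store:
        if entry.alias in seen:
            raise ValueError(f"duplicate alias in certificate data store: {entry.alias!r}")
        seen.add(entry.alias)


def select_signing_alias(store: List[StoreEntry],
                         configured_alias: Optional[str] = None) -> str:
    """Resolve which private key the assertion generator would sign with.

    Order: the configured signing alias; otherwise defaultenterpriseprivatekey;
    otherwise the first private key/certificate pair in the store.
    """
    validate_aliases(store)
    private_pairs = [e for e in store if e.kind == "private_key_pair"]
    if not private_pairs:
        raise LookupError("no private key/certificate pair in the store")
    if configured_alias is not None:
        if not any(e.alias == configured_alias for e in private_pairs):
            raise LookupError(
                f"signing alias {configured_alias!r} is not a private key/cert pair")
        return configured_alias
    if any(e.alias == DEFAULT_SIGNING_ALIAS for e in private_pairs):
        return DEFAULT_SIGNING_ALIAS
    # Last resort: whichever private key was added first.
    return private_pairs[0].alias


def default_key_added_first(store: List[StoreEntry]) -> bool:
    """The 'Important!' rule: with several private keys, the first one added
    should carry the default alias, so the fallback never picks a partner key."""
    private_pairs = [e for e in store if e.kind == "private_key_pair"]
    if len(private_pairs) < 2:
        return True
    return private_pairs[0].alias == DEFAULT_SIGNING_ALIAS


# Constructed sample store; list order stands in for the order keys were added.
# A partner-specific key was added before the default one, which the check flags.
SAMPLE_STORE = [
    StoreEntry("partnerb-signing-key", "private_key_pair"),
    StoreEntry(DEFAULT_SIGNING_ALIAS, "private_key_pair"),
    StoreEntry("partnera-verify-cert", "certificate"),
    StoreEntry("backchannel-client-cert", "client_certificate"),
]

if __name__ == "__main__":
    print("no alias configured ->", select_signing_alias(SAMPLE_STORE))
    print("alias configured    ->", select_signing_alias(SAMPLE_STORE, "partnerb-signing-key"))
    print("default added first ->", default_key_added_first(SAMPLE_STORE))
```

Removing the default entry from SAMPLE_STORE shows why the ordering rule matters: with no configured alias and no default key, the generator would fall through to partnerb-signing-key, a key that was meant for one partner only.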

A given Policy Server either signs responses or both signs and verifies them. Add the keys and certificates used for signing and validation to the same certificate data store.

The following types of key/certificate pairs and single certificates are stored in the certificate data store:

| Function | Private Key/Cert Pair | Certificate (public key) | CA Certificates | Client Certificate |
|---|---|---|---|---|
| Signs assertions, authentication requests, SLO requests and responses | X | | | |
| Verifies signed assertions, authentication requests, and SLO requests/responses | | X | | |
| Encrypts assertions, Name ID and attributes (SAML 2.0 only) | | X | | |
| Decrypts assertions, Name ID and attributes (SAML 2.0) | X | | | |
| Serves as a credential for client certificate authentication of the artifact back channel | | | | X |
| Validates other certificates and certificate revocation lists | | | X | |
| Use SSL connections to resolve web services variables | | | X | |