Set Up smkeydatabase at the SP for Signature Validation

For POST single sign-on, the Identity Provider digitally signs the SAML assertion, as required by the SAML 2.0 specification. Consequently, the Service Provider must validate the signature.

To validate a digital signature, you must add the Identity Provider's public key certificate to the Service Provider's smkeydatabase file. When you configure the SAML authentication scheme, you identify that certificate by its issuer DN and serial number.

To add the public key to smkeydatabase

  1. Open a command window.
  2. Create the smkeydatabase by entering:

    smkeytool.bat -createDB -password federation

    This creates the smkeydatabase at the Service Provider with the password federation.

  3. Add the public key certificate to smkeydatabase by entering:

    smkeytool.bat -addCert -alias <alias> -infile <path_to_X.509_certificate_file>

    In this deployment, the public key certificate is post-cert.crt. The command is:

    smkeytool.bat -addCert -alias idp1cert -infile "c:\program files\ca\siteminder\certs\post-cert.crt"

  4. Restart the Policy Server to see the smkeydatabase changes immediately.
  5. Enable Signature Validation at the SP.
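Before importing the partner certificate, it is worth reading the issuer DN, serial number and validity period directly from post-cert.crt, because the SAML authentication scheme is configured with the issuer DN and serial number and an expired signing certificate fails validation even after a successful import. The following PowerShell is an added example, not part of the CA documentation; it assumes the certificate path used in this deployment and relies only on the .NET X509Certificate2 class.

```powershell
# Added example (not CA's own tooling): inspect the IdP signing certificate
# that will be added to smkeydatabase with smkeytool.bat -addCert.
$certPath = 'C:\Program Files\CA\SiteMinder\certs\post-cert.crt'   # path from this deployment

if (-not (Test-Path -LiteralPath $certPath)) {
    throw "Certificate file not found: $certPath"
}

# X509Certificate2 accepts both PEM (.crt/.cer) and DER encoded files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# These two values are what the SAML authentication scheme asks for.
"Issuer DN     : $($cert.Issuer)"
"Serial number : $($cert.SerialNumber)"      # hex string as .NET presents it
"Subject       : $($cert.Subject)"
"Thumbprint    : $($cert.Thumbprint)"        # SHA-1, handy to confirm the right file
"Valid         : $($cert.NotBefore) to $($cert.NotAfter)"

# Signature validation at the SP fails if the IdP certificate is not currently valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning 'Certificate is outside its validity period; assertions signed with it will not validate.'
} else {
    "Days until expiry: $(($cert.NotAfter - $now).Days)"
}

# If a KeyUsage extension is present, it should allow digitalSignature,
# since the IdP uses this key to sign SAML assertions.
$kuType = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$ku = $cert.Extensions | Where-Object { $_ -is $kuType }
if ($ku) {
    $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if (-not ($ku.KeyUsages -band $flag)) {
        Write-Warning 'KeyUsage does not include digitalSignature.'
    }
}
```

The DN string is printed in .NET's formatting; confirm that the value entered in the authentication scheme matches the issuer DN exactly as the Policy Server expects it.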

More Information:

Manage the Key Database for Signing and Encryption

Copyright © 2010 CA. All rights reserved.