
Enabling Encryption

To enable encryption of the Name ID, the assertion, or both

  1. Log in to the FSS Administrative UI and access the SAML Service Provider Properties dialog box for the Service Provider you want to configure.
  2. From the SAML Service Provider Properties dialog box, select the Encryption tab.
  3. To encrypt only the Name ID, select the Encrypt Name ID checkbox.
  4. To encrypt the entire assertion, select the Encrypt Assertion checkbox.

    You can select both checkboxes; the Name ID and the assertion can both be encrypted.

  5. Choose an Encryption Block Algorithm and an Encryption Key Algorithm. The block algorithm encrypts the Name ID or assertion data itself; the key algorithm wraps that content key with the Service Provider's public key. Both algorithms are defined by the W3C XML Encryption Syntax and Processing standard.

    After you select an encryption checkbox, the fields in the Encryption Public Key section become active.

    Note: To use the AES-256 encryption block algorithm, install Sun's Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. You can download these files from http://java.sun.com/javase/downloads/index.jsp

  6. Fill in the IssuerDN and the Serial Number fields.

    The IssuerDN is the distinguished name of the authority that issued the Service Provider's encryption certificate; together with the certificate's serial number it uniquely identifies that certificate in the key store. The Identity Provider encrypts with the public key in this certificate, and only the Service Provider, which holds the matching private key, can decrypt, so the Service Provider must supply the certificate and these two values.

    Additionally, the IssuerDN and Serial Number that you enter here and on the General tab must match an IssuerDN and serial number of a key stored in the Identity Provider's key store database. The key store is created using the SiteMinder keytool utility.

  7. Click OK to save your changes.
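The example below is added here to show what the settings on the Encryption tab mean at the protocol level; it is illustrative code written for this page, not CA SiteMinder code. A minimal key store keyed by IssuerDN and serial number stands in for the SiteMinder key store, a self-signed certificate generated in the program stands in for the certificate the Service Provider would supply, and the sample assertion text is constructed. It performs the two-layer scheme XML Encryption prescribes: the assertion is encrypted under a fresh AES-256-CBC content key (the block algorithm), and that content key is wrapped with RSA-OAEP under the Service Provider's public key (the key algorithm). The names `keyStore`, `encryptForSP`, `decryptAtSP` and `describeCert` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// keyEntry is a certificate plus, on the SP side only, its private key.
type keyEntry struct {
	cert *x509.Certificate
	priv *rsa.PrivateKey
}

// keyStore stands in for the IdP key store (hypothetical, not the SiteMinder
// format): entries are found by IssuerDN and decimal serial number, the two
// values the Encryption tab asks for.
type keyStore map[string]keyEntry

func locator(issuerDN, serial string) string { return issuerDN + "|" + serial }

// describeCert returns the IssuerDN and serial number to copy into the tab.
func describeCert(c *x509.Certificate) (issuerDN, serial string) {
	return c.Issuer.String(), c.SerialNumber.String()
}

// newSPEntry makes a self-signed RSA certificate so the example runs offline
// (constructed test data; a real Service Provider supplies its own certificate).
func newSPEntry(cn string, serial int64) (keyEntry, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return keyEntry{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example SP"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return keyEntry{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return keyEntry{cert: cert, priv: priv}, err
}

// encryptedAssertion holds what <EncryptedAssertion> carries: the content key
// wrapped with the SP public key (<EncryptedKey>) and IV||ciphertext (<CipherData>).
type encryptedAssertion struct{ wrappedKey, ivAndData []byte }

// encryptForSP is the IdP side: find the SP certificate by IssuerDN + serial,
// encrypt under a fresh AES-256-CBC content key, wrap that key with RSA-OAEP.
func encryptForSP(ks keyStore, issuerDN, serial string, assertion []byte) (*encryptedAssertion, error) {
	e, ok := ks[locator(issuerDN, serial)]
	if !ok {
		return nil, fmt.Errorf("no certificate for issuer %q serial %s in key store", issuerDN, serial)
	}
	pub, ok := e.cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("SP certificate does not hold an RSA key")
	}
	buf := make([]byte, 32+aes.BlockSize) // 32-byte key = aes256-cbc, then a random CBC IV
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	contentKey, iv := buf[:32], buf[32:]
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	// PKCS#7 padding is a valid ISO 10126 padding: XML Encryption reads only the last byte.
	pad := aes.BlockSize - len(assertion)%aes.BlockSize
	padded := append(append([]byte{}, assertion...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &encryptedAssertion{wrappedKey: wrapped, ivAndData: append(append([]byte{}, iv...), ct...)}, nil
}

// decryptAtSP is the SP side: only the holder of the private key matching the
// certificate the IdP selected can unwrap the content key and read the assertion.
func decryptAtSP(priv *rsa.PrivateKey, ea *encryptedAssertion) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ea.wrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	if len(ea.ivAndData) < 2*aes.BlockSize || len(ea.ivAndData)%aes.BlockSize != 0 {
		return nil, errors.New("malformed cipher data")
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	iv, ct := ea.ivAndData[:aes.BlockSize], ea.ivAndData[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, errors.New("bad padding")
}

func main() {
	sp, err := newSPEntry("sp.example.com", 4711)
	if err != nil {
		panic(err)
	}
	issuerDN, serial := describeCert(sp.cert)
	fmt.Printf("Encryption tab values: IssuerDN=%s  Serial Number=%s\n", issuerDN, serial)
	ks := keyStore{locator(issuerDN, serial): sp} // IdP key store loaded with the SP certificate
	ea, err := encryptForSP(ks, issuerDN, serial, []byte(`<saml:Assertion ID="_a1">...</saml:Assertion>`))
	if err != nil {
		panic(err)
	}
	pt, err := decryptAtSP(sp.priv, ea)
	fmt.Printf("SP recovered: %s (err=%v)\n", pt, err)
	_, err = encryptForSP(ks, issuerDN, "4712", nil)
	fmt.Println("Mistyped serial on the IdP:", err)
}
```

Two points from running this are worth keeping in mind when filling in the tab. A mistyped IssuerDN or serial number fails at lookup time on the IdP, before anything is encrypted, which is the "must match" rule in step 6; a certificate that matches but belongs to the wrong party produces ciphertext the real Service Provider cannot unwrap. Separately, the CBC block algorithms of XML Encryption provide confidentiality only, not integrity: the signature on a SAML assertion is inside the encrypted content and cannot be checked until after decryption, and padding-oracle attacks against XML Encryption CBC (Jager and Somorovsky, 2011) exploit exactly that gap. Where the product offers RSA-OAEP as the key algorithm, prefer it over RSA 1.5 key transport, which has a long history of Bleichenbacher-style attacks.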

More Information:

Manage the Key Database for Signing and Encryption


Copyright © 2010 CA. All rights reserved.