At the producing authority, the smkeydatabase is used for the following features:
To use the SAML 1.x POST profile, the SAML 2.0 POST binding, or the WS-Federation Passive Requester Profile for passing assertions, the assertion generator at the producing authority needs to sign the SAML assertion. The consuming authority that receives it needs to verify that signature.
If you enable encryption, the producer/Identity Provider must provide the public key certificate of the Service Provider for encrypting the data, while the consumer/Service Provider uses a private key to decrypt the data.
For single logout, the side initiating the logout request signs the request and the side receiving the request validates the signature. Conversely, the receiving side must sign the response and the initiator must validate the response.
The Identity Provider can require that the Service Provider sign AuthnRequest messages. To sign these messages, the Service Provider needs a private key and certificate. The Identity Provider then validates the request with the public key that corresponds to that private key.
To accomplish signing, verification, and encryption, you must set up an smkeydatabase for each Policy Server that is responsible for signing, verification, and encryption.
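The four roles described above (sign with your own private key, verify with the peer's public key, encrypt to the peer's public key, decrypt with your own private key) are easy to mix up when populating a key store on each side. The following Go program is an added example, not CA's code and not the smkeydatabase API: it models the Identity Provider and Service Provider as two parties that each hold an in-memory RSA key pair and have the other side's public key on file, which is the role the smkeydatabase plays on a Policy Server. RSA-PSS and RSA-OAEP stand in for the XML Signature and XML Encryption used on real SAML messages, and the assertion and AuthnRequest payloads are constructed strings. It also shows the two failure modes that matter operationally: a tampered assertion fails verification at the SP, and the encrypting side cannot decrypt what it encrypted to the SP's public key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party models one side of the federation: the Identity Provider (producing
// authority) or the Service Provider (consuming authority). Each holds its own
// private key and the other side's public key, as the smkeydatabase would hold
// the local private key and the partner's certificate. (Constructed example.)
type Party struct {
	Name string
	priv *rsa.PrivateKey
	peer *rsa.PublicKey // the partner's public key, as imported from its certificate
}

// NewParty generates a fresh 2048-bit RSA key pair for the named party.
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// Trust records the partner's public key, as importing its certificate would.
func (p *Party) Trust(other *Party) { p.peer = &other.priv.PublicKey }

// Sign produces an RSA-PSS signature over msg with this party's own private key.
// It stands in for the XML signature on an assertion, AuthnRequest or logout message.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, h[:], nil)
}

// Verify checks sig over msg against the partner's public key.
// Any change to msg or sig makes this return false.
func (p *Party) Verify(msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(p.peer, crypto.SHA256, h[:], sig, nil) == nil
}

// Encrypt wraps msg to the partner's public key with RSA-OAEP, so only the
// partner's private key can open it. Real deployments encrypt the assertion
// with a symmetric key and RSA-wrap that key; the key roles are the same.
func (p *Party) Encrypt(msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, p.peer, msg, nil)
}

// Decrypt opens a message that was encrypted to this party's public key.
func (p *Party) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// RunFlows exercises the signing, verification and encryption flows described
// in the text with constructed payloads and reports whether each behaved as
// a correctly populated key store would make it behave.
func RunFlows() (map[string]bool, error) {
	idp, err := NewParty("IdP")
	if err != nil {
		return nil, err
	}
	sp, err := NewParty("SP")
	if err != nil {
		return nil, err
	}
	idp.Trust(sp) // IdP imports the SP certificate
	sp.Trust(idp) // SP imports the IdP certificate

	results := map[string]bool{}

	// 1. IdP signs the assertion; SP verifies it with the IdP public key.
	assertion := []byte(`<saml:Assertion ID="_constructed-1"><saml:Subject>alice</saml:Subject></saml:Assertion>`)
	sig, err := idp.Sign(assertion)
	if err != nil {
		return nil, err
	}
	results["assertion verifies at SP"] = sp.Verify(assertion, sig)

	// A single flipped byte in transit must be rejected.
	tampered := append([]byte{}, assertion...)
	tampered[len(tampered)/2] ^= 0x01
	results["tampered assertion rejected"] = !sp.Verify(tampered, sig)

	// 2. IdP encrypts to the SP public key; only the SP private key decrypts.
	ct, err := idp.Encrypt(assertion)
	if err != nil {
		return nil, err
	}
	pt, err := sp.Decrypt(ct)
	results["SP decrypts assertion"] = err == nil && bytes.Equal(pt, assertion)
	_, err = idp.Decrypt(ct) // wrong private key: must fail
	results["IdP cannot decrypt"] = err != nil

	// 3. SP signs an AuthnRequest; IdP verifies it with the SP public key.
	req := []byte(`<samlp:AuthnRequest ID="_constructed-2"/>`)
	rsig, err := sp.Sign(req)
	if err != nil {
		return nil, err
	}
	results["AuthnRequest verifies at IdP"] = idp.Verify(req, rsig)
	return results, nil
}

func main() {
	results, err := RunFlows()
	if err != nil {
		panic(err)
	}
	for check, ok := range results {
		fmt.Printf("%-32s %v\n", check, ok)
	}
}
```

Single logout follows the same pattern as step 3 in both directions: the initiator signs the request and the receiver verifies it, then the receiver signs the response and the initiator verifies that. Each Policy Server therefore needs its own private key plus every partner's certificate in its smkeydatabase, never the partner's private key.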
Copyright © 2010 CA. All rights reserved.