Federation Security Services Guide › Configure SiteMinder as a SAML 2.0 Identity Provider › Configure Single Sign-on for SAML 2.0 › Determine Digital Signing Options

Determine Digital Signing Options

SiteMinder can use a private key/certificate pair to perform various digital signing tasks for federated communication. The private key can sign the following:

• Assertions
• SAML responses
• Artifact responses
• Single logout requests and responses

  For single logout, the side that initiates the logout signs the request, and the side receiving the request validates the signature. Conversely, the receiving side must sign the SLO response and the initiator must validate the response signature.

• Attribute responses (for authorizations based on user attributes)

Prior to any transaction involving signing, the partner responsible for signing gives the certificate (public key) associated with the private key to the partner that verifies the signature. This exchange is done in an independent communication from the federated transaction.

When a SiteMinder IdP sends an assertion to an SP, it includes the certificate in the assertion, by default. However, the SP uses the certificate that it stores at its site to verify the signature.

The configuration options for digital signing include:

• The signature alias setting
• The signature algorithm (RSAwithSHA1 or RSAwithSHA256)
• HTTP-Artifact assertion, SAML response, and artifact response options
• HTTP-POST assertion and SAML response options

To specify signing options from the General or SSO tab

1. Open the SAML Service Provider Properties dialog.
2. Select the General or SSO tab.
3. Select Signing Options.

   The Signing Options dialog opens.

   Complete the fields in the Signing Options dialog.

   Note: Click Help for a description of fields, controls, and their respective requirements.