SiteMinder uses private key/certificate pairs for signing, verification, encryption, and decryption of entire assertions, or specific assertion content. Federation Security Services also employs client certificates for authenticating a client across a back channel for artifact single sign-on. Finally, it uses SSL server certificates for establishing SSL connections.
There can be multiple private keys/certificate pairs in the SiteMinder key database, named the smkeydatabase. If you have multiple federated partners, you can use a different pair for each partner.
Private key/certificate pairs and single certificates are stored in the SiteMinder key database. Each key/certificate pair, client certificate, and trusted certificate in the key database must have a unique alias. The alias enables SiteMinder to reference any key or certificate in the key database. You can manage the contents of the key database using the smkeytool utility.
The following types of key/certificate pairs and single certificates are stored in the key database:
|
Function |
Private Key/Cert Pair |
Certificate |
SSL Server Certificate |
CA Certificates |
Client Certificate |
|---|---|---|---|---|---|
|
Signs assertions, authentication requests, SLO requests and responses |
X |
|
|
|
|
|
Verifies signed assertions, authentication requests, and SLO requests/responses |
|
X |
|
|
|
|
Encrypts assertions, Name ID and attributes (SAML 2.0 only) |
|
X |
|
|
|
|
Decrypts assertions, Name ID and attributes (SAML 2.0) |
X |
|
|
|
|
|
Secures SSL connections |
|
|
X |
|
|
|
Serves as credential for client certificate authentication of the artifact back channel |
|
|
|
|
X |
|
Validates other certificates and CRLs |
|
|
|
X |
|
The following sections detail key and certificate use for federated communication.
|
Copyright © 2012 CA.
All rights reserved.
|
|