

Set Up smkeydatabase at the SP for Signature Validation

For POST single sign-on, the Identity Provider digitally signs the SAML assertion, as required by the SAML 2.0 specification. Consequently, the Service Provider must validate the signature.

To validate the digital signature, add the Identity Provider's public key certificate to the smkeydatabase file of the Service Provider. When you configure the SAML authentication scheme, you specify the issuer DN and the serial number of that partner certificate, which together identify the entry in the smkeydatabase.

To import the public key

  1. Open a command window.
  2. Create the smkeydatabase by entering:

    smkeytool.bat -createDB -password password

    This command creates the smkeydatabase at the Service Provider. In this deployment, the password is federation.

  3. Add the public key certificate to the smkeydatabase by entering:

    smkeytool.bat -addCert -alias <alias> -infile path_to_X.509_certificate_file

    In this deployment, the public key certificate is post-cert.crt. The command is:

    smkeytool.bat -addCert -alias idp1cert -infile "c:\program files\ca\siteminder\certs\post-cert.crt"

  4. Restart the Policy Server so that the smkeydatabase changes take effect immediately.
  5. Enable Signature Validation at the SP.
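The following script is an added example, not part of the CA documentation and not smkeytool itself. It uses openssl to show what the procedure above relies on: a stand-in for the IdP's post-cert.crt is generated as constructed test data, the issuer DN and serial number that the SAML authentication scheme asks for are read from it, an assertion is signed with the IdP's private key, and the SP side verifies that signature using only the public key extracted from the certificate (the half that -addCert imports). A modified assertion fails verification. File names, the subject name idp1.example.test and the sample assertion text are assumptions; real SAML uses XML-Signature canonicalization on top of this RSA/SHA-256 primitive, which the script does not reproduce.

```shell
#!/bin/sh
# Added example, not CA code. Constructed IdP certificate and assertion;
# all file and subject names are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Generate a stand-in IdP signing key and self-signed certificate.
# post-cert.crt here plays the role of the partner certificate on the page.
make_idp_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=idp1.example.test/O=Example IdP" \
        -keyout "$WORK/idp-key.pem" -out "$WORK/post-cert.crt" 2>/dev/null
    # The SP only ever holds the public half; this is what -addCert stores.
    openssl x509 -in "$WORK/post-cert.crt" -pubkey -noout > "$WORK/idp-pub.pem"
}

# Issuer DN in RFC 2253 form (e.g. "O=Example IdP,CN=idp1.example.test"),
# the first value the SAML authentication scheme needs.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Serial number in hex, the second value the SAML authentication scheme needs.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# IdP side: sign the assertion bytes with the private key (RSA with SHA-256).
sign_assertion() {   # $1 = assertion file, $2 = output signature file
    openssl dgst -sha256 -sign "$WORK/idp-key.pem" -out "$2" "$1"
}

# SP side: verify with the public key taken from the imported certificate.
# Exit status 0 means the signature is valid; non-zero means rejected.
verify_assertion() {   # $1 = assertion file, $2 = signature file
    openssl dgst -sha256 -verify "$WORK/idp-pub.pem" -signature "$2" "$1" >/dev/null 2>&1
}

demo() {
    make_idp_cert
    printf '<saml:Assertion ID="_c1">idp1</saml:Assertion>\n' > "$WORK/assertion.xml"
    sign_assertion "$WORK/assertion.xml" "$WORK/assertion.sig"
    verify_assertion "$WORK/assertion.xml" "$WORK/assertion.sig" && echo "valid signature"
    # Any change to the signed bytes must fail validation at the SP.
    sed 's/idp1/evil/' "$WORK/assertion.xml" > "$WORK/tampered.xml"
    verify_assertion "$WORK/tampered.xml" "$WORK/assertion.sig" || echo "tampered assertion rejected"
    echo "issuer DN: $(cert_issuer "$WORK/post-cert.crt")"
    echo "serial:    $(cert_serial "$WORK/post-cert.crt")"
}

demo
```

The two values printed at the end are the ones you would enter in the SAML authentication scheme after importing the certificate with -addCert; the matching is on issuer DN plus serial, so a certificate re-issued by the same CA with a new serial will not be found until the scheme is updated.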