

Add a Private Key and Certificate to the IdP Smkeydatabase

Keys and certificates used to sign SAML assertions for POST binding are stored in the smkeydatabase. Signing a SAML response is required, so create smkeydatabase at the Identity Provider and add the appropriate items to it.

If you deployed the sample application, you can use the key that it automatically installs. If you want to create a new key, use the smkeytool utility to delete all the data from the smkeydatabase and complete the following procedures.

To create a key database and add a private key and certificate to it

  1. Open a command window.
  2. If necessary, create a key database for a Windows system by entering

    smkeytool.bat -createDB -password password

    This command creates the smkeydatabase.

  3. Add a private key and certificate to smkeydatabase.

    idp.demo signs the SAML response before sending it to sp.demo.

    The command for this deployment is:

    smkeytool.bat -addPrivKey -alias defaultenterpriseprivatekey -keyfile "c:\program files\ca\siteminder\certs\post-pkey.der" -certfile "c:\program files\ca\siteminder\certs\post-cert.crt" -password password

    The -keyfile option gives the location of the private key in DER format at the Identity Provider; for this deployment, that is post-pkey.der. The -certfile option gives the location of the public key certificate, post-cert.crt, and -password gives the password associated with the private key, which is password.

  4. Restart the Policy Server to see the smkeydatabase changes immediately.
  5. Log in to the FSS Administrative UI.
  6. From the Domains tab, select Federation Sample Partners, then open the properties for the Service Provider, sp.demo.
  7. Go to the General tab in the SAML Service Provider Properties dialog.
  8. Uncheck the box labeled Disable Signature Processing. Deselecting this check box means that signature processing is enabled.
  9. Click OK.
  10. Set Up the smkeydatabase at the SP to Validate Digital Signatures.
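Before running the -addPrivKey command in step 3, it is worth confirming that the DER private key and the certificate are a matching pair, because a mismatch only surfaces later, when the Service Provider fails to validate the signature. The script below is an added example, not part of the SiteMinder documentation; it assumes the openssl command-line tool is available in a POSIX shell (for example Git Bash on the Windows host) and uses the file names from this page.

```shell
#!/bin/sh
# Added check (not from the SiteMinder docs): confirm that the DER private key
# and the certificate passed to "smkeytool -addPrivKey" belong together.
# Assumes the openssl CLI is on the PATH.

# Print the PEM public key contained in an X.509 certificate (PEM or DER).
cert_pubkey() {
    openssl x509 -inform PEM -in "$1" -pubkey -noout 2>/dev/null \
        || openssl x509 -inform DER -in "$1" -pubkey -noout
}

# Print the PEM public key derived from a DER-encoded private key.
key_pubkey() {
    openssl pkey -inform DER -in "$1" -pubout 2>/dev/null
}

# Return 0 when the private key and certificate are a matching pair, 1 otherwise.
check_key_matches_cert() {
    key_pub=$(key_pubkey "$1") \
        || { echo "cannot read DER private key: $1" >&2; return 1; }
    cert_pub=$(cert_pubkey "$2") \
        || { echo "cannot read certificate: $2" >&2; return 1; }
    if [ "$key_pub" = "$cert_pub" ]; then
        echo "OK: $1 matches $2"
        return 0
    fi
    echo "MISMATCH: $1 is not the key for $2; signatures made with it will fail validation at the SP" >&2
    return 1
}

# Usage with the file names from this page (run inside the certs directory);
# the import only runs when the pair checks out:
#   check_key_matches_cert post-pkey.der post-cert.crt && \
#       smkeytool.bat -addPrivKey -alias defaultenterpriseprivatekey \
#           -keyfile post-pkey.der -certfile post-cert.crt -password password
```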