

Decrypt an Encrypted Assertion at the SP

If the assertion is encrypted at the Identity Provider, the Service Provider must have the private key and corresponding certificate in its smkeydatabase.

The Service Provider accepts an encrypted assertion from the Identity Provider as long as it has the private key and certificate to decrypt the assertion. You do not have to enable the Require an Encrypted Assertion feature for the SAML authentication scheme to accept an encrypted assertion at the Service Provider.

To add the private key and certificate to the smkeydatabase

  1. Open a command window.
  2. Do one of the following:
  3. Add a private key and certificate to the existing smkeydatabase.

    The command for this deployment is:

    smkeytool.bat -addPrivKey -alias sp1privkey -keyfile "c:\program files\ca\siteminder\certs\sp-encrypt.der" -certfile "c:\program files\ca\siteminder\certs\sp-encrypt.crt" -password fedsvcs

    The -keyfile option gives the location of the private key, sp-encrypt.der. The -certfile option gives the location of the corresponding certificate, sp-encrypt.crt, which carries the matching public key. The -password option supplies the password, fedsvcs, that is associated with the private key.

  4. Restart the Policy Server to see the smkeydatabase changes immediately.
  5. Test single sign-on. Go to either of the following:
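As an added example (not part of the SiteMinder documentation or of smkeytool), a POSIX shell check that the DER private key and the certificate named in the smkeytool command are actually a matching pair before you import them; it assumes OpenSSL is installed, and the file names and the fedsvcs password are taken from the command on this page.

```shell
#!/bin/sh
# Added example, not from the SiteMinder documentation: before running
# "smkeytool -addPrivKey", check that the DER private key and the certificate
# really belong together. A mismatched pair imports without complaint and only
# shows up later, when the Service Provider fails to decrypt the assertion.
# Assumes OpenSSL is on the PATH. File names follow the page's example.

# Write the SubjectPublicKeyInfo (DER) of a certificate to $2. Accepts PEM or DER.
cert_spki() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null > "$2.pem" ||
    openssl x509 -in "$1" -inform DER -pubkey -noout > "$2.pem" || return 1
  openssl pkey -pubin -in "$2.pem" -outform DER -out "$2"
}

# Write the SubjectPublicKeyInfo (DER) derived from a DER private key to $2.
# $3 is the key password if the key file is encrypted (empty otherwise).
key_spki() {
  openssl pkey -in "$1" -inform DER -passin "pass:$3" -pubout -outform DER -out "$2" 2>/dev/null ||
    openssl rsa -in "$1" -inform DER -passin "pass:$3" -pubout -outform DER -out "$2"
}

# SHA-256 fingerprint of a DER file, used to compare the two public keys.
fp() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# keypair_matches KEY.der CERT.crt [password]: returns 0 if they match, 1 otherwise.
keypair_matches() {
  work=$(mktemp -d) || return 1
  rc=1
  if key_spki "$1" "$work/key.der" "${3:-}" 2>/dev/null &&
     cert_spki "$2" "$work/cert.der" 2>/dev/null &&
     [ -s "$work/key.der" ] && [ "$(fp "$work/key.der")" = "$(fp "$work/cert.der")" ]; then
    rc=0
  fi
  rm -rf "$work"
  return $rc
}

# Usage with the file names from the smkeytool command above (the page shows
# Windows paths; adjust for your host):
#   keypair_matches sp-encrypt.der sp-encrypt.crt fedsvcs && echo "pair matches"
```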