

Validate Signed AuthnRequests and SLO Requests/Responses

By default, signature processing is enabled because it is required by the SAML 2.0 specification; therefore, it must be enabled in a production environment. SAML 2.0 POST responses and single logout requests are always signed by SiteMinder; signing does not require configuration using the FSS Administrative UI.

For signing, the only setup required is adding the private key and certificate of the authority responsible for signing to the smkeydatabase.

Important! For debugging purposes only, you can temporarily disable all signature processing (both signing and verification of signatures) by checking the Disable Signature Processing option.

To validate signatures of AuthnRequests from a Service Provider, or single logout requests and responses, there are configuration steps in the FSS Administrative UI and the smkeydatabase.

To set up validation:

  1. Add the public key to the Identity Provider’s smkeydatabase.

    The public key must correspond to the private key and certificate that the Service Provider used to do the signing.

    Note: To see updates to the smkeydatabase immediately, restart the Policy Server. Otherwise, the database is updated based on the frequency you configured in the smkeydatabase.properties file.

  2. In the FSS Administrative UI, select one or both of the following check boxes:
  3. Complete the Issuer DN and Serial Number fields on the General tab.

    The Issuer DN and Serial Number fields become active only after the Require Signed AuthnRequests or the HTTP-Redirect check box is selected. The values you enter for these fields should match the public key in the smkeydatabase that corresponds to the private key and certificate of the authority that signed the requests. We recommend you open a command window and enter the command smkeytool -lc to list the certificates and view the DN to ensure that you enter a matching value.
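The following is an added example, not code from SiteMinder or from smkeytool: a small standard-library Python script that reads the issuer DN and serial number straight out of the Service Provider's DER-encoded signing certificate, so the values typed into the Issuer DN and Serial Number fields can be checked against the certificate itself rather than copied by hand. It assumes you already have the Service Provider's signing certificate as a DER file; the `sample_certificate()` function builds a constructed, structurally valid certificate (dummy key and signature) only so the parser can be exercised offline. Compare its output with what `smkeytool -lc` prints for the same certificate in the smkeydatabase, since that listing is the value the Policy Server matches against.

```python
# Added example (not SiteMinder or smkeytool code): pull the issuer DN and serial
# number out of a DER-encoded X.509 certificate with a minimal DER walker, so the
# values entered in the Issuer DN / Serial Number fields can be checked against the
# Service Provider's actual signing certificate. Standard library only.

_ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
         "2.5.4.10": "O", "2.5.4.11": "OU"}          # RFC 4519 short names

def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v

def _decode_oid(value):
    """DER OBJECT IDENTIFIER payload -> dotted string."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                               # last byte of this arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def _name_to_string(name):
    """Render a Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'C=US, O=..., CN=...'."""
    parts = []
    for _, rdn in _children(name):                     # one SET per RDN
        for _, atv in _children(rdn):                  # SEQUENCE { type OID, value string }
            (_, oid), (_, val) = _children(atv)
            dotted = _decode_oid(oid)
            parts.append(f"{_ATTR.get(dotted, dotted)}={val.decode()}")
    return ", ".join(parts)

def issuer_and_serial(der_cert):
    """Return (issuer_dn, serial_number) from a DER Certificate."""
    _, cert, _ = _read_tlv(der_cert, 0)                # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _read_tlv(cert, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                           # skip optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)   # serialNumber; fields[1] is the AlgId
    return _name_to_string(fields[2][1]), serial                # issuer Name is the third field

def matches_ui_fields(der_cert, issuer_dn, serial_number):
    """True when the Issuer DN / Serial Number entered in the FSS UI identify this certificate."""
    issuer, serial = issuer_and_serial(der_cert)
    return issuer == issuer_dn and serial == int(serial_number)

# --- constructed sample certificate (structurally valid DER, dummy key and signature) ---
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                                       # base-128, high bit set on all but last byte
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _encode_name(rdns):
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x0C, text.encode())))
        for oid, text in rdns))

def sample_certificate():
    """Constructed sample cert: serial 123456789, issuer C=US, O=Example SP, CN=sp-signing."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.1.11")) + b"\x05\x00")  # sha256WithRSA
    name = _encode_name([("2.5.4.6", "US"), ("2.5.4.10", "Example SP"), ("2.5.4.3", "sp-signing")])
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))                     # version v3
                     + _tlv(0x02, (123456789).to_bytes(4, "big"))       # serialNumber
                     + alg + name                                        # signature AlgId, issuer
                     + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
                     + name + _tlv(0x30, alg + _tlv(0x03, b"\x00\x00"))) # subject, dummy SPKI
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00"))              # dummy signatureValue
```

To use it on a real certificate, read the DER file (`open("sp-signing.der", "rb").read()`, a file name assumed here) and pass the bytes to `issuer_and_serial`; a mismatch reported by `matches_ui_fields` means the Identity Provider will not find the Service Provider's certificate and signed AuthnRequests or SLO messages will be rejected, which is the failure to look for before anyone is tempted to reach for the Disable Signature Processing option.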