

Enabling Encryption

To implement encryption

  1. Log in to the FSS Administrative UI and access the SAML Service Provider Properties dialog box for the Service Provider you want to configure.
  2. From the SAML Service Provider Properties dialog box, select the Encryption tab.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  3. To encrypt only the Name ID, select the Encrypt Name ID checkbox.
  4. To encrypt the entire assertion, select the Encrypt Assertion checkbox.

    You can select both check boxes; the Name ID and the assertion are then both encrypted.

  5. Choose an Encryption Block Algorithm and an Encryption Key Algorithm. These algorithms are defined by the W3C XML Encryption Syntax and Processing standard.

    After you select an encryption check box, the fields in the Encryption Public Key become active.

  6. Fill in the IssuerDN and the Serial Number fields.

    Notes:

    The IssuerDN is the DN of the certificate issuer; together with the serial number it locates the certificate of the Service Provider in the key store. The Service Provider should supply this information.

    Additionally, the IssuerDN and Serial Number that you enter here and on the General tab must match the IssuerDN and serial number of a key stored in the Identity Provider's key store database. The key store is created using the SiteMinder keytool utility.

  7. Click OK to save your changes.

Request Processing with a Proxy Server at the IdP

Before SiteMinder processes a request as an Identity Provider, it validates the message attributes using the local URL for the Federation Web Services application.

For example, an AuthnRequest message from an SP can contain the following attribute:

Destination="http://idp.domain.com:8080/affwebservices/public/saml2sso"

In this example, the Destination attribute in the AuthnRequest and the address of the Federation Web Services application are the same. SiteMinder verifies that the Destination attribute matches the local URL of the FWS application.

If SiteMinder sits behind a proxy server, the local and destination attribute URLs are not the same. The Destination attribute is the URL of the proxy server. For example, the AuthnRequest can include the following Destination attribute:

Destination="http://proxy.domain.com:9090/affwebservices/public/saml2sso"

The local URL for Federation Web Services, http://idp.domain.com:8080/affwebservices/public/saml2sso, does not match the Destination attribute, so SiteMinder denies the request.

You can specify a proxy configuration to alter how SiteMinder determines the local URL for verifying a message attribute. If you specify a proxy, SiteMinder replaces the <protocol>://<authority> portion of the local URL with the proxy server URL. The result is a match between the two URLs.
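The following is an added example of the Destination check described above, written here for illustration and not taken from SiteMinder itself. The function names, the constructed AuthnRequest, and the proxy URL http://proxy.domain.com:9090 are assumptions; the local and Destination URLs are the ones used in the text.

```python
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

# Local URL of the Federation Web Services application (value from the text).
LOCAL_FWS_URL = "http://idp.domain.com:8080/affwebservices/public/saml2sso"

# Constructed sample AuthnRequest carrying the proxy's address as Destination.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="http://proxy.domain.com:9090/affwebservices/public/saml2sso"/>"""


def destination_of(authn_request_xml):
    """Return the Destination attribute of an AuthnRequest, or None if absent."""
    return ET.fromstring(authn_request_xml).get("Destination")


def effective_local_url(local_url, proxy_url=None):
    """URL the IdP compares against. With a proxy configured, only the
    <protocol>://<authority> part of the local URL is replaced by the proxy's;
    the path is kept unchanged."""
    if proxy_url is None:
        return local_url
    local, proxy = urlsplit(local_url), urlsplit(proxy_url)
    return urlunsplit((proxy.scheme, proxy.netloc, local.path, local.query, local.fragment))


def destination_matches(destination, local_url, proxy_url=None):
    """True when the message's Destination names this IdP's FWS endpoint.
    Scheme and host:port are compared case-insensitively, the path exactly."""
    want = urlsplit(effective_local_url(local_url, proxy_url))
    got = urlsplit(destination)
    return (got.scheme.lower(), got.netloc.lower(), got.path) == (
        want.scheme.lower(), want.netloc.lower(), want.path)


if __name__ == "__main__":
    dest = destination_of(AUTHN_REQUEST)
    # Without a proxy setting the request is denied; with it, the URLs match.
    print("no proxy configured:", destination_matches(dest, LOCAL_FWS_URL))
    print("proxy configured:   ", destination_matches(dest, LOCAL_FWS_URL, "http://proxy.domain.com:9090"))
```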