Federation Security Services Guide › Configure SiteMinder as a SAML 2.0 Identity Provider › Configure Identity Provider Discovery at the IdP › Enabling Encryption

Enabling Encryption

To implement encryption

1. Log in to the FSS Administrative UI and access the SAML Service Provider Properties dialog box for the Service Provider you want to configure.
2. From the SAML Service Provider Properties dialog box, select the Encryption tab.

   Note: Click Help for a description of fields, controls, and their respective requirements.

3. To encrypt only the Name ID, select the Encrypt Name ID checkbox.
4. To encrypt the entire assertion, select the Encrypt Assertion checkbox.

   You can select the Name ID and the assertion; both can be encrypted.

5. Choose an Encryption Block Algorithm and Encryption Key Algorithm. These algorithms are defined by the WC3 XML Syntax and Processing standards.

   After you select an encryption check box, the fields in the Encryption Public Key become active.

   Notes:

   • If you select rsa-oaep as an Encryption Key Algorithm, the minimum key size required is a 1024 bits.
   • To use the aes-256 bit encryption block algorithm, install Sun's Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. You can download these files from http://java.sun.com/javase/downloads/index.jsp
6. Fill-in the IssuerDN and the Serial Number fields.

   The IssuerDN is the DN of the certificate issuer and its associated serial number. This information locates the certificate of the Service Provider in the key store. The data should be supplied by the Service Provider.

   Additionally, the IssuerDN and Serial Number that you enter here and on the General tab must match an IssuerDN and serial number of a key stored in the Identity Provider’s key store database. The key store is created using the SiteMinder keytool utility.

7. Click OK to save your changes.

Request Processing with a Proxy Server at the IdP

Before SiteMinder processes a request as an Identity Provider, it validates the message attributes using the local URL for the Federation Web Services application.

For example, an AuthnRequest message from an SP can contain the following attribute:

Destination="http://idp.domain.com:8080/affwebservices/public/saml2sso"

In this example, the destination attribute in the AuthnRequest and the address of the Federation Web Services application are the same. SiteMinder verifies that the destination attribute matches the local URL of the FWS application.

If SiteMinder sits behind a proxy server, the local and destination attribute URLs are not the same. The Destination attribute is the URL of the proxy server. For example, the AuthnRequest can include the following Destination attribute:

Destination="http://proxy.domain.com:9090/affwebservices/public/saml2sso"

The local URL for Federation Web Services, http://idp.domain.com:8080/affwebservices/public/saml2sso, does not match the Destination attribute so SiteMinder denies the request.

You can specify a proxy configuration to alter how SiteMinder determines the local URL for verifying a message attribute. If you specify a proxy, SiteMinder replaces the <protocol>://<authority> portion of the local URL with the proxy server URL. The result is a match between the two URLs.