At the asserting party, the smkeydatabase is used for the following features:
For the SAML 1.x POST binding, SAML 2.0 POST binding, or WS-Federation Passive Requester Profile, the asserting party must sign the SAML assertion. The relying party that receives the assertion verifies that signature, which requires the asserting party's public key certificate.
If you enable encryption, the asserting party must have the public key certificate of the Service Provider to encrypt the data, and the relying party (the Service Provider) uses the matching private key to decrypt it.
For single logout, the side that initiates the logout request signs the request and the side that receives it validates the signature. In turn, the receiving side must sign the logout response and the initiator must validate that signature.
The Identity Provider can require that the Service Provider sign AuthnRequest messages. To sign these messages, the Service Provider must have a private key and certificate; the Identity Provider then validates the request with the public key that corresponds to that private key.
To accomplish signing, verification, and encryption, you must set up an smkeydatabase for each Policy Server that performs any of these operations.
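The following Go program is an added illustration of the key roles described above; it is not CA code and does not appear on the original page. Two freshly generated RSA key pairs stand in for the asserting party's (Identity Provider's) and relying party's (Service Provider's) smkeydatabase entries, the AuthnRequest and assertion are constructed samples rather than real SAML XML, and RSA-OAEP is applied to the short sample text directly where XML Encryption would transport an AES content key under the Service Provider's certificate. The function and variable names (`Sign`, `Verify`, `EncryptFor`, `Decrypt`, `RunExchange`, `idpKey`, `spKey`) are the example's own. Each step checks both that the intended side succeeds and that a tampered message or the wrong partner's key is rejected:

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sign produces a SHA-256 / RSA PKCS#1 v1.5 signature over msg. Only the
// party holding the private key (its own smkeydatabase entry) can do this.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Verify needs only the signer's public key, i.e. the certificate the
// partner exchanged out of band; it returns an error on any mismatch.
func Verify(pub *rsa.PublicKey, msg, sig []byte) error {
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

// EncryptFor encrypts msg with the recipient's public key (RSA-OAEP, SHA-256).
// XML Encryption transports a fresh AES content key this way and encrypts the
// assertion under that key; a short constructed sample fits RSA directly,
// which keeps the key roles visible. Max plaintext for 2048-bit keys: 190 bytes.
func EncryptFor(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}

// Decrypt succeeds only with the private key that matches the certificate
// used for encryption; any other key yields rsa.ErrDecryption.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// SignedHop models one signed message crossing the federation: the sender
// signs with its private key and the receiver verifies with the sender's
// public key. The signature is returned so callers can probe failure cases.
func SignedHop(sender *rsa.PrivateKey, msg []byte) ([]byte, error) {
	sig, err := Sign(sender, msg)
	if err != nil {
		return nil, err
	}
	return sig, Verify(&sender.PublicKey, msg, sig)
}

// RunExchange walks the flow described above and returns nil only if every
// step, including the expected rejections, behaves as the text requires.
func RunExchange() error {
	idpKey, err1 := rsa.GenerateKey(rand.Reader, 2048) // asserting party
	spKey, err2 := rsa.GenerateKey(rand.Reader, 2048)  // relying party
	if err1 != nil || err2 != nil {
		return errors.New("key generation failed")
	}
	// Constructed sample messages; real ones are canonicalised SAML XML.
	authnReq := []byte(`<AuthnRequest ID="_req1"/>`)
	assertion := []byte(`<Assertion ID="_a1"><Subject>alice</Subject></Assertion>`)

	// 1. SP signs the AuthnRequest; IdP validates it with the SP's public key.
	if _, err := SignedHop(spKey, authnReq); err != nil {
		return fmt.Errorf("IdP rejected AuthnRequest: %w", err)
	}
	// 2. IdP signs the assertion; SP verifies it with the IdP's public key.
	sig, err := SignedHop(idpKey, assertion)
	if err != nil {
		return fmt.Errorf("SP rejected assertion: %w", err)
	}
	// A changed Subject, or the wrong partner's public key, must be rejected.
	tampered := bytes.Replace(assertion, []byte("alice"), []byte("admin"), 1)
	if Verify(&idpKey.PublicKey, tampered, sig) == nil || Verify(&spKey.PublicKey, assertion, sig) == nil {
		return errors.New("signature accepted when it should have been rejected")
	}
	// 3. IdP encrypts with the SP's public certificate; only the SP's private
	//    key opens it, and the IdP's own private key must not.
	enc, err := EncryptFor(&spKey.PublicKey, assertion)
	if err != nil {
		return err
	}
	if plain, err := Decrypt(spKey, enc); err != nil || !bytes.Equal(plain, assertion) {
		return fmt.Errorf("SP could not recover assertion: %v", err)
	}
	if _, err := Decrypt(idpKey, enc); err == nil {
		return errors.New("IdP private key opened data encrypted for the SP")
	}
	return nil
}

func main() {
	if err := RunExchange(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("signing, verification and encryption roles behave as described")
}
```

Run it with `go run`. The point to take from it is the asymmetry in the text: every signing step needs the signer's own private key, every verification step needs only the partner's certificate, and encryption needs the recipient's certificate while decryption needs the recipient's private key, which is why each Policy Server performing any of these operations needs its own keystore holding exactly those entries.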
Copyright © 2012 CA.
All rights reserved.