Validate Signout Requests that are Digitally Signed

The WS-Federation Passive Requester profile requires signature processing. Enable signature processing in a production environment. SiteMinder acting as a Resource Partner always signs WS-Federation signout requests. No configuration in the Administrative UI is required. The only required step is to add the private key/certificate pair to the certificate data store for the SiteMinder Resource Partner.

Important! For debugging purposes only, you can temporarily disable all signature processing on the General dialog.

For the Account Partner to validate signout request signatures, some configuration is required.

To enable validation

  1. Add the public key to the certificate data store at the Account Partner.

    The public key must correspond to the private key/certificate pair that the Resource Partner used to do the signing.

    Note: For information about the certificate data store, see the Policy Server Configuration Guide.

  2. Navigate to the SAML Profiles page for the Resource Partner object you are configuring.
  3. Select Enable Signout in the Signout section.

    By selecting this check box, signout is enabled and the Account Partner validates the signature of the signout request.
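The key correspondence that step 1 requires can be checked before the certificate is imported. The following is an added example, not SiteMinder code or part of the original documentation; it uses the `openssl` command line to compare SHA-256 digests of the public key, and the file names, the constructed self-signed certificate and the helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Print the SHA-256 of the DER-encoded public key (SubjectPublicKeyInfo).
# $1 = "cert" (PEM certificate) or "key" (PEM private key), $2 = file path
spki_sha256() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when certificate $1 and private key $2 share a public key.
cert_matches_key() {
    c=$(spki_sha256 cert "$1") || return 2
    k=$(spki_sha256 key "$2") || return 2
    [ "$c" = "$k" ]
}

# Constructed sample material: a self-signed signing pair standing in for the
# Resource Partner, plus an unrelated key that represents a wrong key.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-resource-partner" \
        -keyout "$1/rp.key" -out "$1/rp.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

dir=$(mktemp -d)
make_samples "$dir"
if cert_matches_key "$dir/rp.crt" "$dir/rp.key"; then
    echo "rp.crt matches rp.key: $(spki_sha256 cert "$dir/rp.crt")"
fi
if ! cert_matches_key "$dir/rp.crt" "$dir/other.key"; then
    echo "rp.crt does not match other.key"
fi
rm -rf "$dir"
```

When the private key never leaves the Resource Partner, each side can run `spki_sha256` on what it holds (the key at the Resource Partner, the received certificate at the Account Partner) and compare the two digests over a separate channel.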