Enabling Encryption

To implement encryption

  1. Log in to the Policy Server User Interface and access the SAML Service Provider Properties dialog box for the Service Provider you want to configure.
  2. From the SAML Service Provider Properties dialog box, select the Encryption tab.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  3. To encrypt only the Name ID, select the Encrypt Name ID checkbox.
  4. To encrypt the entire assertion, select the Encrypt Assertion checkbox.

    You can select both check boxes; the Name ID and the assertion are then both encrypted.

  5. Choose an Encryption Block Algorithm and an Encryption Key Algorithm. The block algorithm is the symmetric cipher that encrypts the Name ID or assertion data; the key algorithm encrypts that symmetric key with the Service Provider's public key. The algorithm identifiers are those defined by the W3C XML Encryption Syntax and Processing recommendation.

    After you select either encryption check box, the fields in the Encryption Public Key section become active.

  6. Fill in the IssuerDN and the Serial Number fields.

    The IssuerDN is the distinguished name of the CA that issued the Service Provider's encryption certificate, and the Serial Number is that certificate's serial number. Together they identify the Service Provider's certificate in the key store, and the Identity Provider uses the public key in that certificate to encrypt the Name ID or assertion. Obtain both values from the Service Provider; they can be read directly from the certificate.

    The IssuerDN and Serial Number that you enter here, and on the General tab, must match the IssuerDN and serial number of a certificate stored in the Identity Provider's key store database, so the Service Provider's certificate must already have been imported there. The key store is created using the SiteMinder keytool utility.

  7. Click OK to save your changes.
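Once the settings above are saved, the way to confirm they took effect is to capture the SAML Response the Identity Provider sends to the Service Provider and look at what was actually encrypted. The following script is an added example, not SiteMinder code: it parses a Response with the Python standard library, reports whether the whole assertion (Encrypt Assertion) or only the Name ID (Encrypt Name ID) is encrypted, reads the block and key algorithm identifiers from the XML Encryption elements, and checks that the certificate named by the EncryptedKey matches the IssuerDN and Serial Number entered on the Encryption tab. The sample Responses, the "Example SP CA" issuer name and the serial number 4660 are constructed for this example, and the CipherValue contents are placeholders rather than real ciphertext.

```python
"""Report what an Identity Provider actually encrypted in a SAML 2.0 Response.

Added example, not SiteMinder code.  Feed inspect_response() the Response the
IdP sends after the Encryption tab is configured.  The Responses below are
constructed for this example; CipherValue contents are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def normalize_dn(dn):
    """Canonicalize an RFC 4514 DN so 'CN=x, O=y' compares equal to 'cn=x,o=y'."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip())
    return ",".join(rdns)


def describe_encrypted_data(enc_data):
    """Extract the algorithms and the named certificate from one xenc:EncryptedData.

    Per XML Encryption, EncryptionMethod on EncryptedData is the block (data)
    algorithm; EncryptionMethod on the EncryptedKey under KeyInfo is the key
    algorithm that wrapped the symmetric key for the SP's public key.
    """
    block_alg = enc_data.find("xenc:EncryptionMethod", NS).get("Algorithm")
    enc_key = enc_data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    key_alg = issuer = serial = None
    if enc_key is not None:
        key_alg = enc_key.find("xenc:EncryptionMethod", NS).get("Algorithm")
        ids = enc_key.find("ds:KeyInfo/ds:X509Data/ds:X509IssuerSerial", NS)
        if ids is not None:
            issuer = ids.findtext("ds:X509IssuerName", namespaces=NS)
            # xmldsig carries X509SerialNumber as a decimal integer.
            serial = int(ids.findtext("ds:X509SerialNumber", namespaces=NS))
    return {"block_algorithm": block_alg, "key_algorithm": key_alg,
            "issuer_dn": issuer, "serial": serial}


def inspect_response(xml_text):
    """Return {'encrypted': 'assertion' | 'nameid' | 'none', ...details}."""
    root = ET.fromstring(xml_text)
    enc_assertion = root.find("saml:EncryptedAssertion", NS)
    if enc_assertion is not None:
        # With Encrypt Assertion selected the NameID sits inside the ciphertext,
        # so whether it is *also* encrypted is only visible after decryption.
        return {"encrypted": "assertion",
                **describe_encrypted_data(enc_assertion.find("xenc:EncryptedData", NS))}
    enc_id = root.find("saml:Assertion/saml:Subject/saml:EncryptedID", NS)
    if enc_id is not None:
        return {"encrypted": "nameid",
                **describe_encrypted_data(enc_id.find("xenc:EncryptedData", NS))}
    return {"encrypted": "none"}


def names_keystore_entry(report, issuer_dn, serial):
    """True if the EncryptedKey names the certificate identified by the
    IssuerDN and Serial Number entered on the Encryption tab."""
    if report.get("issuer_dn") is None or report.get("serial") is None:
        return False
    return (normalize_dn(report["issuer_dn"]) == normalize_dn(issuer_dn)
            and report["serial"] == int(serial))


# --- constructed sample Responses (placeholder ciphertext) ---------------------
_HEAD = ('<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
         'xmlns:xenc="{xenc}" xmlns:ds="{ds}">').format(**NS)

# AES-128-CBC for the data; the AES key wrapped with RSA-OAEP under the SP cert.
_ENC_DATA = """<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <ds:KeyInfo><ds:X509Data><ds:X509IssuerSerial>
      <ds:X509IssuerName>CN=Example SP CA, O=Example Corp, C=US</ds:X509IssuerName>
      <ds:X509SerialNumber>4660</ds:X509SerialNumber>
    </ds:X509IssuerSerial></ds:X509Data></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>WRAPPED-KEY-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>CIPHERTEXT-PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

# Encrypt Assertion selected: the whole assertion is replaced by EncryptedAssertion.
ENCRYPTED_ASSERTION = (_HEAD + "<saml:EncryptedAssertion>" + _ENC_DATA
                       + "</saml:EncryptedAssertion></samlp:Response>")
# Only Encrypt Name ID selected: assertion in the clear, Subject carries EncryptedID.
ENCRYPTED_NAMEID = (_HEAD + "<saml:Assertion><saml:Subject><saml:EncryptedID>" + _ENC_DATA
                    + "</saml:EncryptedID></saml:Subject></saml:Assertion></samlp:Response>")
# Neither selected: the NameID is readable by anyone who sees the Response.
PLAINTEXT = (_HEAD + "<saml:Assertion><saml:Subject><saml:NameID>alice@example.com"
             "</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>")
```

Run `inspect_response()` over a captured Response and compare the result with the check boxes you selected; if `names_keystore_entry()` is false for the IssuerDN and Serial Number you entered, the Identity Provider is encrypting for a different certificate than the one the Service Provider holds the private key for, and the Service Provider will not be able to decrypt. Encryption only protects confidentiality of the Name ID or assertion in transit through the browser; it does not replace signing, which the Service Provider still relies on for integrity.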

More Information:

SAML Service Provider Dialog--Encryption Tab

Manage the Key Database for Signing and Encryption