SAML 2.0 Authentication Scheme Encryption and Signing
The Encryption and Signing dialog is where you configure the Service Provider encryption requirements when it receives an assertion. This page also lets you specify the signing configuration for authentication requests and single logout requests and responses. Finally, you specify the protection for the backchannel for HTTP Artifact single sign-on and attribute query processing.
SAML 2.0 Auth Scheme--Encryption
- Encryption: Indicates the requirements the Service Provider has for accepting an assertion. The fields are:
  - Require Encrypted Name ID: Indicates that the Name ID in the assertion must be encrypted. If the Name ID is not encrypted, the assertion is rejected.
  - Require Encrypted Assertion: Indicates that the entire assertion must be encrypted. If the assertion is not encrypted, it is rejected.
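The acceptance rule that these two settings express, as an added example (not CA Single Sign-On code): a Service Provider inspects an incoming SAML 2.0 Response and rejects it when the configured encryption requirement is not met. The sample responses are constructed, with signatures and ciphertext omitted, and the example assumes the Name ID rule is evaluated after an encrypted assertion has been decrypted, which it does not perform.

```python
# Added example, not CA Single Sign-On code: the check behind the
# "Require Encrypted Assertion" and "Require Encrypted Name ID" settings.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample responses (signatures and ciphertext omitted).
PLAIN_NAMEID = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""
ENCRYPTED_NAMEID = PLAIN_NAMEID.replace(
    "<saml:NameID>alice</saml:NameID>",
    '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedID>')
ENCRYPTED_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>"""

def check_encryption(response_xml, require_encrypted_assertion, require_encrypted_nameid):
    """Return (accepted, reason) for a Response against the SP's two Encryption settings:
    a plaintext assertion is rejected when the assertion must be encrypted, and a
    plaintext NameID is rejected when the Name ID must be encrypted."""
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # Assumption: the Name ID rule is applied after decryption with the key
        # under the Decryption Private Key alias; decryption is out of scope here.
        return True, "assertion encrypted; decrypt before evaluating the Name ID"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "response carries no assertion"
    if require_encrypted_assertion:
        return False, "assertion is not encrypted"
    subject = assertion.find("saml:Subject", NS)
    nameid_encrypted = subject is not None and subject.find("saml:EncryptedID", NS) is not None
    if require_encrypted_nameid and not nameid_encrypted:
        return False, "Name ID is not encrypted"
    return True, "accepted"
```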
SAML 2.0 Auth Scheme--Decryption Private Key
- Decryption Private Key: Specifies the private key that decrypts assertion data.
- Alias: Specifies the alias for the private key that the Service Provider uses to decrypt encrypted assertion data. The private key must be in the certificate data store.
SAML 2.0 Auth Scheme--Digital Signature Information
Contains fields and controls that allow you to specify digital signature information. Digital signature information is required for the following features:
- HTTP-POST profile for single sign-on
- Single logout requests/responses
- Signed authentication requests
- Attribute queries
The fields in the section are:
- Disable Signature Processing: Disables all signature processing, that is, signing and verification of signatures, for this Service Provider. Signature processing is required in a production environment. Select the Disable Signature Processing option only for debugging purposes.
- Signing Options: Displays a dialog with the settings for digital signature configuration, specifically the Signing Alias and the Signature Algorithm.
- Issuer DN: Specifies the distinguished name of the issuer of the certificate that is used for signature verification of messages coming from the Identity Provider. This value is used with the Serial Number to locate the certificate in the certificate data store. This field is enabled only if HTTP Post for single sign-on or HTTP Redirect for single logout is configured. If signature processing is disabled, this field is inactive.
- Serial Number: Specifies the serial number (a hexadecimal string) of the certificate that is used for signature verification of messages coming from the Identity Provider. This value is used with the Issuer DN to locate the certificate in the certificate data store. Note: This field is enabled only if HTTP Post for single sign-on or HTTP Redirect for single logout is configured. If signature processing is disabled, this field is inactive.
SAML 2.0 Auth Scheme--Signature Processing
The Signature Processing section specifies the signing alias and hash algorithm for digital signing. The section contains the following settings:
- Signing Alias: Specifies the alias that is associated with a specific private key in the certificate data store. The alias indicates the private key the Service Provider uses to sign AuthnRequest messages, single logout requests and responses, and attribute queries that it sends to the IdP. Before you complete the Signing Alias field, complete one or more of the following tasks:
  - To sign AuthnRequests, select the Sign AuthnRequests check box on the SSO tab, then complete the Signing Alias and Signature Algorithm fields.
  - To sign SLO messages, select the HTTP-Redirect check box on the SLO tab, then complete the Signing Alias and Signature Algorithm fields.
  - To sign attribute queries, select Sign Attribute Query on the Attributes tab, then complete the Signing Alias and Signature Algorithm fields.
  Add the private key to the key database before you specify its associated alias in this field.
  Value: An alphanumeric character string that identifies an existing alias in the SMKeyDatabase.
- Signature Algorithm: Specifies the hash algorithm for digital signing. Select the algorithm that best suits your application. RSAwithSHA256 is more secure than RSAwithSHA1 due to the greater number of bits used in the cryptographic hash value. CA Single Sign-On uses the algorithm that you select for all signing functions.
  Options: RSAwithSHA1, RSAwithSHA256
  Default: RSAwithSHA1
SAML 2.0 Auth Scheme--Backchannel
The Backchannel section defines the configuration of the secure back channel. The back channel has two functions:
- Single Sign-on between a Service Provider and Identity Provider.
- Attribute Queries and Responses between a SAML Requester and an Attribute Authority.
The following required fields serve the same function for both purposes, as follows:
- Authentication: Specifies the authentication method that is used across the back channel. The authentication scheme determines the type of credentials the Service Provider must present to the Identity Provider to retrieve the assertion. Options are:
  - Client Cert: Indicates that the Artifact Resolution Service or Attribute Service is part of a realm. An X.509 client certificate authentication scheme protects this realm. If you select this option, configure access to the Artifact Resolution Service using a client certificate. In the SP Name field, enter the value of the SP ID from the General settings. The SP Name and password are the credentials the Service Provider must present to retrieve the assertion. These credentials are used to look up the certificate in the key store. The administrator at the Identity Provider must protect the Artifact Resolution Service with a client certificate authentication scheme. You can use non-FIPS 140 encrypted certificates to secure the back channel even if the Policy Server is operating in FIPS-only mode. However, for FIPS-only installations use certificates only encrypted with FIPS 140-compatible algorithms.
  - Basic (Default): Indicates that the Single Sign-on or Attribute Service is part of a realm. A Basic or Basic over SSL authentication scheme protects this realm. If you select this option, no additional configuration is required, other than completing the remaining required fields. In the SP Name field, enter the value of the SP ID from the General settings. The SP Name and password are the credentials the Service Provider must present to retrieve the assertion. To use Basic over SSL, the Certificate Authority certificate that was used to enable the SSL connection must be in the certificate data store. If it is not, import the certificate into the certificate data store.
  - NoAuth: Indicates that the Single Sign-on or Attribute Service is not protected. If you select this option, no authentication is required.
- Password: Specifies the password the Identity Provider or Attribute Authority uses to access the Service Provider or SAML Requester through the back channel. Enter a valid string from 3 to 255 characters.
- SP Name: Identifies the Service Provider object. This name must match a Service Provider or SAML Requester name that is specified at the Identity Provider or Attribute Authority. If you are using basic authentication as the authentication scheme for the back channel, the value of this field is the name of the Service Provider. If you are using client certificate authentication, the SP Name must be the alias of the client certificate in the certificate data store.
- Confirm Password: Confirms the entry in the Password field.