SAML Service Provider Encryption and Signing Options

The Encryption & Signing page includes settings for digital signature and encryption configuration.
SAML 2.0 Encryption Settings
The Encryption section lets you configure encryption for a SAML assertion. If you enable encryption, all data in the assertion is encrypted, including all attribute statements.
To encrypt only individual attribute statements, go to the Attributes settings, select or create an attribute, and select the Encrypted check box for the individual attribute.
The encryption settings are:
  • Encrypt Name ID
    Specifies that the Name ID in the assertion is encrypted.
  • Encryption Block Algorithm
    Specifies the block algorithm for encryption. Select one of the following algorithms:
    • tripledes (the default)
    • aes-128
    • aes-256
  • Encrypt Assertion
    Enables encryption of the assertion.
  • Encryption Key Algorithm
    Specifies the key algorithm for encryption. Select one:
    • rsa-v15 (the default)
    • rsa-oaep
      The rsa-oaep encryption algorithm requires a minimum of 1024 bits.
  • Encryption Public Key Certificate
    These settings specify the location of the public certificate of the Service Provider.
    If the Encrypt Name ID or the Encrypt Assertion option is set, or any assertion attribute requires encryption, complete both fields.
SAML 2.0 Signing Settings
The Signature section lets you specify digital signature processing information for the assertion response.
The D-Sig Info settings are:
  • Disable Signature Processing
    Disables all signature processing (signing and verification of signatures) for this Service Provider.
    Signature processing is required in a production environment; select the Disable Signature Processing option only for debugging.
  • Issuer DN
    Specifies the distinguished name of the issuer of the certificate that is used to verify the signature of a SAML message coming from a Service Provider. This value is used with the serial number to locate the certificate in the certificate data store.
    The Issuer DN field is only active when the HTTP Post or the HTTP redirect binding option is set on the SAML Profiles page.
  • Require Signed AuthnRequests
    Indicates that AuthnRequest messages must be signed for the Identity Provider to accept them. If you select this check box, the Identity Provider cannot send unsolicited responses, which secures the trust between the Identity Provider and the Service Provider.
    If you enable this feature, complete the Issuer DN and Serial Number settings to validate the signature of the AuthnRequest.
  • Serial Number
    Specifies the serial number (a hexadecimal string) of the certificate that is used to verify the signature of a SAML message coming from a Service Provider. This value is used with the Issuer DN to locate the certificate in the certificate data store.
    The Serial Number field is only active when the HTTP Post or the HTTP redirect binding option is set on the SAML Profiles page.
The Signing Options are:
  • Signing Alias
    Specifies the alias that is associated with a specific private key in the certificate data store. The alias indicates which private key the IdP uses to sign assertions, SAML responses, artifact responses, attribute responses, single logout requests, and responses.
    • To sign SLO messages, select the HTTP-Redirect option for single logout, then configure this field and the Signature Algorithm field.
    • To sign attribute responses, select Signing Options for the Attribute Svc settings on the Attributes page, then configure this field and the Signature Algorithm field.
    Add the private key to the certificate data store before you specify its alias in this field.
    Limits:
    An alphanumeric string corresponding to an alias in the certificate data store.
  • Require Signed ArtifactResolve
    Indicates that the Service Provider must sign the artifact resolve message before sending the message to the IdP. The artifact resolve message is the request from the SP to retrieve the original SAML message. If you select this option, the Service Provider must sign the artifact resolve message or the Identity Provider rejects the request.
    If the IdP requires signed artifact resolve messages, ensure that the Service Provider is configured to sign the artifact resolve message and that digital signature processing is enabled to process the signed message.
  • Sign ArtifactResponse
    Indicates that the Identity Provider must sign the artifact response before returning it to the Service Provider. The artifact response contains the original SAML response with the assertion.
    If you require the IdP to sign the artifact response, ensure that the Service Provider is configured to accept a signed response and that digital signature processing is enabled to sign the artifact response.
  • Signature Algorithm
    Designates the hash algorithm for digital signing. Select the algorithm that best suits your application. RSAwithSHA256 is more secure than RSAwithSHA1 because of the greater number of bits in the resulting cryptographic hash value.
    CA Single Sign-On uses the algorithm that you select for all signing functions.
    Limits:
    RSAwithSHA1, RSAwithSHA256
    Default:
    RSAwithSHA1
  • Artifact Signature Options
    Indicates the artifact signature option for the Identity Provider when responding to an authentication request for HTTP-Artifact single sign-on.
    Limits:
    • Sign Assertion
      Signs the assertion.
    • Sign Response
      Signs the SAML response that contains the assertion.
    • Sign Both
      Signs the assertion and the SAML response.
    • Sign Neither
      Signs neither the assertion nor the SAML response.
    Default:
    Sign Neither
  • Post Signature Options
    Indicates what the Identity Provider signs when responding to an authentication request for HTTP-POST single sign-on.
    Limits:
    • Sign Assertion
      Signs the assertion.
    • Sign Response
      Signs the SAML response that contains the assertion.
    • Sign Both
      Signs the assertion and the SAML response.
    Default:
    Sign Assertion
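To check which of the signing and encryption options above an IdP actually applied to a Response it sent, here is an added audit script (example code, not part of CA Single Sign-On or this page). It parses a SAML 2.0 Response, reports whether the Response and a cleartext Assertion carry signatures and which signature algorithm they use, and reports the block and key transport algorithms of an EncryptedAssertion, mapped to the option names used on this page. It inspects structure only and does not verify any signature; the sample Response, the finding labels and the mapping of standard XML-DSig/XML-Enc URIs to option names are assumptions of the example.

```python
"""Audit which signing and encryption options an IdP applied to a SAML 2.0 Response (structure only)."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#", "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Standard XML-DSig / XML-Enc algorithm URIs mapped to the option names used on this page (assumed mapping).
SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSAwithSHA1",
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSAwithSHA256"}
BLOCK_ALGS = {"http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "tripledes",
              "http://www.w3.org/2001/04/xmlenc#aes128-cbc": "aes-128",
              "http://www.w3.org/2001/04/xmlenc#aes256-cbc": "aes-256"}
KEY_ALGS = {"http://www.w3.org/2001/04/xmlenc#rsa-1_5": "rsa-v15",
            "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p": "rsa-oaep"}

def _alg(node, path, table):
    """Map the Algorithm attribute of the element at path (relative to node) to an option name."""
    m = node.find(path, NS) if node is not None else None
    return None if m is None else table.get(m.get("Algorithm"), m.get("Algorithm"))

def audit_response(xml_text):
    """Report what was signed and how the assertion was encrypted; this does not verify any signature."""
    resp = ET.fromstring(xml_text)
    enc = resp.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    r = {"response_sig": _alg(resp, "ds:Signature/ds:SignedInfo/ds:SignatureMethod", SIG_ALGS),
         "assertion_sig": _alg(resp.find("saml:Assertion", NS),
                               "ds:Signature/ds:SignedInfo/ds:SignatureMethod", SIG_ALGS),
         "encrypted": enc is not None,
         "block_alg": _alg(enc, "xenc:EncryptionMethod", BLOCK_ALGS),
         "key_alg": _alg(enc, "ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", KEY_ALGS)}
    # Choices a reviewer would flag: the page's defaults are RSAwithSHA1, tripledes and rsa-v15.
    r["findings"] = [msg for msg, hit in (
        ("no signature on Response or cleartext Assertion", r["response_sig"] is None
         and r["assertion_sig"] is None and not r["encrypted"]),
        ("signature uses SHA1", "RSAwithSHA1" in (r["response_sig"], r["assertion_sig"])),
        ("block cipher is tripledes", r["block_alg"] == "tripledes"),
        ("key transport is rsa-v15", r["key_alg"] == "rsa-v15")) if hit]
    return r

# Constructed sample: Sign Response with RSAwithSHA256 plus an encrypted assertion using the page's
# default tripledes / rsa-v15 choices. Signature and cipher values are placeholders, not real data.
SAMPLE = """<samlp:Response ID="_r1" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
 </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <saml:EncryptedAssertion><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
  </xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue>
  </xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>"""
```

Run `audit_response(SAMPLE)` to see the report; for the sample it flags the tripledes block cipher and rsa-v15 key transport, while a signature inside an encrypted assertion is necessarily invisible to this check.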