SAML Service Provider Encryption and Signing Options
SAML 2.0 Encryption Settings
The Encryption section lets you configure encryption for a SAML assertion. If you enable encryption, all data in the assertion is encrypted, including all attribute statements.
To encrypt only individual attribute statements, go to the Attributes settings, select or create an attribute, and select the Encrypted check box for the individual attribute.
The encryption settings are:
- Encrypt Name ID: Specifies that the Name ID in the assertion is encrypted.
- Encryption Block Algorithm: Specifies the block algorithm for encryption. Select one of the following algorithms:
  - tripledes (the default)
  - aes-128
  - aes-256
- Encrypt Assertion: Enables encryption of the assertion.
- Encryption Key Algorithm: Specifies the key algorithm for encryption. Select one:
  - rsa-v15 (the default)
  - rsa-oaep. The rsa-oaep encryption algorithm requires a key length of at least 1024 bits.
- Encryption Public Key Certificate: These settings specify the location of the public certificate of the Service Provider. If the Encrypt Name ID or the Encrypt Assertion option is set, or any assertion attribute needs encryption, complete both fields.
SAML 2.0 Signing Settings
The Signature section lets you specify digital signature processing information for the assertion response.
The D-Sig Info settings are:
- Disable Signature Processing: Disables all signature processing (signing and verification of signatures) for this Service Provider. Signature processing is required in a production environment; select the Disable Signature Processing option only for debugging.
- Issuer DN: Specifies the distinguished name of the issuer of the certificate that is used to verify the signature of a SAML message coming from the Service Provider. This value is used together with the Serial Number to locate the certificate in the certificate data store. The Issuer DN field is active only when the HTTP-POST or the HTTP-Redirect binding option is set on the SAML Profiles page.
- Require Signed AuthnRequests: Indicates that AuthnRequest messages must be signed for the Identity Provider to accept them. If you select this check box, the Identity Provider cannot send unsolicited responses, which secures the trust relationship between the Identity Provider and the Service Provider. If you enable this feature, also complete the Issuer DN and Serial Number settings so that the signature of the AuthnRequest can be validated.
- Serial Number: Specifies the serial number (a hexadecimal string) of the certificate that is used to verify the signature of a SAML message coming from the Service Provider. This value is used together with the Issuer DN to locate the certificate in the certificate data store. The Serial Number field is active only when the HTTP-POST or the HTTP-Redirect binding option is set on the SAML Profiles page.
The Signing Options are:
- Signing Alias: Specifies the alias that is associated with a specific private key in the certificate data store. The alias indicates which private key the IdP uses to sign assertions, SAML responses, artifact responses, attribute responses, and single logout requests and responses.
  - To sign SLO messages, select the HTTP-Redirect option for single logout, then configure this field and the Signature Algorithm field.
  - To sign attribute responses, select Signing Options for the Attribute Svc settings on the Attributes page. Additionally, configure this field and the Signature Algorithm field.
  Add the private key to the certificate data store before you specify its alias in this field.
  Limits: An alphanumeric string corresponding to an alias in the certificate data store.
- Require Signed ArtifactResolve: Indicates that the Service Provider must sign the artifact resolve message before sending it to the IdP. The artifact resolve message is the request from the SP to retrieve the original SAML message. If you select this option, the Service Provider must sign the artifact resolve message or the Identity Provider rejects the request. If the IdP requires signed artifact resolve messages, make sure that the Service Provider is configured to sign the artifact resolve message and that digital signature processing is enabled to process the signed message.
- Sign ArtifactResponse: Indicates that the Identity Provider must sign the artifact response before returning it to the Service Provider. The artifact response contains the original SAML response with the assertion. If you require the IdP to sign the artifact response, make sure that the Service Provider is configured to accept a signed response and that digital signature processing is enabled to sign the artifact response.
- Signature Algorithm: Designates the hash algorithm for digital signing. Select the algorithm that best suits your application. RSAwithSHA256 is more secure than RSAwithSHA1 because of the greater number of bits in the resulting cryptographic hash value. CA Single Sign-On uses the algorithm that you select for all signing functions.
  Limits: RSAwithSHA1, RSAwithSHA256
  Default: RSAwithSHA1
- Artifact Signature Options: Indicates which parts of the message the Identity Provider signs when responding to an authentication request for HTTP-Artifact single sign-on.
  Limits:
  - Sign Assertion: Signs the assertion.
  - Sign Response: Signs the SAML response that contains the assertion.
  - Sign Both: Signs both the assertion and the SAML response.
  - Sign Neither: Signs neither the assertion nor the SAML response.
  Default: Sign Neither
- Post Signature Options: Indicates which parts of the message the Identity Provider signs when responding to an authentication request for HTTP-POST single sign-on.
  Limits:
  - Sign Assertion: Signs the assertion.
  - Sign Response: Signs the SAML response that contains the assertion.
  - Sign Both: Signs both the assertion and the SAML response.
  Default: Sign Assertion
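As an added example (this code is not part of CA Single Sign-On or of this page), the following Python audit reads a SAML Response and reports which of the encryption and signing options above are actually in effect on the wire: which elements carry a signature, which are encrypted, the algorithm URIs used, and which of the older choices offered on this page (tripledes, rsa-v15, RSAwithSHA1) appear. The element locations and algorithm URIs follow the SAML 2.0, XML Signature and XML Encryption standards; the sample response is constructed, with its cryptographic payloads omitted, and the function name is an assumption.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#", "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Algorithm URIs that correspond to the older choices offered on the settings page.
WEAK = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSAwithSHA1",
        "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "tripledes",
        "http://www.w3.org/2001/04/xmlenc#rsa-1_5": "rsa-v15"}
# Where EncryptedData appears for each encryption setting (assertion, Name ID, attribute).
ENC_PATHS = {"Assertion": "saml:EncryptedAssertion/xenc:EncryptedData",
             "NameID": "saml:Assertion/saml:Subject/saml:EncryptedID/xenc:EncryptedData",
             "Attribute": "saml:Assertion/saml:AttributeStatement/saml:EncryptedAttribute/xenc:EncryptedData"}

def audit_response(xml_text):
    """Report what is signed and encrypted in a SAML Response and flag weak algorithms."""
    root = ET.fromstring(xml_text)
    rep = {"signed": [], "encrypted": [], "algorithms": []}
    for part, path in (("Response", "ds:Signature"), ("Assertion", "saml:Assertion/ds:Signature")):
        sig = root.find(path + "/ds:SignedInfo/ds:SignatureMethod", NS)
        if sig is not None:
            rep["signed"].append(part)
            rep["algorithms"].append(sig.get("Algorithm"))
    for part, path in ENC_PATHS.items():
        for enc in root.findall(path, NS):
            rep["encrypted"].append(part)  # record block cipher, then the key-transport algorithm
            rep["algorithms"].append(enc.find("xenc:EncryptionMethod", NS).get("Algorithm"))
            key = enc.find("ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
            if key is not None:
                rep["algorithms"].append(key.get("Algorithm"))
    rep["weak"] = sorted({WEAK[a] for a in rep["algorithms"] if a in WEAK})
    return rep

# Constructed sample (not a real IdP response): Response signed with RSAwithSHA1,
# Assertion signed with RSAwithSHA256, Name ID encrypted with tripledes under an rsa-v15 key.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
   Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo></ds:Signature>
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:EncryptedID><xenc:EncryptedData>
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
   <ds:KeyInfo><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   </xenc:EncryptedKey></ds:KeyInfo></xenc:EncryptedData></saml:EncryptedID></saml:Subject>
 </saml:Assertion></samlp:Response>"""
if __name__ == "__main__":
    print(audit_response(SAMPLE))
```

Run it against a response captured from your own test SP (for example from the browser's network tools) to confirm that the Post or Artifact Signature Options and the encryption algorithms you configured are what the IdP actually emits.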