Signature and Encryption Dialog (SAML 2.0 IdP)
This Signature and Encryption step lets you configure options for signing and encrypting SAML assertions.
Signature (SAML 2.0 IdP)
The Signature section lets you configure options for signing assertions, assertion responses, single logout requests, and single logout responses. This section displays the following settings:
- Disable Signature Processing: If set, all signature processing (both signing and verification of signatures) is disabled for the partnership. Keep signature processing enabled in a production environment; use Disable Signature Processing only for debugging.
- Signing Private Key Alias: Specifies the alias that is associated with a private key in the certificate data store used to sign assertions and SLO responses. Select an alias from the pull-down list. If there is no key in the certificate data store, click Import to import a key. Alternatively, click Generate to generate a key/certificate request that you can send to a Certificate Authority.
- Signing Algorithm: Designates the hash algorithm for the digital signing of assertions, responses, and SLO SOAP messages. Select the algorithm that best suits your application. RSAwithSHA256 is more secure than RSAwithSHA1 due to the greater number of bits in the resulting cryptographic hash value. The algorithm that you select is used for all signing functions.
- Verification Certificate Alias: Identifies the alias that is associated with the certificate (public key) used to verify signed authentication requests and SLO responses. Select an alias from the pull-down list. If no certificate is in the certificate data store, click Import to import a certificate. Alternatively, click Generate to generate a certificate request that you can send to a Certificate Authority.
- Secondary Verification Certificate Alias: (Optional) Specifies a second certificate alias for a certificate in the certificate data store. If verification of a signed authentication request fails using the verification certificate alias, the IdP retries with this secondary verification alias. Specifying a secondary alias is useful when an SP rolls over its signing certificate. A rollover can occur for any reason, such as when a certificate expires, a private key is compromised, or the private key size changes. If the certificate is not already in the certificate data store, click Import to import one. When secondary certificates are configured or updated for an active partnership, the run time automatically picks up the changes. You do not need to flush the cache from the UI for the changes to take effect.
- Artifact Signature Options: Indicates whether the assertion, the response, or both are signed for artifact single sign-on.
- POST Signature Options: Indicates whether the assertion, the response, or both are signed for POST single sign-on.
- SLO SOAP Signature Options: Indicates whether the SOAP request, the response, or both are signed for SLO using the SOAP binding.
- Require Signed Authentication Requests: Requires that authentication request messages sent by the relying party be signed; otherwise the asserting party rejects the request.
- Require Signed ArtifactResolve: Indicates that the Service Provider must sign the artifact resolve message before sending it to the Identity Provider. The artifact resolve message is the request from the SP to retrieve the original SAML message. If you select this option, the Service Provider must sign the artifact resolve message or the Identity Provider rejects the request. If the Identity Provider requires signed artifact resolve messages, the Service Provider must be enabled to sign the artifact resolve message, and digital signature processing must be enabled to process the signed artifact resolve message.
- Sign ArtifactResponse: Indicates that the Identity Provider must sign the artifact response before returning it to the Service Provider. The artifact response contains the original SAML response with the assertion. If you require the Identity Provider to sign the artifact response, the Service Provider must be configured to accept a signed response, and digital signature processing must be enabled to sign the artifact response.
Encryption (SAML 2.0 SP)
The Encryption section lets you designate the encryption for a SAML assertion. This section displays the following settings:
- Encryption Options: Lets you select whether to encrypt the Name ID, the entire assertion, or both. Note: If you select Encrypt Assertion, we recommend that you set POST Signature and/or Artifact Signature to Sign Response or Sign Both.
- SLO over SOAP Options: Indicates whether to encrypt the Name ID in the SOAP message, or to require that any received SOAP messages contain an encrypted Name ID.
- Encryption Certificate Alias: Identifies an alias for the certificate that is used to encrypt assertion data. The corresponding private key at the relying party decrypts the data. Select an alias from the pull-down menu. If there is no certificate in the certificate data store, click Import to import a certificate. Alternatively, click Generate to generate a certificate request that can be sent to a Certificate Authority.
- Block Algorithm: Identifies the block cipher used to encrypt data. A block algorithm encrypts fixed-size blocks of input.
- Key Algorithm: Specifies the key algorithm for encryption. Note: The minimum key size that is required to use the rsa-oaep encryption algorithm is 1024-bit. Important! 1024-bit certificates are not supported with the SHA-384 and SHA-512 key algorithms.
- Decryption Private Key Alias: Specifies the key for decrypting any encrypted data in the AuthnRequest message from the relying party. If there is no key in the certificate data store, click Import to import one. Alternatively, click Generate to generate a request that can be sent to a Certificate Authority.
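The following Python check is an added example, not part of this documentation or the product. It inspects where ds:Signature elements sit in a SAML 2.0 Response (presence only, no cryptographic verification) and compares that against the POST Signature Option chosen above, flagging the combination the Encryption Options note warns about: an encrypted assertion inside an unsigned Response. The option strings and the sample XML are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 and XML Signature namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_placement(response_xml: str) -> dict:
    """Report whether the Response, the Assertion, or neither carries a
    ds:Signature, and whether the Assertion is encrypted (presence only)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }


def policy_findings(response_xml: str, post_signature_option: str) -> list:
    """Compare a Response against the IdP's POST Signature Option
    (constructed values: 'Sign Assertion', 'Sign Response', 'Sign Both')."""
    p = signature_placement(response_xml)
    wants_response = post_signature_option in ("Sign Response", "Sign Both")
    wants_assertion = post_signature_option in ("Sign Assertion", "Sign Both")
    findings = []
    if wants_response and not p["response_signed"]:
        findings.append("Response element is not signed")
    # An encrypted assertion hides its own signature, so only flag a
    # missing assertion signature when the assertion is in the clear.
    if wants_assertion and not p["assertion_signed"] and not p["assertion_encrypted"]:
        findings.append("Assertion element is not signed")
    if p["assertion_encrypted"] and not p["response_signed"]:
        findings.append("Assertion is encrypted but the Response is unsigned: "
                        "the SP cannot authenticate the message before decrypting it")
    return findings


# Constructed sample messages (structure only; no real keys or ciphertext).
SAMPLE_ENCRYPTED_UNSIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>"""
SAMPLE_SIGNED_BOTH = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <ds:Signature/><saml:Assertion ID="_a2" Version="2.0"><ds:Signature/></saml:Assertion>
</samlp:Response>"""
```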