Configuring signature policy
The Signature Policy tab provides options controlling how digital signatures are used for SAML and WS-Federation single sign-on (SSO) messages.
About this task
The choices made on this tab depend on your partner agreement. For more information, see Digital signing policy coordination.
Digital signing is required for SAML response messages sent from the identity provider (IdP) through POST or redirect for SAML 2.0. The SAML specifications allow signing either the entire SAML response message or only the assertion portion inside it. If you and your partner agree to sign only the assertion, select the Specify additional signature requirements and Require signed SAML Assertions options on this tab. With these options selected, only the assertion portion of the SAML response message is signed, not the entire SAML response message. This is the only option that appears for SAML 1.x and WS-Federation connections.
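To make the difference between the two signing choices concrete, here is an added example, written for this page and not part of PingFederate or its documentation, that inspects a SAML 2.0 Response and reports whether the signature sits on the Response element or on each Assertion, then evaluates the result against the "require signed assertions" choice. It only checks where an enveloped ds:Signature appears and whether its Reference URI points at the element it is nested in (a signature referencing some other ID does not cover that element); cryptographic verification is a separate step it does not perform. The SAML messages, IDs and signature values are constructed for the example.

```python
# Added example: locate XML signatures in a SAML 2.0 Response and evaluate the
# "sign the whole Response" vs. "sign only the Assertion" policy choice.
# Presence and reference checks only; no cryptographic verification is done.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _signed_by_child(elem):
    """True if elem carries an enveloped ds:Signature whose single Reference
    points at elem's own ID attribute. A Signature that references a different
    ID is nested here but does not cover this element's content, so it does
    not count as signing it."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    elem_id = elem.get("ID")
    return ref is not None and elem_id is not None and ref.get("URI") == "#" + elem_id


def signature_locations(response_xml):
    """Report which parts of a samlp:Response carry a covering signature."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element")
    return {
        "response_signed": _signed_by_child(root),
        "assertions_signed": [_signed_by_child(a) for a in root.findall("saml:Assertion", NS)],
    }


def meets_policy(response_xml, require_signed_assertions):
    """Apply the policy choice described on the page:
    - require_signed_assertions=True : every Assertion must be signed
    - require_signed_assertions=False: the Response element itself must be signed
    """
    loc = signature_locations(response_xml)
    if require_signed_assertions:
        return bool(loc["assertions_signed"]) and all(loc["assertions_signed"])
    return loc["response_signed"]


# Constructed sample messages (IDs, NameID and SignatureValue are placeholders).
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">')


def _sig(uri):
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>' % uri)


# Only the Assertion is signed (the "Require signed SAML Assertions" shape).
ASSERTION_SIGNED = (_HEAD + '<saml:Assertion ID="_a1" Version="2.0">' + _sig("#_a1") +
                    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
                    '</saml:Assertion></samlp:Response>')

# Only the Response element is signed (the default shape).
RESPONSE_SIGNED = (_HEAD + _sig("#_r1") + '<saml:Assertion ID="_a1" Version="2.0">'
                   '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
                   '</saml:Assertion></samlp:Response>')

# A Signature is nested in the Assertion but references a different ID, so it
# does not cover the Assertion; the checker must not treat it as signed.
MISMATCHED_REFERENCE = (_HEAD + '<saml:Assertion ID="_a1" Version="2.0">' + _sig("#_other") +
                        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
                        '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    for name, msg in [("assertion-signed", ASSERTION_SIGNED),
                      ("response-signed", RESPONSE_SIGNED),
                      ("mismatched-reference", MISMATCHED_REFERENCE)]:
        print(name, signature_locations(msg),
              "assertion-policy:", meets_policy(msg, True),
              "response-policy:", meets_policy(msg, False))
```

In a real SP the decision of which element must be signed is made before any signature is verified, because an attacker-controlled message can place a Signature anywhere; tying the Reference URI to the enclosing element's ID, as above, is the first of those structural checks, and full XML Signature validation against the partner's certificate follows it.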
SAML 2.0 authentication requests from the service provider (SP) can also be signed to protect their integrity and origin. This option appears only for SAML 2.0 connections and only when the SP-initiated SSO profile is enabled on the SAML Profiles tab.
Select Always Sign Artifact Response if you want the SAML ArtifactResponse to be signed regardless of the protocol being used to transport it.