PingFederate Server

Defining signature policy (SAML)

On the Signature Policy tab, you can control how digital signatures are used for SAML messages.

Before you begin

For prerequisites and initial steps for configuring Browser SSO protocols, see Configuring protocol settings.

About this task

The choices made in this tab depend on your partner agreement and your federation protocol. For more information, see Digital signing policy coordination.

SAML 2.0

Digital signing is required for SAML response messages sent from the identity provider (IdP) with the POST or redirect binding. Based on the SAML specifications, PingFederate provides three options:

  • Select Always Sign Assertion to always sign the assertion portion inside the SAML response message.

  • Select Sign Response As Required to sign the SAML response message per the SAML specifications. This is the default selection.

  • Select both to always sign the assertion portion inside the SAML response message for all bindings and to sign the SAML response message per the SAML specifications.

Authentication request messages from the service provider (SP) may also be signed to enforce security. This scenario applies only when the SP-initiated single sign-on (SSO) profile is enabled on the SAML Profiles tab. SelectRequire Authn Requests to be Signed to enforce this digital signature requirement. For more information, see Choosing SAML 2.0 profiles.

SAML 1.x

For SAML 1.0 and SAML 1.1, the assertion portion inside the SAML response message can be digitally signed.

  • Select Always Sign Assertion to always sign the assertion portion inside the SAML response message.

Steps

  1. On the Signature Policy tab, select the options based on your partner agreement and federation protocol.

  2. Click Next to save changes.

Result

If you are editing an existing connection, you can reconfigure the digital signature policy, which might require additional configuration changes in subsequent tasks.