Defining signature policy (SAML)
On the Signature Policy tab, you can control how digital signatures are used for SAML messages.
Before you begin
For prerequisites and initial steps for configuring Browser SSO protocols, see Configuring protocol settings.
About this task
The choices made in this tab depend on your partner agreement and your federation protocol. For more information, see Digital signing policy coordination.
- SAML 2.0
  - Digital signing is required for SAML response messages sent from the identity provider (IdP) with the POST or redirect binding. Based on the SAML specifications, PingFederate provides three options:
    - Select Always Sign Assertion to always sign the assertion portion inside the SAML response message.
    - Select Sign Response As Required to sign the SAML response message per the SAML specifications. This is the default selection.
    - Select both to always sign the assertion portion inside the SAML response message for all bindings and to sign the SAML response message per the SAML specifications.
  - Authentication request messages from the service provider (SP) may also be signed to enforce security. This scenario applies only when the SP-initiated single sign-on (SSO) profile is enabled on the SAML Profiles tab. Select Require Authn Requests to be Signed to enforce this digital signature requirement. For more information, see Choosing SAML 2.0 profiles.
- SAML 1.x
  - For SAML 1.0 and SAML 1.1, the assertion portion inside the SAML response message can be digitally signed.
    - Select Always Sign Assertion to always sign the assertion portion inside the SAML response message.
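The three SAML 2.0 choices above differ only in where the enveloped ds:Signature ends up: as a child of the samlp:Response, as a child of each saml:Assertion, or both. The following Python script is an added example (not PingFederate code) that inspects a response message for signature placement and reports where it falls short of the selected policy. It checks presence only, not signature validity, so it is a diagnostic for a partner agreement review rather than a substitute for XML-DSig verification. It assumes a simplified reading of the page's rule (a response delivered over the POST or Redirect binding must carry a message-level signature; the Artifact binding is not checked), does not unwrap saml:EncryptedAssertion, and the sample messages it builds are constructed with placeholder signature values.

```python
"""Report where a SAML 2.0 Response carries XML digital signatures and
compare that against the Signature Policy choices (Always Sign Assertion,
Sign Response As Required, or both).  Added example, not PingFederate code."""

import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"


def signature_placement(response_xml: str) -> dict:
    """Report which parts of a samlp:Response carry an enveloped ds:Signature.

    An enveloped XML signature is a direct child of the element it covers,
    so only direct children are inspected.  Presence is all that is checked;
    validating the signature belongs to an XML-DSig library.  Assumption:
    assertions arrive in the clear (saml:EncryptedAssertion is not unwrapped).
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS_SAMLP}}}Response":
        raise ValueError("document root is not a samlp:Response")
    response_signed = root.find(f"{{{NS_DS}}}Signature") is not None
    assertions = root.findall(f"{{{NS_SAML}}}Assertion")
    assertion_signed = bool(assertions) and all(
        a.find(f"{{{NS_DS}}}Signature") is not None for a in assertions
    )
    return {
        "response_signed": response_signed,
        "assertion_signed": assertion_signed,
        "assertion_count": len(assertions),
    }


def policy_violations(response_xml: str, binding: str,
                      always_sign_assertion: bool,
                      sign_response_as_required: bool) -> list:
    """List the ways a Response falls short of the selected signature policy.

    always_sign_assertion     -> every Assertion must carry its own signature,
                                 whatever the binding.
    sign_response_as_required -> the Response message must be signed when it
                                 is delivered over the POST or Redirect binding
                                 (simplified rule assumed for this example;
                                 Artifact is not checked).
    Selecting both applies both rules.
    """
    placement = signature_placement(response_xml)
    problems = []
    if always_sign_assertion and not placement["assertion_signed"]:
        problems.append("assertion(s) not signed although Always Sign Assertion is selected")
    if sign_response_as_required and binding.upper() in {"POST", "REDIRECT"}:
        if not placement["response_signed"]:
            problems.append(f"response message not signed for {binding} binding")
    return problems


def build_sample(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed test message (not a real IdP response); the ds:Signature
    elements are placeholders that would never validate."""
    sig = '<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    return f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
    xmlns:ds="{NS_DS}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  {sig if sign_response else ''}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    {sig if sign_assertion else ''}
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # An assertion-only signature satisfies "Always Sign Assertion" but not
    # "Sign Response As Required" over the POST binding.
    msg = build_sample(sign_response=False, sign_assertion=True)
    print(signature_placement(msg))
    print(policy_violations(msg, "POST", always_sign_assertion=True,
                            sign_response_as_required=False))
    print(policy_violations(msg, "POST", always_sign_assertion=False,
                            sign_response_as_required=True))
```

When reviewing a partner's sample response against the tab settings, run `policy_violations` with the binding the SP actually receives; an empty list means the placement matches the policy, and each string names the missing signature.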