PingFederate Server

Configuring signature verification settings (SAML 2.0)

You can configure the signature verification settings for the certificates in the PingFederate administrative console.

About this task

Depending on your partner agreement, digital signature processing might be required.

If you choose to require digital signatures on SAML 2.0 authentication requests on Protocol Settings → Signature Policy or inbound messages on Back-Channel Authentication → Inbound Authentication Type, you must configure the required certificate information that PingFederate can use to verify the signed messages.

The Signature Verification Settings tab is the launching point for this task. If digital signature verification is not required, the Signature Verification Settings tab is not shown.

Steps

  1. On the Signature Verification Settings tab, click Manage Signature Verification Settings.

  2. On the Trust Model window, select a trust model on the Certificate Verification Method tab.

    Anchored

    The partner certificate must be signed by a trusted certificate authority (CA). Optionally, you can also restrict the issuer to a specific Trusted CA to mitigate potential man-in-the-middle attacks and provide a means to isolate certificates used by different connections. The CA’s certificate must be imported into the PingFederate Trusted CA store on Security → Certificate & Key Management → Trusted CAs.

    If you are using the redirect binding for single logout (SLO), you cannot use anchored certificates because SAML 2.0 does not permit certificates to be included using this transport method.

    Unanchored

    The partner certificate is self-signed or you want to trust a specified certificate.

    When anchored certificates are used between partners, certificates can be changed without sending the update to your partner. If the certificate is unanchored, any change must be communicated to your partner, because the partner trusts that specific certificate rather than the CA that issued it.

    For more information, see Digital signing policy coordination.

    Subsequent steps, by trust model:

    Anchored

    On the Subject DN tab:

    1. Enter the Subject DN of the certificate or extract it from your service provider (SP) partner’s certificate if the certificate is stored on an accessible file system.

    2. Optionally, select the Restrict Issuer check box and enter the Issuer DN of the certificate. Alternatively, extract it from your partner’s certificate.

      You can enable this option to mitigate potential man-in-the-middle attacks and to provide a means to isolate certificates used by different connections.

    Unanchored

    On the Signature Verification Certificate tab:

    1. Select a certificate from the list. If you have not yet imported the certificate from your partner, click Manage Certificates to do so. For more information, see Managing certificates from partners.

    2. Optionally, select additional certificates.

      When configured, PingFederate considers a digital signature valid so long as it can verify the signature using one of the certificates from this list.

      This is useful in situations where your partner has sent you a certificate to replace the current certificate. Adding this second certificate allows PingFederate to continue validating digital signatures as the partner switches to the new signing certificate.

      It also adds support for scenarios where your partner uses a pool of certificates to sign its messages. Adding these certificates ensures that digital signatures can be validated as the partner rotates its signing certificates.

  3. On the Summary tab, review your configuration and perform one of the following tasks.

    Amend your configuration

    Click the corresponding tab title and then follow the configuration wizard to complete the task.

    Keep your changes

    Click Done and continue with the rest of the configuration.

    When editing an existing configuration, you can also click Save as soon as the administrative console offers the opportunity to do so.

    Discard your changes

    Click Cancel.
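The two trust models from step 2, modelled with openssl as an added example (this is not PingFederate code): it builds a constructed test CA, an SP certificate issued by that CA and a self-signed SP certificate with the same Subject DN, extracts the RFC 2253 DNs you would enter on the Subject DN tab, then applies the anchored check (chain to a trusted CA, Subject DN match, optional Restrict Issuer) and the unanchored check (certificate must be one of the configured list). It assumes openssl is on PATH; all organisation names, DNs and file names are constructed.

```shell
#!/bin/sh
# Constructed example, not PingFederate code. Requires openssl on PATH.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI: a trusted CA, an SP cert it issues, and a self-signed
# SP cert that carries the same Subject DN but is not signed by the CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout ca.key -out ca.pem \
  -subj "/O=Example CA Org/CN=Example Test CA" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout sp.key -out sp.csr \
  -subj "/O=Example SP/CN=sp.example.com" >/dev/null 2>&1
openssl x509 -req -days 1 -in sp.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out sp.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout self.key -out self.pem \
  -subj "/O=Example SP/CN=sp.example.com" >/dev/null 2>&1

# Print a DN in RFC 2253 form, the shape entered on the Subject DN tab.
# $1 is "subject" or "issuer", $2 is the certificate file.
dn() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# Anchored model: the certificate must chain to a CA in the trust store
# (ca.pem stands in for the Trusted CAs store), carry the configured Subject DN
# and, when Restrict Issuer is set ($3 non-empty), the configured Issuer DN.
anchored_ok() { # $1 cert file, $2 expected Subject DN, $3 expected Issuer DN or ""
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 || return 1
  [ "$(dn subject "$1")" = "$2" ] || return 1
  [ -z "${3:-}" ] || [ "$(dn issuer "$1")" = "$3" ]
}

# Unanchored model: the certificate must be one of the explicitly configured
# certificates (the list on the Signature Verification Certificate tab);
# identity is compared by SHA-256 fingerprint, so a re-issued cert with the
# same DN does not match until it is added to the list.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
unanchored_ok() { # $1 presented cert file, remaining args: configured cert files
  c=$(fp "$1"); shift
  for t in "$@"; do [ "$(fp "$t")" = "$c" ] && return 0; done
  return 1
}
```

Note that self.pem fails the anchored check despite having the expected Subject DN, while it passes the unanchored check only when it is itself in the configured list; that difference is why an unanchored certificate change has to be communicated to the partner.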