Configuring digital signatures for identity provider connections
Managing digital signature settings defines the private key you will use to sign single sign-on (SSO) authentication or attribute requests (optionally) or SAML 2.0 single logout (SLO) messages for this identity provider (IdP).
About this task
This process allows you to include Key Info with the XML message if you and your partner have agreed to this option.
Digital signing applies to service provider (SP)-initiated SSO under SAML 2.0, when specified by your partner agreement, and to either SLO profile using the POST or redirect bindings. Digital signing also applies if you are configuring an Attribute Query profile and have specified that you will sign attribute requests.
The step is not required for SAML 1.x IdP connections.
Steps
-
On the Digital Signature Settings tab, select a signing certificate from the Signing Certificate list.
If you have not yet created or imported your certificate into PingFederate, click Manage Certificates. For more information, see Manage digital signing certificates and decryption keys.
-
Optional: Select a Secondary Signing Certificate for inclusion in the connection metadata.
You can’t add a secondary certificate if the primary certificate has certificate rotation enabled. Also, you can’t use a certificate that has rotation enabled as the secondary signing certificate.
-
Optional: Select the Include the certificate in the signature <KeyInfo> element check box if you have agreed to send your public key with the message.
Select the Include the raw key in the signature <KeyValue> element check box if your partner agreement requires it.
Select the signing algorithm from the list.
The default selection is RSA SHA256 or ECDSA SHA256, depending on the Key Algorithm value of the selected digital signing certificate. Make a different selection if you and your partner have agreed to use a stronger algorithm. For a list of the available signing algorithms and their URIs, see Signing algorithms.