Message signing
Certificates contain information about the certificate owner along with a public key. Applying a digital signature computes a hash of the message being signed and encrypts that hash with the signer's private key.
PingFederate offers a choice of signature algorithms for deployments that require a stronger algorithm.
To ensure the integrity of SAML messages or security token service (STS) tokens, we recommend digital signing practices using public/private keypairs in conjunction with X.509 certificates.
Digital signatures do not encrypt the contents of a message; instead, messages use XML encryption when needed.
Ping Identity recommends a certificate signed by a certificate authority (CA); however, PingFederate will work with self-signed or untrusted third-party-signed certificates. After generating a keypair and a self-signed certificate, use PingFederate to create a certificate signing request (CSR) and send it to a CA for signing. After the CA has signed the CSR and returned the certificate, import the certificate into PingFederate’s certificate management system. PingFederate’s trusted store or the Java runtime cacerts store must contain the CA’s certificate.
PingFederate enables signing and validation of requests and responses. Additionally, PingFederate provides for certificate generation, import and export functionality, CSR generation, and application of digital signatures. You have the option to create reusable global signing certificates across your federated connection base and import signature verification certificates for each partner. For more information, see Manage digital signing certificates and decryption keys.
Ping Identity recommends generating unique certificates for each connection, which limits exposure if the private key becomes compromised.
Signature validation
After receiving a signed message, PingFederate verifies the signature using the public key that corresponds with the private key used to sign the message or token. Verification involves creating a hash of the received message, using the signing partner’s public key to decrypt the hash sent with the original message, and verifying that both hash values are equal.
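The sign-and-verify flow described above, including the requirement that the partner's certificate chain to a CA in the trust store, as an added example in Go (written for this page; it is not PingFederate code and does not use PingFederate's APIs). The CA name, the partner name `idp.example.test`, the SAML-like message text and the choice of SHA-256 with RSASSA-PSS are assumptions made for the example; the page does not name specific algorithms.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for pub, signed by issuerKey. When parent is nil the
// certificate is self-signed (used here both for the example CA and for an untrusted cert).
func newCert(cn string, serial int64, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, issuerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Sign hashes the message with SHA-256 and signs the digest with the private key (RSASSA-PSS).
func Sign(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
}

// Verify first checks that the partner's certificate chains to a CA in the trust store, then
// recomputes the hash of the received message and checks the signature with the public key
// carried in the certificate. Either failure rejects the message.
func Verify(trusted *x509.CertPool, partnerCert *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := partnerCert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted signing certificate: %w", err)
	}
	pub, ok := partnerCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate does not carry an RSA public key")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("signature does not match message: %w", err)
	}
	return nil
}

// Demo builds an example CA, a per-connection signing certificate issued by it, signs a
// constructed SAML-like message, and reports whether the genuine message verified, whether a
// tampered copy was rejected, and whether a certificate outside the trust store was rejected.
func Demo() (genuineOK, tamperRejected, untrustedRejected bool, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	caCert, err := newCert("Example Root CA", 1, true, &caKey.PublicKey, nil, caKey)
	if err != nil {
		return
	}
	partnerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	partnerCert, err := newCert("idp.example.test", 2, false, &partnerKey.PublicKey, caCert, caKey)
	if err != nil {
		return
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)

	// Constructed sample message; a real SAML response is much larger.
	msg := []byte(`<samlp:Response ID="_constructed-example" IssueInstant="2024-01-01T00:00:00Z"/>`)
	sig, err := Sign(partnerKey, msg)
	if err != nil {
		return
	}
	genuineOK = Verify(trusted, partnerCert, msg, sig) == nil

	// Changing a single attribute changes the hash, so the old signature no longer matches.
	tampered := []byte(`<samlp:Response ID="_constructed-example" IssueInstant="2024-01-02T00:00:00Z"/>`)
	tamperRejected = Verify(trusted, partnerCert, tampered, sig) != nil

	// A self-signed certificate for the same key is not in the trust store, so the message is
	// rejected even though the signature itself is mathematically valid for that key.
	selfSigned, err := newCert("idp.example.test", 3, false, &partnerKey.PublicKey, nil, partnerKey)
	if err != nil {
		return
	}
	untrustedRejected = Verify(trusted, selfSigned, msg, sig) != nil
	return
}

func main() {
	genuine, tampered, untrusted, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verified: %v, tampered rejected: %v, untrusted cert rejected: %v\n", genuine, tampered, untrusted)
}
```

The trust check runs before the signature check on purpose: a valid signature from a key whose certificate is not anchored in the trust store proves nothing about who signed, which is why the page requires the CA's certificate to be present in PingFederate's trusted store or the Java cacerts store.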