---
title: Configuring digital signatures for service provider connections
description: Digital signing is required for browser-based single sign-on (SSO) tokens and single logout (SLO) messages sent through POST or redirect bindings.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_configuring_digital_signatures_service_provider_connections
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_configuring_digital_signatures_service_provider_connections.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 10, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring digital signatures for service provider connections

Digital signing is required for browser-based single sign-on (SSO) tokens and single logout (SLO) messages sent through POST or redirect bindings.

## About this task

Digital signing is also required for:

* WS-Trust STS service provider (SP) connections, for signing the outbound SAML security tokens.

* [OAuth Token Exchange SP connections](pf_configuring_sp_connections_oauth_token_exchange.html), for signing outbound JWT tokens.

> **Note:** Configuring digital signatures for SP connections is just one step in configuring an SP connection. For more information, see [SP connection management](pf_sp_connect_management.html).

For browser-based SSO profiles that use the artifact or SOAP bindings, digital signing is required only if you choose to sign the SAML assertion on **Protocol Settings > Signature Policy**, or the artifact resolution messages on **Back-Channel Authentication > Outbound SOAP Authentication Type**.

If digital signing is not required, PingFederate does not show the **Digital Signature Settings** tab.

## Steps

1. On the **Digital Signature Settings** tab, select the certificate that you will use to sign the SSO tokens and SLO messages for the SP.

2. Select a signing certificate from the **Signing Certificate** list.

   If you have not yet created or imported your certificate into PingFederate, click **Manage Certificates**. For more information, see [Manage digital signing certificates and decryption keys](help_certmanagementtasklet_dsigsigningcert_certmanagementstate.html).

   > **Note:** For WS-Federation connections using JSON Web Tokens (JWTs), only EC and RSA certificates are supported. RSA certificates must have a minimum key size of 2,048 bits. The **Signing Certificate** list automatically filters out certificates that do not meet these requirements.

3. (Optional) Select a **Secondary Signing Certificate** for inclusion in the connection metadata.

   > **Note:** You can't add a secondary certificate if the primary certificate has certificate rotation enabled. Also, you can't use a certificate that has rotation enabled as the secondary signing certificate.

   > **Tip:** To deselect an existing secondary signing certificate, select **-SELECT-** in the **Secondary Signing Certificate** list. You can then delete the certificate by clicking **Manage Certificates** and selecting **Delete** from the **Actions** list.

4. (Optional) Select the **Include the certificate in the signature \<KeyInfo> element** checkbox if you have agreed to send your public key with the message.

   > **Note:** For WS-Trust STS, the `<KeyInfo>` element in the SAML token includes a reference to the certificate rather than the full certificate, unless you select this checkbox.

   > **Note:** This step isn't applicable to WS-Federation connections using JWTs or OAuth token exchange connections.

   Select the **Include the raw key in the signature \<KeyValue> element** checkbox if your partner agreement requires it.

   Select the signing algorithm from the list.

   The default selection is **RSA SHA256** or **ECDSA SHA256**, depending on the **Key Algorithm** value of the selected digital signing certificate. Make a different selection if you and your partner have agreed to use a stronger algorithm. For a list of the available signing algorithms and their URIs, see [Signing algorithms](pf_signing_algorithms.html).
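To confirm that a connection actually emits what these settings describe, the following added Python example (not PingFederate code) parses the `<ds:Signature>` of a SAML message, reports the `SignatureMethod` URI, whether `<KeyInfo>` carries the certificate or the raw key, and the RSA key size, then flags anything weaker than the RSA SHA256 / ECDSA SHA256 defaults or the 2,048-bit RSA minimum noted above; applying that minimum to every SAML signature is the example's own policy choice. The sample response is constructed, with placeholder certificate and signature values.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# SignatureMethod URIs for the page's defaults, RSA SHA256 and ECDSA SHA256.
STRONG_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
MIN_RSA_BITS = 2048  # minimum RSA key size from the note above (example policy)


def inspect_signature(xml_text):
    """Describe the <ds:Signature> in a SAML message: algorithm, KeyInfo contents, RSA size."""
    sig = ET.fromstring(xml_text).find(f".//{DS}Signature")
    if sig is None:
        return None
    method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
    modulus = sig.find(f".//{DS}RSAKeyValue/{DS}Modulus")  # present only with a raw <KeyValue>
    return {
        "algorithm": None if method is None else method.get("Algorithm"),
        "has_certificate": sig.find(f".//{DS}X509Certificate") is not None,
        "has_raw_key": sig.find(f".//{DS}KeyValue") is not None,
        "rsa_bits": None if modulus is None
        else int.from_bytes(base64.b64decode(modulus.text), "big").bit_length(),
    }


def check_policy(info):
    """Return findings where an observed signature falls short of the settings above."""
    if info is None:
        return ["message is not signed"]
    findings = []
    if info["algorithm"] not in STRONG_ALGS:
        findings.append(f"unexpected SignatureMethod: {info['algorithm']}")
    if info["rsa_bits"] is not None and info["rsa_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is {info['rsa_bits']} bits, below {MIN_RSA_BITS}")
    return findings


def sample_response(alg, bits):
    """Constructed SAML response skeleton; certificate and signature bytes are placeholders."""
    modulus = base64.b64encode(b"\x80" + b"\x00" * (bits // 8 - 1)).decode()
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>'
        f'<ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>'
        "<ds:SignatureValue>placeholder</ds:SignatureValue><ds:KeyInfo><ds:X509Data>"
        "<ds:X509Certificate>placeholder</ds:X509Certificate></ds:X509Data><ds:KeyValue>"
        f"<ds:RSAKeyValue><ds:Modulus>{modulus}</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>"
        "</ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature></samlp:Response>"
    )
```

Run `check_policy(inspect_signature(message))` over a captured response from the SP's side of the exchange; an empty list means the signature matches the defaults selected on this tab.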
