The Signature Policy screen provides options controlling how digital signatures are used for SAML messages. The choices made on this screen depend on your partner agreement (see Digital signing policy coordination).

SAML 2.0

Digital signing is required for SAML response messages sent from the IdP via the POST or redirect binding. Based on the SAML specifications, PingFederate provides three options:

  • Select the Always Sign Assertion check box alone to always sign the assertion portion inside the SAML response message.
  • Select the Sign Response As Required check box alone to sign the SAML response message per the SAML specifications. (This is the default selection.)
  • Select both check boxes to always sign the assertion portion inside the SAML response message for all bindings and to sign the SAML response message per the SAML specifications.

Authentication request messages from the SP may also be signed to enforce security. This scenario applies only when the SP-initiated SSO profile is enabled on the SAML Profiles screen.

  • Select the Require Authn Requests to be Signed ... check box to enforce this digital signature requirement.
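The three SAML 2.0 response choices and the AuthnRequest requirement above all come down to where a `ds:Signature` element is allowed or required to sit in the message. The following is an added example, not PingFederate's own code: a small Python check that an SP or IdP could run before cryptographic verification to confirm a received message matches the agreed policy (assertion signed, response signed, or both; AuthnRequest signed for POST and for redirect bindings). The sample messages are constructed here, and their empty `<ds:Signature/>` elements are placeholders for a real XML-DSig block; only their placement is checked, so a real deployment must still verify the signature itself with a SAML/XML-DSig library.

```python
"""Structural check of SAML 2.0 signature placement against a signing policy.

Added example (not PingFederate code). It checks *where* ds:Signature elements
sit, which is what the Signature Policy choices control:
  - "Always Sign Assertion"               -> every saml:Assertion is signed
  - "Sign Response As Required"           -> the samlp:Response itself is signed
  - "Require Authn Requests to be Signed" -> the samlp:AuthnRequest is signed
It does NOT validate the signature cryptographically; that step belongs to the
XML-DSig implementation and runs after this placement check passes.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIG = "{%s}Signature" % NS["ds"]
SAML_ASSERTION = "{%s}Assertion" % NS["saml"]
SAMLP_RESPONSE = "{%s}Response" % NS["samlp"]
SAMLP_AUTHN_REQUEST = "{%s}AuthnRequest" % NS["samlp"]


def _has_direct_signature(elem):
    """True only if ds:Signature is a *direct* child of elem.

    A signature buried deeper in the tree does not count: it would not be
    enveloped by this element and must not satisfy the policy for it.
    """
    return any(child.tag == DS_SIG for child in elem)


def check_response_policy(xml_text, require_assertion_sig, require_response_sig):
    """Return the list of policy violations; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP_RESPONSE:
        return ["root element is not samlp:Response"]
    problems = []
    if require_response_sig and not _has_direct_signature(root):
        problems.append("Response is not signed")
    assertions = [c for c in root if c.tag == SAML_ASSERTION]
    if not assertions:
        problems.append("no Assertion in Response")
    if require_assertion_sig:
        for i, assertion in enumerate(assertions):
            if not _has_direct_signature(assertion):
                problems.append("Assertion #%d is not signed" % i)
    return problems


def check_authn_request_signed(xml_text):
    """POST binding: the AuthnRequest XML must carry its own ds:Signature."""
    root = ET.fromstring(xml_text)
    return root.tag == SAMLP_AUTHN_REQUEST and _has_direct_signature(root)


def check_redirect_authn_request_signed(query_string):
    """Redirect binding: the signature travels in the SigAlg and Signature
    query parameters rather than inside the (deflated) XML, so both must be
    present alongside SAMLRequest."""
    params = parse_qs(query_string)
    return all(k in params for k in ("SAMLRequest", "SigAlg", "Signature"))


# Constructed sample: assertion signed, response unsigned ("Always Sign
# Assertion" selected alone). <ds:Signature/> stands in for a full XML-DSig.
SAMPLE_ASSERTION_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature/>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: response signed, assertion unsigned.
SAMPLE_RESPONSE_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature/>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed samples: signed and unsigned POST-bound AuthnRequests.
SAMPLE_AUTHN_POST_SIGNED = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_q1" Version="2.0">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <ds:Signature/>
</samlp:AuthnRequest>"""

SAMPLE_AUTHN_POST_UNSIGNED = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_q2" Version="2.0">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print(check_response_policy(SAMPLE_ASSERTION_SIGNED, True, True))
    print(check_authn_request_signed(SAMPLE_AUTHN_POST_UNSIGNED))
```

The check deliberately accepts a signature only as a direct child of the element it is meant to cover, so a message that matches the "both check boxes" policy must carry one signature on the Response and one on each Assertion; a signature placed anywhere else is reported as missing rather than silently accepted.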

SAML 1.x

For SAML 1.0 and SAML 1.1, the assertion portion inside the SAML response message can be digitally signed.

  • Select the Always Sign Assertion check box to always sign the assertion portion inside the SAML response message.

To continue, select the option (or options) based on your partner agreement.

If you are editing an existing connection, you can reconfigure the digital signature policy, which may require additional configuration changes in subsequent tasks.