Configuring digital signature settings - PingFederate

Configuring digital signature settings - PingFederate - 10.0

PingFederate Server

bundle

pingfederate-100

ft:publication_title

PingFederate Server

Product_Version_ce

PingFederate 10.0

category

Product

pf-100

pingfederate

ContentType_ce

Page created: 12 Sep 2019 |

Page updated: 19 Mar 2020

| 2 min read

PingFederate 10.0 Product Configuration User task Single Sign-on (SSO) Capability Software Deployment Method Product documentation Content Type Administrator Audience

Digital signing is required for browser-based SSO tokens and SLO messages sent via POST or redirect bindings. It is also required for WS-Trust STS SP connections (for the purpose of signing the outbound SAML security tokens).

On the Digital Signature Settings screen, select the certificate that you will use to sign the SSO tokens and SLO messages for this SP.

Note that, for browser-based SSO, digital signing is not always required for profiles using the artifact or SOAP bindings unless you chose to sign the SAML assertion on the Protocol Settings > Signature Policy screen or the artifact resolution messages on the Back-Channel Authentication > Outbound SOAP Authentication Type screen.

If digital signing is not required, the Digital Signature Settings screen is not shown.

Select a signing certificate from the list.

If you have not yet created or imported your certificate into PingFederate, click Manage Certificates (see Managing digital signing certificates and decryption keys).

Note:
For WS-Federation connections using JSON Web Tokens, only EC and RSA certificates are supported. Furthermore, RSA certificates must have a minimum key size of 2,048 bits. The Signing Certificate list automatically filters out certificates that do not meet these requirements.
Optional: Select the Include the certificate in the signature <KeyInfo> element check box if you have agreed to send your public key with the message.

Note:
For WS-Trust STS, the <KeyInfo> element in the SAML token includes a reference to the certificate rather than the full certificate by default unless this check box is checked.

Note:
This step is not applicable to WS-Federation connections using JSON Web Tokens.

Select the Include the raw key in the signature <KeyValue> element check box if your partner agreement requires it.
Optional: Select the signing algorithm from the list.
The default selection is RSA SHA256 or ECDSA SHA256, depending on the Key Algorithm value of the selected digital signing certificate. Make a different selection if you and your partner have agreed to use a stronger algorithm.