The Signature Policy tab provides options controlling how digital signatures are used for SAML and WS-Federation single sign-on (SSO) messages.
The choices made on this tab depend on your partner agreement. For more information, see Digital signing policy coordination.
Digital signing is required for SAML response messages sent from the identity provider (IdP) through POST or redirect for SAML 2.0. The SAML specifications allow the signing of the entire SAML response message or the assertion portion inside the SAML response message. If you and your partner agree on the latter, select the Specify additional signature requirements and Require signed SAML Assertions options on this tab. When the latter is selected, only the assertion portion of the SAML response message is signed, not the entire SAML response message. This is the only option that appears for SAML 1.x and WS-Federation connections.
SAML 2.0 authentication requests from the service provider (SP) can also be signed to enforce security. This option appears only for SAML 2.0 connections and when the SP-initiated SSO profile is enabled on the SAML Profiles tab.
Select Always Sign Artifact Response if you want the SAML ArtifactResponse to be signed regardless of the protocol being used to transport it.
- To continue, select the options based on your partner agreement.
If you are editing an existing connection, you can reconfigure the digital signature policy, which might require additional configuration changes in subsequent tasks.