Configuring digital signatures for service provider connections - PingFederate

Configuring digital signatures for service provider connections - PingFederate - 11.2

PingFederate Server

bundle

pingfederate-112

ft:publication_title

PingFederate Server

Product_Version_ce

PingFederate 11.2

category

Administrator

Administratorguide

Audience

Capability

ContentType

DeploymentMethod

Guide

Product

Productdocumentation

SingleSignonSSO

Software

SystemAdministrator

pf-112

pingfederate

ContentType_ce

Guide

Guide > Administrator Guide

Product documentation

Digital signing is required for browser-based single sign-on (SSO) tokens and single logout (SLO) messages sent through POST or redirect bindings.

Digital signing is also required for WS-Trust STS service provider (SP) connections, for signing the outbound SAML security tokens.

Remember: Configuring digital signatures for SP connections is just one step in configuring an SP connection. For more information, see SP connection management.

For browser-based SSO, digital signing is not always required for profiles using the artifact or SOAP bindings unless you chose to sign the SAML assertion on Protocol Settings > Signature Policy, or the artifact resolution messages on Back-Channel Authentication > Outbound SOAP Authentication Type.

If digital signing is not required, PingFederate does not show the Digital Signature Settings tab.

On the Digital Signature Settings tab, select the certificate that you will use to sign the SSO tokens and SLO messages for the SP.
Select a signing certificate from the Signing Certificate list.
If you have not yet created or imported your certificate into PingFederate, click Manage Certificates. For more information, see Manage digital signing certificates and decryption keys.
Note:
For WS-Federation connections using JSON Web Tokens (JWTs), only EC and RSA certificates are supported. RSA certificates must have a minimum key size of 2,048 bits. The Signing Certificate list automatically filters out certificates that do not meet these requirements.
Optional: Select a Secondary Signing Certificate for inclusion in the connection metadata.

Note:
You can't add a secondary certificate if the primary certificate has certificate rotation enabled. Also, you can't use a certificate that has rotation enabled as the secondary signing certificate.
Optional: Select the Include the certificate in the signature <KeyInfo> element check box if you have agreed to send your public key with the message.

Note:
For WS-Trust STS, the <KeyInfo> element in the SAML token includes a reference to the certificate rather than the full certificate by default unless this check box is checked.

Note:
This step is not applicable to WS-Federation connections using JWTs.

Select the Include the raw key in the signature <KeyValue> element check box if your partner agreement requires it.
Optional: Select the signing algorithm from the list.
The default selection is RSA SHA256 or ECDSA SHA256, depending on the Key Algorithm value of the selected digital signing certificate. Make a different selection if you and your partner have agreed to use a stronger algorithm.