Configuring signature policy - PingFederate - 11.3

PingFederate Server

The Signature Policy tab provides options controlling how digital signatures are used for SAML and WS-Federation single sign-on (SSO) messages.

The choices made on this tab depend on your partner agreement. For more information, see Digital signing policy coordination.

Digital signing is required for SAML 2.0 response messages sent from the identity provider (IdP) through POST or redirect. The SAML specifications allow either the entire SAML response message or only the assertion inside it to be signed. If you and your partner agree to sign only the assertion, select the Specify additional signature requirements and Require signed SAML Assertions options on this tab; only the assertion portion of the SAML response message is then signed, not the entire SAML response message. This is the only option that appears for SAML 1.x and WS-Federation connections.
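As an added check that is not part of the PingFederate documentation, the following Python reads a SAML 2.0 Response and reports whether the Response itself, each Assertion, or both carry an enveloped signature whose Reference points at the signed element, so you can confirm that what a partner actually sends matches the option chosen on this tab. The sample Response is constructed and its SignatureValue is a placeholder; the code checks structure only and does not verify the signature cryptographically (your SAML library does that).

```python
from xml.etree import ElementTree as ET
# Namespaces used by a SAML 2.0 Response and its XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: an assertion-only signed Response (SignatureValue is a placeholder).
SAMPLE_ASSERTION_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def _enveloped_signature(elem):
    """Return the ds:Signature that is a direct child of elem, or None."""
    for child in elem:
        if child.tag == "{%s}Signature" % NS["ds"]:
            return child
    return None

def _covers(sig, elem):
    """True only if the signature has one Reference and it points at elem's own ID."""
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + (elem.get("ID") or "")

def signature_policy_status(response_xml):
    """Report which parts of a samlp:Response carry an enveloped signature over
    themselves. Structure only: the signature value itself is not verified here."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    resp_sig = _enveloped_signature(root)
    assertions = root.findall("saml:Assertion", NS)
    signed = [(_enveloped_signature(a), a) for a in assertions]
    return {
        "response_signed": resp_sig is not None and _covers(resp_sig, root),
        "assertion_signed": bool(assertions) and all(s is not None and _covers(s, a) for s, a in signed),
        "assertion_count": len(assertions),
    }

def meets_policy(response_xml, require_signed_assertions):
    """Apply the tab's choice: with Require signed SAML Assertions, every
    Assertion must be signed; otherwise the whole Response must be signed."""
    status = signature_policy_status(response_xml)
    return status["assertion_signed"] if require_signed_assertions else status["response_signed"]
```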

SAML 2.0 authentication requests from the service provider (SP) can also be signed for additional security. This option appears only for SAML 2.0 connections and only when the SP-initiated SSO profile is enabled on the SAML Profiles tab.

Select Always Sign Artifact Response if you want the SAML ArtifactResponse to be signed regardless of the protocol being used to transport it.

To continue, select the options based on your partner agreement.

If you are editing an existing connection, you can reconfigure the digital signature policy, which might require additional configuration changes in subsequent tasks.