Configuring Communication Security for a SAML 2.0 Service Provider

The security settings control how Identity Server protects the assertions it issues to a service provider and how it secures the direct SOAP back-channel communication between Identity Server and that service provider.

  1. Click Devices > Identity Servers > Edit > SAML 2.0 > [service provider].

  2. Specify the following options under the Security section.

    Both the identity provider and the service provider must be configured with the same SOAP back-channel security method; otherwise back-channel requests fail.

    Encrypt assertions

    Select this option to encrypt the assertions that Identity Server issues to this service provider. The assertion itself is encrypted (SAML EncryptedAssertion), so its contents stay protected even while the message passes through the user's browser, not only on the SSL transport.

    Encrypt name identifiers

    Select this option to encrypt the name identifiers (SAML EncryptedID) in messages sent to this service provider.

    Certificate Settings: By default, all service providers use the identity provider's default signing and encryption certificates. You can assign a different certificate per service provider, and you can add a secondary signing certificate to be used when the primary signing certificate expires. Specify the following details:

    Identity Provider Signing Certificate

    Select a certificate from the keystore and assign it to the service provider.

    To add a secondary certificate, click the Add (+) icon, select a certificate from the keystore, then click Assign to SP.

    You can delete the secondary certificate but not the primary certificate. Access Manager uses the primary certificate. If the primary certificate has expired, Access Manager checks for a secondary certificate and, if one is assigned, automatically switches to it. If the primary certificate is deleted, the secondary certificate becomes the primary certificate.

    Identity Provider Encryption Certificate

    Select a certificate from the keystore and assign it to the service provider.

    NOTE: When you assign custom certificates to individual service providers while configuring Identity Server, you must export these certificates and the service provider-specific metadata to the service provider; otherwise the service provider cannot validate signatures made with the new certificate. To retrieve the metadata, click the metadata link in the note on the Trust page.

    For example, the default certificates are published at the default metadata URL: <IDP URL>/nidp/saml2/metadata.

    The custom certificates assigned to a service provider are published at that service provider's custom metadata URL: <IDP URL>/nidp/saml2/metadata?PID=<SP Entity ID>.

    Certificate Revocation Check Periodicity

    Specifies how often Identity Server checks whether the assigned certificates have been revoked. Select the interval at which the revocation check runs.

    SOAP Back Channel Security Method: Select one of the following security methods:

    Message Signing

    Each SOAP back-channel message carries a digital signature that the receiving provider verifies before it trusts the message.

    Mutual SSL

    Requires this trusted provider to present its own digital certificate (mutual SSL, also called client certificate authentication) when it sends a SOAP message.

    Ordinary SSL requires only the client to trust the server. For mutual SSL, the server must also trust the client. For the client to trust the server, the certificate of the server's certificate authority (CA) must be imported into the client trust store. For the server to trust the client, the certificate of the client's CA must be imported into the server trust store. If a certificate is self-signed, import that certificate itself in place of a CA certificate.

    Basic Authentication

    Specifies standard HTTP header-based authentication: a name and password are sent in the Authorization header of every SOAP back-channel request. Basic authentication only encodes the credentials, it does not encrypt them, so the back-channel must run over SSL.

    • Send: The name and password that Identity Server sends to the trusted partner for authentication. The partner expects this name and password on every SOAP back-channel request, so both sides must agree on them in advance.

    • Verify: The name and password that Identity Server expects the trusted provider to send with every SOAP back-channel request.
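    The following Python example, added here and not taken from the Access Manager documentation or product code, shows both halves of the Basic Authentication method: the "Send" side building the Authorization header for a back-channel request, and the "Verify" side checking it. The function names (build_basic_auth_header, verify_basic_auth, backchannel_headers) and the credentials "idp-soap" / "s3cret" are made up for the illustration. It also refuses to send credentials to a plain-HTTP back-channel URL, since Basic authentication only base64-encodes them.

```python
import base64
import binascii
import hmac
import urllib.parse


def build_basic_auth_header(name, password):
    """'Send' side: the Authorization header attached to every SOAP
    back-channel request. Basic auth is base64 of "name:password"
    (RFC 7617), so the name itself must not contain a colon."""
    if ":" in name:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{name}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def verify_basic_auth(header, expected_name, expected_password):
    """'Verify' side: accept a back-channel request only if its Authorization
    header carries exactly the agreed name and password. Malformed headers
    are rejected instead of raising, and both fields are compared in constant
    time so a wrong name and a wrong password take the same time to reject."""
    if not header:
        return False
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    # Only the first colon separates name from password; passwords may contain colons.
    name, sep, password = decoded.partition(":")
    if not sep:
        return False
    name_ok = hmac.compare_digest(name.encode("utf-8"), expected_name.encode("utf-8"))
    password_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return name_ok and password_ok


def backchannel_headers(url, name, password):
    """Headers for an outbound SOAP back-channel call. Basic auth does not
    encrypt the credentials, so refuse to send them over plain HTTP."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("SOAP back-channel with Basic Authentication must use https")
    return {
        "Authorization": build_basic_auth_header(name, password),
        "Content-Type": "text/xml; charset=utf-8",
    }


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    hdr = build_basic_auth_header("idp-soap", "s3cret")
    print(hdr)
    print(verify_basic_auth(hdr, "idp-soap", "s3cret"))
    print(verify_basic_auth(hdr, "idp-soap", "wrong"))
```

    The "Send" values configured on one side must equal the "Verify" values configured on the other; the verifier above rejects anything else, including a header that is not Basic at all or that does not decode cleanly.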

  3. Click OK > OK.

  4. Update Identity Server.

    If you want to update only the metadata of a specific service provider, select Devices > Identity Servers > Update All > SAML2 Trusted Provider Update > OK.
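After the update, it is worth confirming that the metadata the service provider will import actually advertises the certificate you assigned. The following Python example is added here and is not part of the Access Manager documentation or product code: it builds the default and per-service-provider metadata URLs described in the note above, parses an IDP metadata document, and lists the SHA-256 fingerprints of the signing and encryption certificates it publishes so you can compare them with the certificate chosen in the keystore. The function names (metadata_url, certificates_by_use, signing_cert_is_published) are made up, the metadata document is a constructed sample whose certificate values are placeholder bytes rather than real DER certificates, and it assumes that a primary and a secondary signing certificate appear as two separate KeyDescriptor elements.

```python
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def metadata_url(idp_url, sp_entity_id=None):
    """Default metadata URL, or the per-service-provider URL when custom
    certificates are assigned. The entity ID is usually itself a URL, so it
    is percent-encoded before being placed in the PID query parameter."""
    base = idp_url.rstrip("/") + "/nidp/saml2/metadata"
    if sp_entity_id is None:
        return base
    return base + "?PID=" + urllib.parse.quote(sp_entity_id, safe="")


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, the form most
    keystore tools display, for comparing against the assigned certificate."""
    return hashlib.sha256(der).hexdigest()


def certificates_by_use(metadata_xml):
    """Return {'signing': [...], 'encryption': [...]} with the fingerprints of
    every certificate the metadata publishes. A KeyDescriptor without a 'use'
    attribute applies to both purposes under the SAML 2.0 metadata spec."""
    root = ET.fromstring(metadata_xml)
    found = {"signing": [], "encryption": []}
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        uses = [kd.get("use")] if kd.get("use") in found else list(found)
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            # Base64 in metadata is usually wrapped across lines; drop all whitespace.
            der = base64.b64decode("".join((cert.text or "").split()))
            for use in uses:
                found[use].append(fingerprint(der))
    return found


def signing_cert_is_published(metadata_xml, expected_fingerprint):
    """True if the certificate assigned in the Identity Server UI is among
    the signing certificates the metadata actually advertises."""
    return expected_fingerprint in certificates_by_use(metadata_xml)["signing"]


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed placeholders: a real X509Certificate element carries a base64
# DER certificate; these byte strings only stand in for one so the sample runs
# offline, and the fingerprints they produce are meaningless.
PRIMARY_DER = b"constructed-primary-signing-cert"
SECONDARY_DER = b"constructed-secondary-signing-cert"
ENCRYPTION_DER = b"constructed-encryption-cert"

# Constructed sample of what <IDP URL>/nidp/saml2/metadata?PID=... might return
# for a service provider with a primary and a secondary signing certificate
# assigned (assumption: both are published as separate KeyDescriptor elements).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_b64(PRIMARY_DER)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_b64(SECONDARY_DER)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_b64(ENCRYPTION_DER)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    print(metadata_url("https://idp.example.com", "https://sp.example.com/saml"))
    print(certificates_by_use(SAMPLE_METADATA))
    print(signing_cert_is_published(SAMPLE_METADATA, fingerprint(PRIMARY_DER)))
```

In practice you would fetch the document from the custom metadata URL over HTTPS and pass its text to certificates_by_use; if the fingerprint of the certificate you assigned is missing from the signing list, the service provider is still being handed the default certificate and the update has not taken effect.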