How Access Manager Uses Signing and Interacts with the netHSM Server

The netHSM server provides a signing certificate that is used instead of the one provided by Access Manager. Requests, responses, assertions, or payloads can be signed when there are interactions during single sign-on or during attribute queries between service providers and identity providers using any of SAML2 or ID-SIS protocols.

Access Manager Services That Use the Signing Certificate

The following services can use signing:

Protocols

The protocols can be configured to sign authentication requests.

To view your current configuration:

  1. On the Home page, click Identity Servers > [cluster name].

  2. In the Identity Provider section, view the setting for the Require Signed Authentication Requests option. If it is selected, all authentication requests from identity providers are signed.

  3. In the Identity Consumer section, view the settings for the Require Signed Assertions and Sign Authentication Requests options. If these options are selected, assertions and authentication requests are signed.

Protocols communicate directly with a provider using the SOAP backchannel. This channel is used for artifact resolutions and attribute queries for the Identity Web Services Framework.

To view your current configuration for the SOAP backchannel:

  1. On the Home page, click Applications > Select a Cluster > [application name] > SAML v2.0 Identity Provider or SAML v2.0 Identity Provider.

  2. View the Security section. If the Message Signing option is selected, signing is enabled for the SOAP backchannel.

Profiles

Any of the Web Service Provider profiles can be enabled for signing by configuring them to use X.509 for their security mechanism. For current configuration, see Web Service Provider API (https://<admin-console-host>:<admin-console-port>/nps/swagger-ui.html). If either Peer entity = None, Message=X509 or Peer entity = MutualTLS, Message=X509 has been selected as the security mechanism, signing has been enabled for the profile.

Understanding the Interaction of the netHSM Server with Access Manager

Figure 14-2 outlines one of the basic flows that might occur during single sign-on to Identity Server when authentication requests have been configured for signing.

Figure 14-2 Basic Flow for an Authentication Request Using netHSM

  1. A user requests Access Gateway to provide access to a protected resource.

  2. Access Gateway redirects the user to Identity Server, which prompts the user for a username and password.

  3. Identity Server authenticates the user. If signing is enabled, the payload is signed by the netHSM server through the Java JSSE security provider.

  4. Identity Server returns the authentication artifact to Access Gateway.

  5. Access Gateway ESP retrieves the user’s credentials from Identity Server.

  6. Access Gateway verifies that the credentials allow the user access to the resource, then sends the request to the web server.

  7. The web server returns the requested web page.