Layer7 Access Management


Federation Signature and Encryption

  • 1.  Federation Signature and Encryption

    Posted 04-18-2016 05:45 PM

    Hi, can anyone shed some light on these: how do this signature and encryption work?

    On the SP, signature:

    1. Signing Private Key Alias -- it is using the SP cert

    2. Verification Certificate Alias -- this is using the IdP certs

    Encryption Certificate Alias -- IdP cert

    Decryption Private Key Alias -- SP cert

    On the IdP, signature:

    Verification Certificate Alias -- IdP cert

    Signing Private Key Alias -- SP cert

    Encryption Certificate Alias -- SP cert

    Decryption Private Key Alias -- IdP cert



  • 2.  Re: Federation Signature and Encryption
    Best Answer

    Posted 04-26-2016 09:17 AM

    Hi sreev,

    Signature and Encryption are many times confusing indeed, because both use certificates and keys and both are related to Assertions.

    In a Federation journey, usually we "sign" and "encrypt" the Assertion for 2 goals:

      - to guarantee that this XML document hasn't been modified when it arrives at the SP side;

      - to guarantee that this XML document is kept readable "only" for the SP side.

    The Signature makes the Assertion XML document not modifiable by a third party. That's why the one party will sign it and the other party will verify the signature, to confirm the integrity of the XML document.

    The Encryption makes parts of the Assertion XML Document readable only for the SP side. To read it, the SP side needs to decrypt it.

    So for a given Assertion XML document, you can sign or encrypt it, or do both at the same time.

    The Certificate used for encryption at the IDP side should be set in the SP side in order to make the SP able to decrypt the Assertion. The same occurs for the signature process.

    I hope that helps to understand how signature and encryption

    Best Regards,
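
    As an added illustration of the key roles described in the answer above (example code, not from the thread or the Layer7 product): a Go model of an IdP and an SP in which each side signs and decrypts with its own private key, and verifies and encrypts with the partner's certificate. The Party type, the IdPToSP flow and the sample assertion are constructed for this example; real SAML encrypts the assertion with a symmetric key and only wraps that key with the SP certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// must panics on error so the key-role mapping below stays readable.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// Party models one federation partner (IdP or SP); the other side only ever gets its public half.
type Party struct{ priv *rsa.PrivateKey }
// NewParty generates a throwaway key pair (a constructed stand-in for a keystore alias).
func NewParty() *Party { return &Party{priv: must(rsa.GenerateKey(rand.Reader, 2048))} }
// Cert is what the partner configures as its Verification or Encryption Certificate Alias.
func (p *Party) Cert() *rsa.PublicKey { return &p.priv.PublicKey }

// Sign uses our own private key: the Signing Private Key Alias.
func (p *Party) Sign(assertion []byte) []byte {
	h := sha256.Sum256(assertion)
	return must(rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, h[:]))
}

// Verify uses the sender's certificate (Verification Certificate Alias); any change to the bytes fails it.
func Verify(senderCert *rsa.PublicKey, assertion, sig []byte) bool {
	h := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(senderCert, crypto.SHA256, h[:], sig) == nil
}

// Encrypt uses the recipient's certificate (Encryption Certificate Alias). Real SAML
// wraps a symmetric key this way; the short sample assertion here is encrypted directly.
func Encrypt(recipientCert *rsa.PublicKey, assertion []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientCert, assertion, nil))
}

// Decrypt uses our own private key: the Decryption Private Key Alias.
func (p *Party) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

// IdPToSP runs the flow from the answer: the IdP signs with its own key and encrypts
// for the SP; the SP verifies with the IdP cert and decrypts with its own key.
func IdPToSP(idp, sp *Party, assertion []byte) (verified bool, plaintext []byte, err error) {
	sig := idp.Sign(assertion)
	ct := Encrypt(sp.Cert(), assertion)
	plaintext, err = sp.Decrypt(ct)
	return Verify(idp.Cert(), assertion, sig), plaintext, err
}
```

    Swapping the aliases (verifying with the SP cert, or decrypting with the IdP key) makes Verify return false and Decrypt return an error, which is the misconfiguration the question describes.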


  • 3.  Re: Federation Signature and Encryption

    Posted 05-10-2016 04:29 PM

    Still not clear, Patrick.

    As I understood:

    Signing Private Key Alias -- IdP cert --> this will sign, and it encrypts using Encryption Certificate Alias -- IdP cert

    When it receives a request, it uses the Verification Certificate Alias key -- SP cert, and it decrypts using Decryption Private Key Alias -- SP cert

    If I am wrong, please put me on the right path.