Oracle OpenSSO 8.0 Update 2 Release Notes

.NET Fedlet Signing of Requests and Responses (CR 6928530)

The .NET Fedlet supports the signing of outgoing XML requests such as Authn requests and logout requests.

Procedure: To Configure the .NET Fedlet for Signing of Requests and Responses

  1. Import your X.509 certificate to the Personal folder within the Local Computer account using the Certificates Snap-in for the Microsoft Management Console. To use this snap-in, see the following Microsoft article:

    http://msdn.microsoft.com/en-us/library/ms788967.aspx

  2. Give the certificate a friendly name: open its Properties dialog and enter a value in the Friendly name field. (Save this value for Step 4.)

  3. Set the permissions that allow read access to the certificate's private key for the user account used by Internet Information Server (IIS), as described in the Microsoft article. For example:

    1. In the Certificates Snap-in, navigate to Action, All Tasks, and then Manage Private Keys.

    2. Specify Allow Read permissions for the user account running IIS (usually NETWORK SERVICE).

  4. In the .NET Fedlet's extended metadata file (sp-extended.xml), enter the friendly name from Step 2 as the value of the signingCertAlias attribute. For example:

    <Attribute name="signingCertAlias">
        <Value>MyFedlet</Value>
    </Attribute>

  5. In the .NET Fedlet's service provider metadata file (sp.xml), add the KeyDescriptor for the signing key.

    Use the Certificates Snap-in you used earlier to export the public certificate in Base64 encoding, and paste it into the ds:X509Certificate element of the KeyDescriptor XML block. This KeyDescriptor must be the first child element within the SPSSODescriptor. For example:

    <KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                </ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </KeyDescriptor>

  6. Restart the Application Pool associated with your .NET application.
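The following PowerShell script is an added verification aid, not part of the OpenSSO release notes or the Fedlet distribution: run it on the IIS host after Step 5 to confirm that the certificate is where Steps 1 through 4 expect it, that the IIS account can read its private key, and that sp.xml carries the same certificate. The friendly name, the sp.xml path and the IIS account are assumptions to adjust for your deployment.

```powershell
# Added verification script; not part of the OpenSSO release notes or the Fedlet distribution.
# Assumed values (adjust for your deployment): friendly name "MyFedlet" from sp-extended.xml,
# the sp.xml path, and NETWORK SERVICE as the IIS account named in Step 3.
param(
    [string]$FriendlyName = 'MyFedlet',
    [string]$SpMetadata   = 'C:\inetpub\wwwroot\Fedlet\App_Data\sp.xml',
    [string]$IisAccount   = 'NETWORK SERVICE'
)

# Steps 1-2: exactly one certificate with this friendly name in Personal\Local Computer, with a private key.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -ne 1) { throw "Expected one certificate named '$FriendlyName' in LocalMachine\My, found $($certs.Count)" }
$cert = $certs[0]
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; request signing will fail" }

# Step 3: the IIS identity needs Read on the private key file (CAPI keys live under MachineKeys;
# CNG keys are stored elsewhere, so fall back to a manual check if this lookup fails).
try {
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    $hasRead = (Get-Acl $keyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -like "*$IisAccount" -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if (-not $hasRead) { Write-Warning "No Allow/Read entry for '$IisAccount' on $keyFile (see Step 3, Manage Private Keys)" }
} catch {
    Write-Warning "Could not inspect the private key ACL ($_); verify Step 3 manually in the Certificates snap-in"
}

# Steps 4-5: the signing KeyDescriptor must be the first element under SPSSODescriptor and hold this certificate.
[xml]$sp = Get-Content -Path $SpMetadata -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($sp.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$spsso = $sp.SelectSingleNode('//md:SPSSODescriptor', $ns)
if (-not $spsso) { throw "No SPSSODescriptor found in $SpMetadata" }
$first = @($spsso.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })[0]
if ($first.LocalName -ne 'KeyDescriptor' -or $first.GetAttribute('use') -ne 'signing') {
    throw "First child of SPSSODescriptor is <$($first.LocalName)>, expected <KeyDescriptor use=`"signing`">"
}
$b64 = $first.SelectSingleNode('.//ds:X509Certificate', $ns).InnerText -replace '\s', ''
$bytes = [Convert]::FromBase64String($b64)
$metaCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
if ($metaCert.Thumbprint -ne $cert.Thumbprint) {
    throw "sp.xml KeyDescriptor holds $($metaCert.Thumbprint) but the store certificate is $($cert.Thumbprint)"
}
Write-Host "OK: '$FriendlyName' ($($cert.Thumbprint)) is in the store with a private key and matches sp.xml"
```

Run it from an elevated PowerShell session on the IIS host, since reading the MachineKeys ACL requires administrative rights.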