Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

Signing Liberty ID-FF Requests and Responses

Federation-based communications passing between identity providers and service providers are generally required to be digitally signed and verified. Signing and verifying messages provides data integrity, data origin authentication, and a basis for non-repudiation. To turn on signing for all Liberty ID-FF requests and responses emanating from your instance of Access Manager, set the value of the com.sun.identity.federation.services.signingOn property in AMConfig.properties to true and restart Access Manager and its web container. This allows for signing of Liberty ID-FF requests being sent and verification of signature validity for Liberty ID-FF responses received. If set to false, signing is disabled. If set to optional, requests and responses will be signed or verified only if required by the federation profile being used. After installation, AMConfig.properties is located in the etc/opt/SUNWam/config directory.
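As an added example (not from this guide or the Access Manager product), the following Python script reads an AMConfig.properties file, parses the Java properties format, and classifies the com.sun.identity.federation.services.signingOn value according to the three settings described above. The sample fragment and the example.placeholder.key property are constructed for illustration.

```python
"""Audit the Liberty ID-FF signing setting in an AMConfig.properties file.

Handles the Java .properties conventions an admin actually meets: '#' and '!'
comments, '=' or ':' or whitespace separators, and backslash line continuations.
"""
import re

SIGNING_PROP = "com.sun.identity.federation.services.signingOn"


def parse_properties(text):
    """Minimal Java .properties parser returning {key: value}."""
    props = {}
    pending = []  # pieces of a logical line spanning continuations
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank or comment line outside a continuation
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue  # next physical line belongs to this value
        pending.append(line)
        joined = "".join(pending)
        pending = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", joined)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_signing(text):
    """Return (value, severity, message) for the signingOn property."""
    value = parse_properties(text).get(SIGNING_PROP)
    if value is None:
        return (None, "warn", f"{SIGNING_PROP} not set; signing state relies on the default")
    v = value.lower()
    if v == "true":
        return (v, "ok", "all Liberty ID-FF requests signed and responses verified")
    if v == "optional":
        return (v, "warn", "signing/verification only where the federation profile requires it")
    if v == "false":
        return (v, "high", "signing disabled: no integrity or origin authentication on ID-FF messages")
    return (v, "error", f"unrecognized value {value!r}")


# Constructed sample fragment; not taken from a real deployment.
SAMPLE = """\
# Identity federation settings
com.sun.identity.federation.services.signingOn=false
example.placeholder.key = value that \\
    continues
"""

if __name__ == "__main__":
    print(audit_signing(SAMPLE))
```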


Note –

More information on com.sun.identity.federation.services.signingOn and the other identity federation properties in AMConfig.properties can be found in Chapter 6, AMConfig.properties Reference, in Sun Java System Access Manager 7.1 Administration Reference.


Additionally, to enable the signing of an authentication request from a service provider configured on your instance of Access Manager, use the following procedure.

Procedure: To Enable Signing of Service Provider Authentication Requests

Before You Begin

A keystore must be set up before turning on the signing properties. See Appendix B, Key Management, for information on how to do this.

  1. Log in to the Access Manager console as the top-level administrator, by default, amadmin.

  2. Select the Federation tab.

  3. Select the Entities tab.

  4. Select the name of the entity that contains the service provider configuration for which you want to enable the signing of an authentication request.

  5. Select Service Provider from the View pull-down menu.

  6. Enable the Sign Authentication Request property under the Service Provider configuration and click Save.

  7. Log out of the Access Manager console.