The communication security settings control the direct communication between Identity Server and a trusted provider across the SOAP back channel. You can secure this channel with one of three methods:
Message Signing: This is the default method, and Identity Server comes with a test signing certificate that is used to sign the back-channel messages. We recommend replacing this test signing certificate with a certificate from a well-known certificate authority. This method is secure, but it is CPU intensive. For information about replacing the default certificate, see Managing the Keys, Certificates, and Trust Stores.
Mutual SSL: This method is probably the fastest method, and if you are fine-tuning your system for performance, you must select this method. However, it requires the exchange of trusted root certificates between Identity Server and the trusted provider. This exchange of certificates is a requirement for setting up the trust relationship between the two providers. To verify that you have exchanged certificates, see Managing the Keys, Certificates, and Trust Stores.
Basic Authentication: This method is as fast as mutual SSL and the least expensive because it does not’ require any certificates. However, it does require the exchange of usernames and passwords with the administrator of the trusted provider, which might or might not compromise the security of the trusted relationship.
If your trusted provider is another Identity Server, you can use any of these methods, as long as your Identity Server and the trusted Identity Server use the same method. If you are setting up a trusted relationship with a third-party provider, you need to select a method supported by that provider.
For configuration information, see the following sections: