Configuring Communication Security for a SAML 2.0 Identity Provider

The security settings control the direct communication between Identity Server and an identity provider across the SOAP back-channel.

  1. Click Devices > Identity Servers > Edit > SAML 2.0 > [identity provider] > Trust.

  2. Specify a name for this trusted provider. The default name is the name you entered when creating the trusted provider.

  3. Specify the following details in the Security section.

    In this section, you specify how messages received from trusted providers over the SOAP back-channel are validated. You must configure the identity provider and the service provider in the trusted relationship to use the same security method.

    Encrypt name identifier: Specifies whether you want the name identifiers encrypted on the wire.

    Message Signing: Relies on message signing with a digital signature.

    Mutual SSL: Specifies that this trusted provider presents a digital certificate (mutual SSL) when it sends a SOAP message.

    SSL communication requires only the client to trust the server. For mutual SSL, the server must also trust the client. For the client to trust the server, the server’s certificate authority (CA) certificate must be imported into the client trust store. For the server to trust the client, the client’s CA certificate must be imported into the server trust store.

    Basic Authentication: Specifies standard header-based authentication. This method assumes that a name and password for authentication are sent and received over the SOAP back-channel.

    • Send: The name and password sent to a trusted partner for authentication. The partner expects this password on all SOAP back-channel requests, so the name and password must be agreed upon by both parties.

    • Verify: The name and password used to verify the credentials that a trusted provider sends.

    • Certificate Revocation Check Periodicity: Specifies how often the certificate is checked for validity. Define the periodicity to validate at startup or at the assertion level, or set the frequency to hourly or daily.

  4. Click OK > OK.

  5. Update Identity Server.
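The Send and Verify fields above only work when each side's Send pair equals its partner's Verify pair. The following Python example is added here and is not part of the product or this documentation; it assumes the credentials are held as simple (name, password) tuples and uses constructed sample values (IDP_TRUST, SP_TRUST) to show what the Send side puts in the HTTP header, how the Verify side checks it without leaking timing or crashing on malformed input, and a configuration check for the partner agreement.

```python
import base64
import hmac

# Constructed sample (hypothetical values, not product defaults): each side
# holds a "Send" pair for outgoing SOAP back-channel requests and a "Verify"
# pair for incoming ones.
IDP_TRUST = {"send": ("idp-backchannel", "idp-secret"),
             "verify": ("sp-backchannel", "sp-secret")}
SP_TRUST = {"send": ("sp-backchannel", "sp-secret"),
            "verify": ("idp-backchannel", "idp-secret")}


def build_basic_auth_header(name: str, password: str) -> str:
    """Authorization header the Send side attaches to back-channel requests."""
    if ":" in name:
        raise ValueError("a Basic user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{name}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def verify_basic_auth_header(header: str, expected_name: str, expected_password: str) -> bool:
    """Check an incoming header against the Verify credentials.

    Malformed input (wrong scheme, invalid base64, missing ':' separator) is
    rejected rather than raised, and both fields are compared in constant time.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    name, sep, password = decoded.partition(":")
    if not sep:
        return False
    name_ok = hmac.compare_digest(name.encode("utf-8"), expected_name.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return name_ok and pw_ok


def backchannel_credentials_agree(idp: dict, sp: dict) -> list:
    """Configuration-time check: what one side sends must be what the other verifies.

    Messages name the field, not the secret, so they are safe to log.
    """
    problems = []
    if idp["send"] != sp["verify"]:
        problems.append("IdP Send credentials do not match SP Verify credentials")
    if sp["send"] != idp["verify"]:
        problems.append("SP Send credentials do not match IdP Verify credentials")
    return problems
```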