Novell Documentation: SAML Extension for Novell iChain - Generating SAML Digital Signatures

Generating SAML Digital Signatures

The SAML specification allows the inclusion of XML digital signatures on generated SAML Responses and SAML assertions. The SAML browser/POST (where SAML assertions travel through the user's browser between sites) requires that SAML data contain an XML signature. The SAML browser/Artifact (where SAML assertions are sent directly server to server via the SAML SOAP back-channel) do not necessarily need to be signed.

Security settings relating to digital signatures are made on a per-Trusted Affiliate basis. This means that for each separate Trusted Affiliate relationship you can decide:

If digital signatures are generated on outbound SAML assertions intended for the Trusted Affiliate
If digital signatures are required on incoming SAML assertions issued by the Trusted Affiliate
What public key certificates to use to validate digitally signed incoming data from the Trusted Affiliate

These settings determine the level of security that is required for the relationship, and they must be negotiated between your site and each Trusted Affiliate site. The settings that control this are found on the Assertions page for the samlTrustedAffiliate configuration objects in the directory.

Use the following rules to configure the SAML system to generate digital signatures:

A signing key pair (SKP) must be generated using Novell^® Certificate Server^TM or another PKI management tool.
The SKP can exist in eDirectory^TM, in which case you can use the Novell Certificate Server utilities to manage it.
If the SKP exists in eDirectory, you can point to it in the samlSiteConfig object.
The SKP is made available in PKCS#12 or Java Key Store format and stored on the SAML extension server's local disk.
Novell Certificate Server exports the key pair in PKCS#12 format.
The Appropriate settings must be made on the Trusted Affiliate object whose SAML data you want to sign.
The public key certificate associated with the SKP must be exported and sent to the Trusted Affiliate that will be validating the signatures you generate.
Be sure that the public key certificate is exported, not the "parent" Trusted Root. You must have the key that directly corresponds to the signing key; this is the public key certificate.