10.4 Configuring Secure Communication on Identity Server

Identity Server uses the key pair (NAM-RP-Certificate) associated with the NAM-RP Reverse Proxy Service (Access Manager > Devices > Access Gateway > [AG-Cluster] > NAM-RP) for secure communication. In a production environment, replace the NAM-RP-Certificate that is created at installation time with a certificate issued by a trusted certificate authority.

Identity Server uses this key pair for the following purposes:

  • To establish SSL communication between Identity Server and browsers, and between Identity Server and Access Gateway for back-channel communication.

  • To sign authentication requests, to sign communication with providers on the SOAP back channel, and to sign Web Service Provider profile messages.

  • To encrypt specific fields or data in the assertions. For more information about the services that use the certificate for encryption, see Section 10.4.2, Viewing Services That Use the Encryption.

  • In addition, to secure communication between Identity Server and the user store (a separate step that does not use this key pair), import the trusted root certificate of the user store so that Identity Server trusts the store's server certificate. For configuration information, see Section 5.1.1, Configuring Identity User Stores.
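The following POSIX shell script is an added example and is not part of the Access Manager documentation or product. It shows the checks a practitioner would run after replacing the install-time NAM-RP-Certificate: that the new certificate chains to the trusted CA bundle, and that its key usage covers what Identity Server uses the single key pair for (TLS server authentication plus signing and encryption). The host name idp.example.com, all file names, the port, and the key-usage values chosen for the demo certificate are assumptions; the throwaway CA and leaf certificates are constructed by the script so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the Access Manager documentation or product.
# Checks to run after replacing the install-time NAM-RP-Certificate:
#   1. the certificate chains to the trusted CA bundle;
#   2. its key usage covers TLS plus signing and encryption (assumed values).
# Host names, file names and key-usage choices below are assumptions.

# verify_chain LEAF_PEM CA_BUNDLE_PEM
# Returns 0 when LEAF_PEM validates against CA_BUNDLE_PEM, 1 otherwise.
# OpenSSL also consults its default trust locations, so keep the bundle
# limited to the CA you actually trust.
verify_chain() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# has_key_usage LEAF_PEM USAGE
# Returns 0 when USAGE (for example "Digital Signature") appears in the
# X509v3 Key Usage extension of LEAF_PEM.
has_key_usage() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Key Usage/ { getline; print }' \
        | grep -q "$2"
}

# fetch_served_cert HOST PORT OUT_PEM
# Saves the leaf certificate the live Identity Server presents on HOST:PORT so
# it can be passed to verify_chain. Needs network access; not used offline.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# make_demo_certs DIR
# Constructed demo material: a throwaway CA, a leaf it issues for the assumed
# host idp.example.com, and a self-signed leaf standing in for the install-time
# certificate. In production use your real CA bundle instead.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir"
    # Minimal req config so the demo does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$dir/req.cnf"
    openssl req -x509 -config "$dir/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Example Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=idp.example.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    # Assumed extensions for a certificate used for TLS and for signing/encryption.
    printf 'subjectAltName = DNS:idp.example.com\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\n' > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=idp.example.com" -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" >/dev/null 2>&1
}

# demo_check DIR
# Builds the demo material and reports both outcomes; returns 0 only when the
# CA-issued leaf verifies, the self-signed one does not, and the leaf can sign.
demo_check() {
    make_demo_certs "$1"
    ok=0
    if verify_chain "$1/leaf.pem" "$1/ca.pem"; then
        echo "leaf.pem: chains to ca.pem"
    else
        echo "leaf.pem: does NOT chain to ca.pem"; ok=1
    fi
    if verify_chain "$1/selfsigned.pem" "$1/ca.pem"; then
        echo "selfsigned.pem: unexpectedly trusted"; ok=1
    else
        echo "selfsigned.pem: not trusted (expected for the install-time certificate)"
    fi
    has_key_usage "$1/leaf.pem" "Digital Signature" || { echo "leaf.pem: missing Digital Signature"; ok=1; }
    return $ok
}

# Usage: RUN_DEMO=1 sh check_nam_rp_cert.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo_check "${TMPDIR:-/tmp}/nam-rp-demo"
fi
```

Against a live system, run fetch_served_cert with the Identity Server host and its HTTPS port (assumed, for example 8443) and pass the saved PEM to verify_chain together with your real CA bundle; a self-signed install-time certificate fails that check exactly as selfsigned.pem does in the demo.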

This section describes the following tasks:

  • Section 10.4.1, Viewing the Services That Use the Signing

  • Section 10.4.2, Viewing Services That Use the Encryption

10.4.1 Viewing the Services That Use the Signing

The following services can be configured to use the signing key pair:

Protocols

The protocols (Liberty, SAML 1.1, and SAML 2.0) can be configured to sign authentication requests and responses.

To view your current configuration:

  1. Click Devices > Identity Servers > Edit.

  2. In the Identity Provider section, view the setting for the Require Signed Authentication Requests option. If it is selected, Identity Server (acting as identity provider) accepts only signed authentication requests from service providers.

  3. In the Identity Consumer section, view the settings for the Require Signed Assertions and Sign Authentication Requests options. If Require Signed Assertions is selected, assertions received from identity providers must be signed; if Sign Authentication Requests is selected, the authentication requests that Identity Server sends to identity providers are signed with the key pair.

SOAP Back Channel

The SOAP back channel is the channel that the protocols use to communicate directly with a provider. The SOAP back channel is used for artifact resolutions and attribute queries for the Identity Web Services Framework.

To view your current configuration for the SOAP back channel:

  1. Click Devices > Identity Servers > Edit.

  2. Select the protocol (Liberty, SAML 1.1, or SAML 2.0), then click the name of an identity provider or service provider.

  3. Click Trust.

  4. View the Security section. If the Message Signing option is selected, signing is enabled for the SOAP back channel.

Profiles

Any of the Web Service Provider profiles can be enabled for signing by configuring it to use X.509 as its message-level security mechanism.

To view your current configuration:

  1. Click Devices > Identity Servers > Edit > Liberty > Web Service Provider.

  2. Click the name of a profile, then click Descriptions.

  3. Click the Description Name.

  4. If the selected security mechanism is either Peer entity = None, Message = X509 or Peer entity = MutualTLS, Message = X509, signing is enabled for the profile.

10.4.2 Viewing Services That Use the Encryption

All of the Liberty Web Service Provider profiles can be configured so that their resource IDs are encrypted. By default, no profile encrypts the IDs.

To view your current configuration:

  1. Click Devices > Identity Servers > Edit > Liberty > Web Service Provider.

  2. Click the name of a profile.

  3. If the Have Discovery Encrypt This Service’s Resource IDs option is selected, the encryption key pair is used to encrypt the resource IDs.