12.5.5 Configuring SAML 2.0 to Sign Messages

In conformance with the SAML 2.0 specification, the Identity Server does not require POST messages to be signed. However, if you want this extra layer of security, you can configure the Identity Server to sign SAML 2.0 POST messages. This is a global option: when it is enabled, POST messages are signed for all SAML 2.0 service providers.

To enable the signing of post messages:

  1. Open the web.xml file.

    Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF/

    Windows Server 2012: \Program Files\Novell\Tomcat\webapps\nidp\WEB-INF\

  2. Add the following lines to the file:

     <context-param>
        <param-name>SignPost</param-name>
        <param-value>true</param-value>
     </context-param>

  3. Save the file and copy it to each Identity Server in the cluster.

  4. Restart Tomcat on each Identity Server in the cluster.

    Linux: Enter one of the following commands:

    /etc/init.d/novell-idp restart

    rcnovell-idp restart

    Windows: Enter the following commands:

    net stop Tomcat7

    net start Tomcat7

You can also configure the Identity Server to sign SAML 2.0 POST messages for one or more specific trusted providers rather than globally.

To enable the signing of post messages for specific trust providers:

Enable the following properties in the Administration Console. For information about how to set properties in the Administration Console, see Configuring Identity Server Global Options and Defining Options for SAML 2.0.

IS SAML2 POST SIGN RESPONSE: Specify true to make the identity provider send signed SAML 2.0 POST responses to all of its trusted providers.

NOTE: Configuring IS SAML2 POST SIGN RESPONSE has the same effect as configuring SignPost in web.xml. However, configuring it through the Administration Console is recommended because it provides more options. You can combine these options with IS SAML2 POST SIGN RESPONSE to avoid restarting Access Manager.

SAML2 POST SIGN RESPONSE TRUSTEDPROVIDERS: Specify the entityID of one or more trusted providers. Set the value to true to verify the signed SAML 2.0 POST responses.

Avoiding Assertion Signing Validation

You can enable the SAML2 AVOID SIGN AND VALIDATE ASSERTION TRUSTEDPROVIDERS option on both the identity provider and the service provider.

If this flag is set on the identity provider, then the complete POST message (excluding the assertion) is signed.

If this option is set on the service provider, then the signature of the POST message is verified but the assertion signature is not verified. If this option is not set on the service provider and an identity provider sends an assertion where only the assertion is signed, the service provider cannot validate it.

To avoid assertion signing or validation, perform the following procedure on the identity provider or the service provider.

  1. In the Administration Console, click Identity Server > Edit > SAML 2.0 > Service Provider or Identity Provider > Options > New.

  2. Select SAML2 AVOID SIGN AND VALIDATE ASSERTION TRUSTEDPROVIDERS and specify the value in this format: entityID of the identity provider, entityID2 of the service provider.

    NOTE: The entityIDs of the identity provider and the service provider are comma-separated values.

    For example, to enable this flag on the identity provider, use the following format: https://www.idp.com:8443/nidp/saml/metadata

    For example, to enable this flag on the service provider, use the following format: https://www.sp.com:8443/nidp/saml/metadata

  3. Save the configuration.

  4. Restart the Identity Server. For restarting, see Step 4.

When this flag is set on the service provider, the SAML 2.0 POST response is signed and the assertion is not signed. The service provider accepts the response instead of returning an error.
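The distinction this section draws, a signed POST Response whose Assertion is unsigned versus a message where only the Assertion carries a signature, is easiest to troubleshoot on a captured SAMLResponse. The following Python script is an added example and is not part of the Access Manager product or of this documentation. It base64-decodes the SAMLResponse form field of the HTTP-POST binding, reports whether the Response element and each Assertion element carry an enveloped ds:Signature, and checks that each signature's Reference URI matches the ID of the element it sits in. It inspects signature placement only and does not verify the signatures cryptographically; the signature values in the two constructed sample messages are placeholders, and the issuer in them is the example identity provider entityID used in this section.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 protocol/assertion and XML-DSig namespaces
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_response(b64_value):
    """Decode the base64 SAMLResponse form field of the HTTP-POST binding."""
    return base64.b64decode(b64_value)


def encode_saml_response(xml_bytes):
    """Encode raw XML the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def _enveloped_reference(elem):
    """Return the ds:Reference URI of a ds:Signature that is a direct child of
    elem, "" if that signature has no Reference, or None if elem is unsigned."""
    sig = elem.find("ds:Signature", NS)  # find() only looks at direct children
    if sig is None:
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref.get("URI", "") if ref is not None else ""


def inspect_signatures(xml_bytes):
    """Report where signatures sit in a samlp:Response and whether each
    enveloped signature's Reference points at the element carrying it."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    ref = _enveloped_reference(root)
    report = {
        "response_signed": ref is not None,
        "response_ref_ok": ref == "#" + root.get("ID", ""),
        "assertions": [],
    }
    for assertion in root.findall("saml:Assertion", NS):
        aref = _enveloped_reference(assertion)
        report["assertions"].append({
            "id": assertion.get("ID"),
            "signed": aref is not None,
            "ref_ok": aref == "#" + assertion.get("ID", ""),
        })
    return report


def signing_layout(xml_bytes):
    """Classify a message as response-only, assertion-only, both or none."""
    r = inspect_signatures(xml_bytes)
    assertion_signed = any(a["signed"] for a in r["assertions"])
    if r["response_signed"] and assertion_signed:
        return "both"
    if r["response_signed"]:
        return "response-only"
    if assertion_signed:
        return "assertion-only"
    return "none"


# Constructed sample: the layout produced when the avoid-assertion flag is set
# on the identity provider (Response signed, Assertion unsigned).
RESPONSE_SIGNED_ONLY = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Issuer>https://www.idp.com:8443/nidp/saml/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0">
    <saml:Issuer>https://www.idp.com:8443/nidp/saml/metadata</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: only the Assertion is signed.
ASSERTION_SIGNED_ONLY = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2" Version="2.0">
  <saml:Issuer>https://www.idp.com:8443/nidp/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt2" Version="2.0">
    <saml:Issuer>https://www.idp.com:8443/nidp/saml/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_asrt2"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for name, msg in (("response-signed", RESPONSE_SIGNED_ONLY),
                      ("assertion-signed", ASSERTION_SIGNED_ONLY)):
        posted = encode_saml_response(msg)  # what the browser would POST
        print(name, signing_layout(decode_saml_response(posted)),
              inspect_signatures(decode_saml_response(posted)))
```

To inspect a real message, pass the value of the SAMLResponse form parameter to decode_saml_response and then to signing_layout. A "response-only" result on a service provider that does not have the avoid-assertion flag set, or an "assertion-only" result on one that does, points at a mismatch between the two sides' settings. Whether a signature is cryptographically valid is a separate question that needs an XML-DSig implementation and the identity provider's signing certificate.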