Learn how to configure the required parameters in the federation and partner response files to support SHA256 signing and digests in Tivoli® Federated Identity Manager.
1. Export the metadata file.

2. Add partners. Ensure that you select a signing key and a signature algorithm. See Table 1 for more information on the SHA256 attributes.
Table 1. SAML 2.0 SHA256 attributes

| SAML 2.0 SHA256 attribute | Values | Applicable to | Remarks |
|---|---|---|---|
| SigningKeyIdentifier | Keystore name and key name joined with an underscore, in the same form as the examples for the other key identifiers below | IP and SP | Signs outgoing SAML messages and the SAML assertion. If AssertionSigningKeyIdentifier is specified, that key signs the SAML assertion instead. Configurable in the management console and in the federation response file. |
| AssertionSigningKeyIdentifier | For example: DefaultKeyStore_dsatestkey | IP only | Signs the outgoing SAML assertion. Configurable only in the federation response file. |
| SignatureAlgorithm | http://www.w3.org/2000/09/xmldsig#dsa-sha1, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | IP and SP | Signs outgoing SAML messages and the SAML assertion. If AssertionSignatureAlgorithm is specified, that algorithm signs the SAML assertion instead. The value must match the key type of the SigningKeyIdentifier (dsa-sha1 requires a DSA key; rsa-sha1 and rsa-sha256 require an RSA key). If AssertionSigningKeyIdentifier is specified and AssertionSignatureAlgorithm is not, the value must also match the key type of the AssertionSigningKeyIdentifier. Configurable in the management console and in the partner response file. |
| DigestAlgorithm | http://www.w3.org/2000/09/xmldsig#sha1, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha512 | IP and SP | Generates the digest values for SAML messages and the SAML assertion. If AssertionDigestAlgorithm is specified, that algorithm produces the SAML assertion digest instead. If not specified, the DigestAlgorithm becomes: Configurable only in the partner response file. |
| AssertionSignatureAlgorithm | http://www.w3.org/2000/09/xmldsig#dsa-sha1, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | IP only | Signs the outgoing SAML assertion. The value must match the key type of the AssertionSigningKeyIdentifier. If not specified, the SignatureAlgorithm signs the SAML assertion. Configurable only in the partner response file. |
| AssertionDigestAlgorithm | http://www.w3.org/2000/09/xmldsig#sha1, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmlenc#sha512 | IP only | Produces the digest value of the outgoing SAML assertion. If not specified, the DigestAlgorithm produces the assertion digest. Configurable only in the partner response file. |
| AssertionValidateKeyIdentifier | For example: DefaultTrustedKeyStore_IP-validationkey | SP only | The key that the service provider uses to validate the SAML assertion from the identity provider. It must be the public key that corresponds to the key the identity provider uses to sign the SAML assertion. Configurable only in the partner response file. |
3. Create a response file for each federation and for each partner, on both the identity provider and the service provider:

wsadmin>$AdminTask manageItfimFederation
    {-operation createResponseFile -fimDomainName <fimdomain>
    -federationName <IP_fedname> -fileId output_file}

wsadmin>$AdminTask manageItfimFederation
    {-operation createResponseFile -fimDomainName <fimdomain>
    -federationName <SP_fedname> -fileId output_file}

wsadmin>$AdminTask manageItfimPartner
    {-operation createResponseFile -fimDomainName <fimdomain>
    -federationName <IP_fedname> -partnerName <Partner_name>
    -fileId output_file}

wsadmin>$AdminTask manageItfimPartner
    {-operation createResponseFile -fimDomainName <fimdomain>
    -federationName <SP_fedname> -partnerName <Partner_name>
    -fileId output_file}
4. Edit the response files and set the SHA256 parameters listed in Table 2. The key identifiers go in the federation response files; the algorithms and the validation key go in the partner response files. N/A means the parameter does not apply to that side.

Table 2. SAML 2.0 SHA256 parameters by response file

| SAML 2.0 SHA256 parameter | Identity provider | Service provider |
|---|---|---|
| Federation response file | | |
| SigningKeyIdentifier | | |
| AssertionSigningKeyIdentifier | | N/A |
| Partner response file | | |
| AssertionValidateKeyIdentifier | N/A | |
| SignatureAlgorithm | | |
| DigestAlgorithm | | |
| AssertionSignatureAlgorithm | | |
| AssertionDigestAlgorithm | | |
5. Apply the edited response files to the federations and partners:

wsadmin>$AdminTask manageItfimFederation
    {-operation modify -fimDomainName <fimdomain>
    -federationName <IP_fedname>
    -fileId <Path_to_IP_federation_response_file>}

wsadmin>$AdminTask manageItfimFederation
    {-operation modify -fimDomainName <fimdomain>
    -federationName <SP_fedname>
    -fileId <Path_to_SP_federation_response_file>}

wsadmin>$AdminTask manageItfimPartner
    {-operation modify -fimDomainName <fimdomain>
    -federationName <IP_fedname>
    -partnerName <IP_partner_name>
    -fileId <Path_to_IP_partner_response_file>}

wsadmin>$AdminTask manageItfimPartner
    {-operation modify -fimDomainName <fimdomain>
    -federationName <SP_fedname>
    -partnerName <SP_partner_name>
    -fileId <Path_to_SP_partner_response_file>}
6. Enable the partners on both sides:

wsadmin>$AdminTask manageItfimPartner
    {-operation enable -fimDomainName <fimdomain>
    -federationName <IP_fedname>
    -partnerName <IP_partner_name>}

wsadmin>$AdminTask manageItfimPartner
    {-operation enable -fimDomainName <fimdomain>
    -federationName <SP_fedname>
    -partnerName <SP_partner_name>}
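As an added example (not part of the IBM documentation or product), the following Python script applies the consistency rules from Table 1 to a planned set of values before you write them into the response files, and then parses a signed SAML 2.0 Response to report which SignatureMethod and DigestMethod algorithms a federation actually produces once the partners are enabled. The key identifiers, the key-type mapping and the sample Response are constructed for the example; the key type of each key identifier is assumed to be looked up from the keystore by the caller.

```python
# Added example, not IBM code: check Table 1 values for consistency, then
# inspect a signed SAML 2.0 Response for the algorithms really in use.
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512"

# Key type each signature algorithm requires (Table 1: the algorithm must
# match the key type of the key identifier it is paired with).
KEY_TYPE_FOR_SIG = {DSA_SHA1: "DSA", RSA_SHA1: "RSA", RSA_SHA256: "RSA"}
DIGEST_ALGS = {SHA1, SHA256, SHA512}
SHA1_BASED = {DSA_SHA1, RSA_SHA1, SHA1}


def check_params(params, key_types):
    """params: Table 1 attribute name -> value as it would go into the
    federation/partner response files. key_types: key identifier -> "RSA" or
    "DSA", looked up from the keystore by the caller (assumed input).
    Returns a list of problems; an empty list means the set is consistent."""
    problems = []
    sig = params.get("SignatureAlgorithm")
    asig = params.get("AssertionSignatureAlgorithm")
    key = params.get("SigningKeyIdentifier")
    akey = params.get("AssertionSigningKeyIdentifier")

    if sig not in KEY_TYPE_FOR_SIG:
        problems.append(f"SignatureAlgorithm {sig!r} is not a supported value")
    if asig is not None and asig not in KEY_TYPE_FOR_SIG:
        problems.append(f"AssertionSignatureAlgorithm {asig!r} is not a supported value")

    # Messages are signed with SigningKeyIdentifier + SignatureAlgorithm.
    if key and sig in KEY_TYPE_FOR_SIG and key_types.get(key) != KEY_TYPE_FOR_SIG[sig]:
        problems.append(f"SignatureAlgorithm needs a {KEY_TYPE_FOR_SIG[sig]} key "
                        f"but SigningKeyIdentifier {key} is {key_types.get(key)}")

    # The assertion is signed with AssertionSigningKeyIdentifier if set (else
    # SigningKeyIdentifier) and AssertionSignatureAlgorithm if set (else
    # SignatureAlgorithm); that pair must match too.
    assertion_key, assertion_sig = akey or key, asig or sig
    if (akey or asig) and assertion_key and assertion_sig in KEY_TYPE_FOR_SIG \
            and key_types.get(assertion_key) != KEY_TYPE_FOR_SIG[assertion_sig]:
        which = "AssertionSigningKeyIdentifier" if akey else "SigningKeyIdentifier"
        problems.append(f"assertion signature {assertion_sig} needs a "
                        f"{KEY_TYPE_FOR_SIG[assertion_sig]} key but {which} "
                        f"{assertion_key} is {key_types.get(assertion_key)}")

    for name in ("DigestAlgorithm", "AssertionDigestAlgorithm"):
        value = params.get(name)
        if value is not None and value not in DIGEST_ALGS:
            problems.append(f"{name} {value!r} is not a supported value")

    # The point of the exercise: nothing should still be on SHA-1.
    for name, value in params.items():
        if value in SHA1_BASED:
            problems.append(f"weak: {name} still uses SHA-1 ({value})")
    return problems


# Constructed sample: the Response is on SHA256 but the embedded Assertion was
# still signed with SHA-1. Digest/signature values are placeholders, not real.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_resp1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_assert1">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_assert1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def used_algorithms(xml_text):
    """Return [(signed element, SignatureMethod URI, [DigestMethod URIs])]
    for every ds:Signature in the document, in document order."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for sig in root.iter(f"{{{DSIG}}}Signature"):
        info = sig.find(f"{{{DSIG}}}SignedInfo")
        method = info.find(f"{{{DSIG}}}SignatureMethod").get("Algorithm")
        digests = [ref.find(f"{{{DSIG}}}DigestMethod").get("Algorithm")
                   for ref in info.findall(f"{{{DSIG}}}Reference")]
        owner = parent_of[sig].tag.split("}")[-1]  # e.g. Response, Assertion
        found.append((owner, method, digests))
    return found


def still_sha1(found):
    """Names of signed elements whose signature or any digest is SHA-1 based."""
    return [owner for owner, method, digests in found
            if method in SHA1_BASED or any(d in SHA1_BASED for d in digests)]


if __name__ == "__main__":
    planned = {"SigningKeyIdentifier": "DefaultKeyStore_testkey",
               "AssertionSigningKeyIdentifier": "DefaultKeyStore_dsatestkey",
               "SignatureAlgorithm": RSA_SHA256, "DigestAlgorithm": SHA256}
    keys = {"DefaultKeyStore_testkey": "RSA", "DefaultKeyStore_dsatestkey": "DSA"}
    for p in check_params(planned, keys):
        print("config:", p)
    for owner, method, digests in used_algorithms(SAMPLE_RESPONSE):
        print(f"{owner}: {method} digests={digests}")
    print("still SHA-1:", still_sha1(used_algorithms(SAMPLE_RESPONSE)))
```

Run `check_params` against the values you intend to put in the federation and partner response files, then capture a real Response from the enabled federation (for example from a browser's SAML trace) and feed it to `used_algorithms`: an Assertion that still reports rsa-sha1 or sha1 means the AssertionSignatureAlgorithm or AssertionDigestAlgorithm (or the SignatureAlgorithm/DigestAlgorithm fallback) in the partner response file was not applied.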