IBM Tivoli Federated Identity Manager, Version 6.2.2

Using the command-line interface to configure Tivoli Federated Identity Manager SHA256 support

Learn how to configure the required response file parameters to support SHA256 in Tivoli® Federated Identity Manager.

Procedure

  1. Click Integrated Solutions Console > Tivoli Federated Identity Manager to do the following tasks:
    1. Create SAML 2.0 identity provider and service provider federations. See Creating your role in the federation.
    2. Export the metadata file.

    3. Add partners. Ensure that you select a signing key and a signature algorithm. See Table 1 for more information on the SHA256 attributes.

      Table 1. SAML 2.0 SHA256 Parameter Configuration Matrix

      SigningKeyIdentifier
        Values: Yes
        Applicable to: IP and SP
        Remarks: Signs outgoing SAML messages and the SAML assertion. If the AssertionSigningKeyIdentifier is specified, the AssertionSigningKeyIdentifier signs the SAML assertion instead. The attribute is configurable in the management console and in the federation response file.

      AssertionSigningKeyIdentifier
        Values: For example, DefaultKeyStore_dsatestkey
        Applicable to: IP only
        Remarks: Signs the outgoing SAML assertion. The attribute is configurable only in the federation response file.

      SignatureAlgorithm
        Values:
          http://www.w3.org/2000/09/xmldsig#dsa-sha1
          http://www.w3.org/2000/09/xmldsig#rsa-sha1
          http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
        Applicable to: IP and SP
        Remarks: Signs outgoing SAML messages and the SAML assertion. If the AssertionSignatureAlgorithm is specified, the AssertionSignatureAlgorithm signs the SAML assertion. The SignatureAlgorithm value must match the key type of the key specified by the SigningKeyIdentifier. If the AssertionSigningKeyIdentifier is specified and the AssertionSignatureAlgorithm is not, the SignatureAlgorithm value must also match the key type of the key specified by the AssertionSigningKeyIdentifier. The attribute is configurable in the management console and in the partner response file.

      DigestAlgorithm
        Values:
          http://www.w3.org/2000/09/xmldsig#sha1
          http://www.w3.org/2001/04/xmlenc#sha256
          http://www.w3.org/2001/04/xmlenc#sha512
        Applicable to: IP and SP
        Remarks: Generates the digest values of SAML messages and the SAML assertion. If the AssertionDigestAlgorithm is specified, the AssertionDigestAlgorithm hashes the SAML assertion digest. If the DigestAlgorithm is not specified, it defaults to:
          • SHA1, when the SignatureAlgorithm is DSA-SHA1 or RSA-SHA1
          • SHA256, when the SignatureAlgorithm is RSA-SHA256
        The attribute is configurable only in the partner response file.

      AssertionSignatureAlgorithm
        Values:
          http://www.w3.org/2000/09/xmldsig#dsa-sha1
          http://www.w3.org/2000/09/xmldsig#rsa-sha1
          http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
        Applicable to: IP only
        Remarks: Signs the outgoing SAML assertion. The value must match the key type of the key specified by the AssertionSigningKeyIdentifier. If the AssertionSignatureAlgorithm is not specified, the SignatureAlgorithm signs the SAML assertion. The attribute is configurable only in the partner response file.

      AssertionDigestAlgorithm
        Values:
          http://www.w3.org/2000/09/xmldsig#dsa-sha1
          http://www.w3.org/2000/09/xmldsig#rsa-sha1
          http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
        Applicable to: IP only
        Remarks: Signs the outgoing SAML assertion. The value must match the key type of the key specified by the AssertionSigningKeyIdentifier. If the AssertionSignatureAlgorithm is not specified, the SignatureAlgorithm signs the SAML assertion. The attribute is configurable only in the partner response file.

      AssertionValidateKeyIdentifier
        Values: For example, DefaultTrustedKeyStore_IP-validationkey
        Applicable to: SP only
        Remarks: The key that the service provider uses to validate SAML assertions from the identity provider. The AssertionValidateKeyIdentifier must be identical to the public key that the identity provider uses when signing a SAML assertion. The attribute is configurable only in the partner response file.

  2. From the command-line interface, generate the response files of the identity provider and the service provider federation and the partners that you have added. Use the following commands:
    Identity provider federation response file:
    wsadmin>$AdminTask manageItfimFederation 
    {-operation createResponseFile -fimDomainName <fimdomain> 
    -federationName <IP_fedname> -fileId output_file}
    Service provider federation response file:
    wsadmin>$AdminTask manageItfimFederation 
    {-operation createResponseFile -fimDomainName <fimdomain> 
    -federationName <SP_fedname> -fileId output_file}
    Identity provider partner response file:
    wsadmin>$AdminTask manageItfimPartner 
    {-operation createResponseFile -fimDomainName <fimdomain> 
    -federationName <IP_fedname> -partnerName <Partner_name> 
    -fileId output_file}
    Service provider partner response file:
    wsadmin>$AdminTask manageItfimPartner 
    {-operation createResponseFile -fimDomainName <fimdomain> 
    -federationName <SP_fedname> -partnerName <Partner_name>
    -fileId output_file}
  3. Edit the SAML 2.0 SHA256 attributes in the identity provider and service provider federation response files and in the partner response files, using the values in Table 2.
    Table 2. Identity Provider and Service Provider SHA256 Federation and Partner Response File Parameters

    Federation response file

    SigningKeyIdentifier
      Identity provider:
      <void method="put">
       <string>SigningKeyIdentifier</string>
       <object class="java.util.ArrayList">
        <void method="add">
         <string>DefaultKeyStore_<dsakey></string>
        </void>
       </object>
      </void>
      Service provider:
      <void method="put">
       <string>SigningKeyIdentifier</string>
       <object class="java.util.ArrayList">
        <void method="add">
         <string>DefaultKeyStore_<rsakey></string>
        </void>
       </object>
      </void>

    AssertionSigningKeyIdentifier
      Identity provider:
      <void method="put">
       <string>AssertionSigningKeyIdentifier</string>
       <object class="java.util.ArrayList">
        <void method="add">
         <string>DefaultKeyStore_<rsakey></string>
        </void>
       </object>
      </void>
      Service provider: N/A

    Partner response file

    AssertionValidateKeyIdentifier
      Identity provider: N/A
      Service provider:
      <void method="put">
       <string>AssertionValidateKeyIdentifier</string>
       <object class="java.util.ArrayList">
        <void method="add">
         <string>DefaultTrustedKeyStore_<IP_publickey></string>
        </void>
       </object>
      </void>

    SignatureAlgorithm
      Identity provider:
      <void method="put">
       <string>SignatureAlgorithm</string>
       <object class="java.util.ArrayList">
        <void method="add">
         <string>http://www.w3.org/2000/09/xmldsig#dsa-sha1</string>
        </void>
       </object>
      </void>
      Service provider:
      <void method="put">
       <string>SignatureAlgorithm</string>
       <object class="java.util.ArrayList">
        <void method="add">
         <string>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</string>
        </void>
       </object>
      </void>

    DigestAlgorithm
      Identity provider:
      <void method="put">
       <string>DigestAlgorithm</string>
       <object class="java.util.ArrayList">
        <void method="add">
         <string>http://www.w3.org/2000/09/xmldsig#sha1</string>
        </void>
       </object>
      </void>
      Service provider:
      <void method="put">
       <string>DigestAlgorithm</string>
       <object class="java.util.ArrayList">
        <void method="add">
         <string>http://www.w3.org/2001/04/xmlenc#sha512</string>
        </void>
       </object>
      </void>

    AssertionSignatureAlgorithm
      Identity provider:
      <void method="put">
       <string>AssertionSignatureAlgorithm</string>
       <object class="java.util.ArrayList">
        <void method="add">
         <string>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</string>
        </void>
       </object>
      </void>
      Service provider (empty list, that is, not specified):
      <void method="put">
       <string>AssertionSignatureAlgorithm</string>
       <object class="java.util.ArrayList"/>
      </void>

    AssertionDigestAlgorithm
      Identity provider:
      <void method="put">
       <string>AssertionDigestAlgorithm</string>
       <object class="java.util.ArrayList">
        <void method="add">
         <string>http://www.w3.org/2001/04/xmlenc#sha512</string>
        </void>
       </object>
      </void>
      Service provider (empty list, that is, not specified):
      <void method="put">
       <string>AssertionDigestAlgorithm</string>
       <object class="java.util.ArrayList"/>
      </void>
  4. Update the properties of the identity provider and the service provider federations using the modified federation response file.
    For the identity provider:
    wsadmin>$AdminTask manageItfimFederation 
    {-operation modify -fimDomainName <fimdomain> 
    -federationName <IP_fedname> 
    -fileId <Path_to_IP_federation_response_file>}
    For the service provider:
    wsadmin>$AdminTask manageItfimFederation 
    {-operation modify -fimDomainName <fimdomain> 
    -federationName <SP_fedname> 
    -fileId <Path_to_SP_federation_response_file>}
  5. Update the properties of the identity provider and the service provider partner using the modified partner response file.
    For the identity provider:
    wsadmin>$AdminTask manageItfimPartner 
    {-operation modify -fimDomainName <fimdomain> 
    -federationName <IP_fedname> 
    -partnerName <IP_partner_name> 
    -fileId <Path_to_IP_partner_response_file>}
    For the service provider:
    wsadmin>$AdminTask manageItfimPartner 
    {-operation modify -fimDomainName <fimdomain> 
    -federationName <SP_fedname> 
    -partnerName <SP_partner_name> 
    -fileId <Path_to_SP_partner_response_file>}
  6. Enable the identity provider and the service provider partners.
    For the identity provider:
    wsadmin>$AdminTask manageItfimPartner 
    {-operation enable -fimDomainName <fimdomain> 
    -federationName <IP_fedname> 
    -partnerName <IP_partner_name>}
    For the service provider:
    wsadmin>$AdminTask manageItfimPartner 
    {-operation enable -fimDomainName <fimdomain> 
    -federationName <SP_fedname> 
    -partnerName <SP_partner_name>}
  7. Perform single sign-on or single log-off.
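The matching rules in Table 1 (signature algorithm versus signing-key type, and the default digest) are easy to get wrong when the response files are edited by hand. The following Python script is an added example, not part of the product or its documentation: it flattens the put/ArrayList entries of a response file into a dictionary and checks them against those rules. The HashMap wrapper element, the key-identifier-to-key-type map and the sample file are constructed assumptions (in practice the key types come from the keystore).

```python
import xml.etree.ElementTree as ET

DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1, SHA256 = "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmlenc#sha256"
KEY_TYPE_OF_ALG = {DSA_SHA1: "dsa", RSA_SHA1: "rsa", RSA_SHA256: "rsa"}

# Constructed response-file fragment in the java.beans layout of Table 2
# (the HashMap wrapper is an assumption about how the exported file looks).
SAMPLE = """<java class="java.beans.XMLDecoder"><object class="java.util.HashMap">
 <void method="put"><string>SigningKeyIdentifier</string>
  <object class="java.util.ArrayList"><void method="add">
   <string>DefaultKeyStore_dsatestkey</string></void></object></void>
 <void method="put"><string>SignatureAlgorithm</string>
  <object class="java.util.ArrayList"><void method="add">
   <string>http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</string></void></object></void>
</object></java>"""
# Key identifier -> key type; constructed here, in practice read from the keystore.
KEY_TYPES = {"DefaultKeyStore_dsatestkey": "dsa", "DefaultKeyStore_rsatestkey": "rsa"}

def load_params(xml_text):
    """Flatten every <void method="put"> entry into {name: [values]}."""
    params = {}
    for put in ET.fromstring(xml_text).iter("void"):
        if put.get("method") == "put":
            strings = [s.text for s in put.iter("string")]
            params[strings[0]] = strings[1:]  # first <string> is the parameter name
    return params

def check_signing(params, key_types):
    """Apply the Table 1 matching rules; return problems (empty list = consistent)."""
    p = {k: v[0] for k, v in params.items() if v}  # an empty ArrayList means "not specified"
    sig, asig = p.get("SignatureAlgorithm"), p.get("AssertionSignatureAlgorithm")
    key, akey = p.get("SigningKeyIdentifier"), p.get("AssertionSigningKeyIdentifier")
    # SignatureAlgorithm must match the SigningKeyIdentifier key type, and also the
    # AssertionSigningKeyIdentifier type when no AssertionSignatureAlgorithm is set.
    must_match = [key] + ([akey] if akey and not asig else [])
    problems = [f"SignatureAlgorithm {sig} does not match key type of {k}"
                for k in must_match if k and KEY_TYPE_OF_ALG.get(sig) != key_types.get(k)]
    if asig and akey and KEY_TYPE_OF_ALG.get(asig) != key_types.get(akey):
        problems.append(f"AssertionSignatureAlgorithm {asig} does not match key type of {akey}")
    return problems

def effective_digest(params):
    """DigestAlgorithm as configured, else the default Table 1 derives from SignatureAlgorithm."""
    if params.get("DigestAlgorithm"):
        return params["DigestAlgorithm"][0]
    return SHA256 if params.get("SignatureAlgorithm", [None])[0] == RSA_SHA256 else SHA1
```

Run the checker on the merged federation and partner parameters of one side (IP or SP) before the modify operations in steps 4 and 5.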