Message encryption
SAML supports both signing and encryption of messages exchanged between the IdP and SP: a signature lets the receiver verify the origin and integrity of a message, while encryption keeps the contents of an assertion confidential in transit.
- Public X.509 certificate
-
It is recommended that all assertions from the IdP be signed.
This allows the portal to verify that the assertion really originated at the trusted IdP and was not altered in transit. For verification, the portal validates the assertion's signature against the trusted IdP's public X.509 certificate; an assertion whose signature does not validate against that certificate must not be trusted. For more information about the configuration of the IdP's public certificate, see Identity Provider parameters.
- Encryption algorithm
-
Supplier Portal signs outgoing messages to the IdP with the SHA1 hashing algorithm. The portal accepts incoming messages from the IdP signed with either the SHA1 or the SHA256 hashing algorithm. Note that SHA-1 is deprecated for digital signatures; where the IdP offers a choice, configure it to sign with SHA256.
Supplier Portal can decrypt assertions from the IdP encrypted with the AES-128, AES-256, or Triple DES encryption algorithm. Triple DES is a legacy cipher; prefer AES-128 or AES-256 where the IdP supports it.
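A practical check before going live is to look at which algorithms the IdP actually uses and compare them with the list above. The following Python script is an added example, not part of the portal or its documentation: it parses a SAML Response, reports the signature algorithm of each clear-text assertion (and of the Response itself, if signed), the cipher of each encrypted assertion, and flags unsigned assertions and the deprecated SHA-1 and Triple DES choices. It only reads the algorithm identifiers; it does not verify the signature itself, and the sample Response embedded at the end is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Algorithm identifiers from the XML Signature / XML Encryption specifications,
# mapped to the names used in the portal documentation and a "weak" flag.
SIGNATURE_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": ("SHA1", True),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": ("SHA256", False),
}
ENCRYPTION_ALGS = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc": ("AES-128", False),
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc": ("AES-256", False),
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": ("Triple DES", True),
}


def _classify(uri, table, kind, report):
    """Record the algorithm name; warn if it is weak or not in the supported list."""
    if uri in table:
        name, weak = table[uri]
        if weak:
            report["warnings"].append(f"weak {kind} algorithm {name}")
    else:
        name = uri
        report["warnings"].append(f"{kind} algorithm not in the supported list: {uri}")
    report[f"{kind}_algs"].append(name)


def inspect_response(xml_text):
    """Return the signature/encryption algorithms seen in a SAML Response plus warnings."""
    root = ET.fromstring(xml_text)
    report = {"signature_algs": [], "encryption_algs": [], "warnings": []}

    # Optional signature over the whole Response element.
    resp_sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if resp_sig is not None:
        _classify(resp_sig.get("Algorithm", ""), SIGNATURE_ALGS, "signature", report)

    # Clear-text assertions (direct children only): each should carry a signature.
    for assertion in root.iterfind("saml:Assertion", NS):
        sig = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if sig is None:
            report["warnings"].append(f"unsigned assertion {assertion.get('ID')}")
            continue
        _classify(sig.get("Algorithm", ""), SIGNATURE_ALGS, "signature", report)

    # Encrypted assertions: only the cipher is visible here; the signature on the
    # inner assertion can be checked only after decryption with the SP private key.
    path = "saml:EncryptedAssertion/xenc:EncryptedData/xenc:EncryptionMethod"
    for enc in root.iterfind(path, NS):
        _classify(enc.get("Algorithm", ""), ENCRYPTION_ALGS, "encryption", report)
    return report


# Constructed sample: one assertion signed with RSA-SHA1, one assertion encrypted
# with Triple DES, and one unsigned assertion. Signature/cipher values are dummies.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>ZmFrZQ==</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData><xenc:CipherValue>ZmFrZQ==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for line in inspect_response(SAMPLE_RESPONSE)["warnings"]:
        print("WARNING:", line)
```

Run it against a Response captured from the browser (for example the base64-decoded SAMLResponse form field of the POST to the portal's assertion consumer URL). Any "unsigned assertion" or "not in the supported list" warning means the IdP configuration needs to change before the portal can validate what it receives; the "weak" warnings point at SHA-1 or Triple DES choices that work with the portal but should be upgraded where the IdP allows it.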
- Service Provider private key and X.509 certificate
-
Optionally, a public X.509 certificate and matching private key can be configured for the portal.
The portal, as the SP, then uses this certificate/key pair to sign outgoing requests to the IdP and to decrypt assertions from the IdP (if the IdP supports encrypting assertions; the IdP encrypts with the portal's public certificate and the portal decrypts with its private key). For more information about the configuration of a private key, see Service Provider parameters. The certificate/key pair stored in the portal can be reset if required.
The portal does not ship with a certificate/key pair, so that customers can choose the key type and key length themselves. If you want to use this option, you need to provide your own certificate/key pair and keep the private key confidential: anyone holding it can sign requests as the portal and decrypt assertions intended for it.