ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Assertions are Signed Despite no Signing Alias Specified


Article ID: 129654


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


Customer is testing a new Legacy Federation configuration in which they are the IDP.  The SP is not ready to process signed assertions, so no Signing Alias is specified in the Service Provider object, yet assertions are being signed with one of the certificates that is used for a different configuration.


The Admin UI should not allow the Service Provider object to be saved if Signature Processing is enabled (default) and no Signing Alias is specified.  This is because there is no option to not sign the assertion short of disabling Signature Processing (there is a Disable Signature Processing checkbox on the Signing and Encryption property sheet).


Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP


The only way to not sign assertions is to select the 'Disable Signature Processing' checkbox.  Whenever this box is not selected, a Signing Alias should always be specified, else the alias used to sign assertions may not be predictable.