Assertions are Signed Despite no Signing Alias Specified


Article ID: 129654


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

The customer is testing a new Legacy Federation configuration in which they are the IdP. The SP is not ready to process signed assertions, so no Signing Alias is specified in the Service Provider object. Assertions are nevertheless being signed, with one of the certificates that is used for a different configuration.

Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Cause

The Admin UI should not allow the Service Provider object to be saved if Signature Processing is enabled (the default) and no Signing Alias is specified. This is because the only way to stop the assertion from being signed is to disable Signature Processing, using the Disable Signature Processing checkbox on the Signing and Encryption property sheet.

Resolution

The only way to not sign assertions is to select the 'Disable Signature Processing' checkbox. Whenever this box is not selected, a Signing Alias should always be specified; otherwise the alias used to sign assertions may not be predictable.