Assertions are Signed Despite no Signing Alias Specified
Article ID: 129654
CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
A customer is testing a new Legacy Federation configuration in which they are the IdP. The SP is not ready to process signed assertions, so no Signing Alias is specified in the Service Provider object. Assertions are nevertheless being signed, with one of the certificates that is used for a different configuration.
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:
The Admin UI should not allow the Service Provider object to be saved if Signature Processing is enabled (default) and no Signing Alias is specified. This is because there is no option to not sign the assertion short of disabling Signature Processing (there is a Disable Signature Processing checkbox on the Signing and Encryption property sheet).
The only way to not sign assertions is to select the 'Disable Signature Processing' checkbox. Whenever this box is not selected, a Signing Alias should always be specified; otherwise the alias used to sign assertions may not be predictable.
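To confirm which behaviour a partnership is actually producing, the following added example (not Broadcom code) inspects a decoded SAML 2.0 response captured from a test login and reports whether each assertion is signed and with which embedded certificate. The function names, the SAML 2.0 format, and the sample response are assumptions made for illustration; the placeholder bytes stand in for a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signature_report(response_xml):
    """One entry per Assertion: is an enveloped ds:Signature present, and what
    is the SHA-256 fingerprint of the certificate embedded in its KeyInfo?
    Presence only; this does not validate the signature cryptographically."""
    report = []
    for assertion in ET.fromstring(response_xml).iter("{%s}Assertion" % NS["saml"]):
        sig = assertion.find("ds:Signature", NS)  # direct child of the Assertion
        fingerprint = None
        if sig is not None:
            cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:  # KeyInfo may be omitted
                der = base64.b64decode("".join(cert.text.split()))
                fingerprint = hashlib.sha256(der).hexdigest()
        report.append({"id": assertion.get("ID"), "signed": sig is not None,
                       "cert_sha256": fingerprint})
    return report

def unexpected(report, expected_sha256=None):
    """expected_sha256=None: the partner expects unsigned assertions.
    Otherwise: every assertion must carry the expected certificate."""
    if expected_sha256 is None:
        return [r for r in report if r["signed"]]
    return [r for r in report if r["cert_sha256"] != expected_sha256]

# Constructed sample: placeholder bytes stand in for the DER certificate.
PLACEHOLDER_CERT = b"constructed-placeholder-not-a-real-certificate"
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed_resp">
  <saml:Assertion ID="_constructed_assertion" Version="2.0">
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>""" % base64.b64encode(PLACEHOLDER_CERT).decode()

if __name__ == "__main__":
    for entry in unexpected(signature_report(SAMPLE)):
        print("unexpectedly signed:", entry["id"], entry["cert_sha256"])
```

Comparing the reported fingerprint against the SHA-256 fingerprints of the certificates in the certificate data store shows which alias was picked when none was configured.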