This procedure assumes you have already configured trust with an identity provider and want to change these settings as a follow-on procedure. You can also make these same settings during trust configuration.
For more information, see Trusting an Identity Provider.
This procedure also assumes that the public-key certificates you use to encrypt messages and check digital signatures have already been configured. Although you can change the configured public-key certificate with this procedure, we recommend that you perform an update of the trusted provider instead.
For more information, see Updating the Configuration of a Trusted Provider.
Depending on how you have configured the trust between your SAML service provider and its trusted identity provider, the SAML messages exchanged can include authentication-relevant or personal information. Information of this kind includes the user ID, first name, last name, address, and telephone number. Exposing such information can put your network at risk from eavesdroppers or violate local compliance regulations.
The SAML standard provides signature and encryption configurations to protect SAML bindings:
Digital signatures validate the identity of the provider that sent the message.
You configure what messages the service provider signs and what messages must be signed by the identity provider. The service provider rejects unsigned messages that require signatures.
The service provider supports the following digest algorithms for signing the outgoing SAML 2.0 messages:
Encryption makes sensitive information unreadable without decryption.
You configure what information the service provider encrypts and what information must be encrypted by the identity provider. The service provider rejects messages that carry information in clear text where encrypted information is required.
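The two rejection rules above, as an added example that is not SAP's code: a policy pre-check on an inbound SAML 2.0 Response that reports whether the parts the service provider requires are present as signed or encrypted, and whether the digest algorithm is one the service provider accepts. It checks structure only (the cryptographic verification itself is done by the service provider's XML security library), and the allowed digest set, sample messages and policy defaults are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
# Assumed policy for this example: digest algorithms the service provider accepts.
ALLOWED_DIGESTS = {SHA256}


def check_response_policy(xml_text, sign_response=True, sign_assertion=True, encrypt_assertion=True):
    """Return a list of policy violations for an inbound Response.
    An empty list means the message may proceed to cryptographic verification.
    Only presence of the required elements is checked, not signature validity."""
    root = ET.fromstring(xml_text)
    problems = []
    if sign_response and root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    encrypted = root.find("saml:EncryptedAssertion", NS)
    plain = root.find("saml:Assertion", NS)
    if encrypt_assertion and encrypted is None:
        problems.append("Assertion is not encrypted")
    if sign_assertion and plain is not None and plain.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    # Reject digests outside the configured set, wherever a signature appears.
    for dm in root.iter("{%s}DigestMethod" % NS["ds"]):
        alg = dm.get("Algorithm")
        if alg not in ALLOWED_DIGESTS:
            problems.append("Unsupported digest algorithm: %s" % alg)
    return problems


def make_response(body, digest):
    """Build a constructed sample Response with a structural signature around BODY."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">'
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="%s"/>'
        '</ds:Reference></ds:SignedInfo></ds:Signature>%s</samlp:Response>'
    ) % (NS["samlp"], NS["saml"], NS["ds"], digest, body)


# Constructed samples: an unsigned clear-text assertion, and an encrypted one.
PLAIN_ASSERTION = '<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject></saml:Assertion>'
ENCRYPTED_ASSERTION = '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>'

if __name__ == "__main__":
    print(check_response_policy(make_response(PLAIN_ASSERTION, SHA256)))
    print(check_response_policy(make_response(ENCRYPTED_ASSERTION, SHA256)))
```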
If your network configuration allows it, you can also use back-channel communication to keep sensitive information away from the client. Even back-channel communication can require protection if the direct connection between the service provider and the identity provider is not itself secured.
For more information, see Configuring Back-Channel Communication.