Tuesday, October 4, 2011

ADFS 2.0 / PingFederate Encryption

AD FS 2.0 Encryption Strength

In AD FS 2.0, encryption of outbound assertions is turned on by default. Assertion encryption occurs for any relying party/service provider for which AS FS 2.0 possesses an encryption certificate.

When it performs encryption, AD FS 2.0 uses 256-bit Advanced Encryption Standard (AES) keys, or AES-256. In contrast, by default PingFederate supports a weaker algorithm (AES-128). Failing to reconcile these conflicting defaults can result in failed SSO attempts.Alternatives for addressing this issue include the following:

• Disabling encryption in AD FS 2.0. To disable encryption, on the AD FS 2.0 computer, click Start, click Administrative Tools, and then click Windows PowerShell Modules. Then, at the Windows PowerShell command prompt, type the following:



set-ADFSRelyingPartyTrust –TargetName “Ping Example” –EncryptClaims $False

• Upgrade PingFederate’s encryption capability. Because of import control restrictions, the standard Java Runtime Environment (JRE) distribution supports strong but not unlimited encryption. For this reason, the strongest cipher suites are commented out of the two configuration files com.pingidentity.crypto.SunJCEManager.xml and com.pingidentity.crypto.LunaJCEManager.xml, which are located in the folder /server/default/data/config-store. To use the strongest encryption, remove the comments from the AES 256 cipher suites, and then download and install the appropriate version of Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from the Java SE Downloads (http://go.microsoft.com/fwlink/?LinkId=206383).

No comments:

Post a Comment