Configure SAML Keys

To enable the Onegini IDP to sign SAML messages, and to expose a public certificate in its metadata that other parties, either Identity Providers (IdPs) or Service Providers (SPs), can use for encryption, the Onegini IDP must be provided with keys. This guide walks you through creating and configuring the RSA key pairs that are used in the SAML flows.

What is required?

To successfully complete this topic guide, make sure the following prerequisites are met:

  • access to the openssl command-line tool
  • access to the Onegini IDP instance configuration (done via extension)
  • for the sake of this guide we assume the Onegini IDP is available at the address http://idp-core.dev.onegini.me

Generating RSA key pair

The Onegini IDP has some prerequisites when it comes to the format and length of the keys:

  • the key pair MUST be of the RSA family
  • the private key MUST be in PKCS1 format (when in PEM format its armour must start with -----BEGIN RSA PRIVATE KEY-----)
  • the key MUST be at least 2048 bits long

For the sake of this guide we will generate the key pair using the openssl tool.

Generate the key pair:

$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 999999

Convert the private key to PKCS1 format:

$ openssl rsa -in key.pem -out key-pkcs1.pem

Note that with OpenSSL 3.0 and later this command writes PKCS#8 output (-----BEGIN PRIVATE KEY-----) by default; add the -traditional option to get PKCS1 output. Check that the first line of key-pkcs1.pem reads -----BEGIN RSA PRIVATE KEY----- before using it.

The above operations should be performed twice: once to generate the signing key pair and once to generate the encryption key pair. Use different file names for the second run so that the signing key and certificate are not overwritten.
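The procedure above, scripted as an added example (not part of the Onegini documentation) that generates a key pair, converts it to PKCS1, checks the IDP requirements (PKCS1 armour, at least 2048 bits, certificate matching the private key) and produces the unarmoured single-line value. It assumes openssl is on PATH; the function names are hypothetical, and -nodes and -subj are added so the run is non-interactive, where the guide's command prompts for a passphrase and subject.

```shell
#!/bin/sh
# Added example, not the Onegini project's own code. Assumes openssl on PATH.
set -e

# make_saml_keypair PREFIX [BITS]: writes PREFIX-key.pem, PREFIX-cert.pem and
# PREFIX-pkcs1.pem. Use distinct prefixes (signing, encryption) so that the
# second run does not overwrite the first.
make_saml_keypair() {
  prefix=$1; bits=${2:-4096}
  openssl req -x509 -newkey "rsa:$bits" -nodes -days 999999 \
    -subj "/CN=$(basename "$prefix")" \
    -keyout "$prefix-key.pem" -out "$prefix-cert.pem" 2>/dev/null
  # OpenSSL 3 writes PKCS#8 unless -traditional is given; older releases
  # reject the flag but already emit PKCS1, hence the fallback.
  openssl rsa -traditional -in "$prefix-key.pem" -out "$prefix-pkcs1.pem" 2>/dev/null \
    || openssl rsa -in "$prefix-key.pem" -out "$prefix-pkcs1.pem" 2>/dev/null
}

# check_pkcs1_key FILE [MIN_BITS]: PKCS1 armour and modulus length in bits.
check_pkcs1_key() {
  file=$1; min=${2:-2048}
  head -n 1 "$file" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$' || return 1
  hex=$(openssl rsa -in "$file" -noout -modulus | sed 's/^Modulus=//')
  bits=$(( ${#hex} * 4 ))          # one hex digit is four bits
  [ "$bits" -ge "$min" ]
}

# keypair_matches KEY CERT: the certificate carries this private key's modulus.
keypair_matches() {
  k=$(openssl rsa -in "$1" -noout -modulus)
  c=$(openssl x509 -in "$2" -noout -modulus)
  [ "$k" = "$c" ]
}

# unarmour FILE: drops the BEGIN/END lines and every line break, giving the
# single-line value expected by the IDP_SAML_* properties.
unarmour() {
  grep -v '^-----' "$1" | tr -d '\r\n'
}

# Usage:
#   make_saml_keypair signing && make_saml_keypair encryption
#   check_pkcs1_key signing-pkcs1.pem && keypair_matches signing-pkcs1.pem signing-cert.pem
#   IDP_SAML_SIGNING_PRIVATEKEY=$(unarmour signing-pkcs1.pem)
#   IDP_SAML_SIGNING_CERTIFICATE=$(unarmour signing-cert.pem)
```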

Configure keys in the Onegini IDP

Once you have finished preparing the keys you can configure them in the Onegini IDP. Four configuration properties define the signing and encryption keys for SAML.

Please note that the keys must be provided without armour (e.g. -----BEGIN RSA PRIVATE KEY-----, -----END RSA PRIVATE KEY-----, -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----) and without line breaks.

Signing keys

To enable the Onegini IDP to sign SAML messages, configure the two properties below:

  • IDP_SAML_SIGNING_PRIVATEKEY - the unarmoured content of the key-pkcs1.pem file generated for signing
  • IDP_SAML_SIGNING_CERTIFICATE - the unarmoured content of the cert.pem file generated for signing

Encryption keys

To enable external IdPs and SPs to encrypt SAML messages sent to the Onegini IDP, configure the two properties below:

  • IDP_SAML_ENCRYPTION_PRIVATEKEY - the unarmoured content of the key-pkcs1.pem file generated for encryption
  • IDP_SAML_ENCRYPTION_CERTIFICATE - the unarmoured content of the cert.pem file generated for encryption

Testing

Once the properties are configured, start (or restart) the Onegini IDP application. When it is up, check the SAML metadata advertised by the Onegini IDP at https://idp-core.dev.onegini.me/saml/metadata and look for md:KeyDescriptor nodes. You should find public keys for both signing and encryption (one descriptor with use="signing" and one with use="encryption").