Configure SAML Keys
To enable the Onegini IdP to sign SAML messages, and to expose a public certificate in its metadata that other parties, either Identity Providers (IdPs) or Service Providers (SPs), can use for encryption, the Onegini IdP must be provided with keys. This guide walks you through creating and configuring the RSA key pairs used in the SAML flows.
What is required?
To successfully complete this topic guide, make sure the following prerequisites are met:
- access to
- access to the Onegini IdP instance configuration (done via extension)
- for the sake of this guide we assume the Onegini IdP is available at http://idp-core.dev.onegini.me
Generating RSA key pair
The Onegini IdP has some requirements regarding the format and length of the keys:
- the key pair MUST be of the RSA family
- the private key MUST be in PKCS#1 format (when in PEM format, its armour must start with -----BEGIN RSA PRIVATE KEY-----)
- the key MUST be at least 2048 bits long
For the sake of this guide we will generate the key pair using
Generate the key pair:
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 999999
Convert the private key to PKCS1 format:
$ openssl rsa -in key.pem -out key-pkcs1.pem
Perform the above steps twice: once to generate the signing key pair and once to generate the encryption key pair.
Configure keys in the Onegini IdP
Once you have prepared the keys, configure them in the Onegini IdP. Four configuration properties define the signing and encryption keys for SAML.
Please note that the keys must be provided without armour lines (e.g. -----BEGIN RSA PRIVATE KEY-----, -----END RSA PRIVATE KEY-----, -----END CERTIFICATE-----) and without line breaks.
To enable the Onegini IdP to sign SAML messages, configure the two properties below:
- IDP_SAML_SIGNING_PRIVATEKEY - unarmoured content of
- IDP_SAML_SIGNING_CERTIFICATE - unarmoured content of
To enable external IdPs and SPs to encrypt SAML messages sent to the Onegini IdP, configure the two properties below:
- IDP_SAML_ENCRYPTION_PRIVATEKEY - unarmoured content of
- IDP_SAML_ENCRYPTION_CERTIFICATE - unarmoured content of
Once the properties are configured, start (or restart) the Onegini IdP application. Once it is up, check the SAML metadata advertised by the Onegini IdP at https://idp-core.dev.onegini.me/saml/metadata and search for md:KeyDescriptor nodes. You should be able to find public keys for both
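The whole procedure above, from generating the two key pairs through preparing the four property values to checking the advertised metadata, as an added shell script that is not part of the Onegini documentation. It assumes openssl and curl are installed and uses the file names, property names and metadata URL from this guide. It adds two checks the guide's commands do not perform: a -traditional fallback for openssl rsa (OpenSSL 3.x otherwise writes PKCS#8, whose armour reads BEGIN PRIVATE KEY and does not meet the requirement above) and a check of the modulus length against the 2048-bit minimum. The certificate subject, the -nodes option (the IdP needs the unencrypted PKCS#1 key anyway) and the sample metadata document are assumptions made for this example.

```shell
#!/bin/sh
# Added helper script (not part of the Onegini documentation). Follows the guide:
# generate two RSA key pairs with openssl, convert the private keys to PKCS#1,
# strip armour and line breaks, print the four IDP_SAML_* properties, and check
# the advertised metadata for md:KeyDescriptor nodes.
# Assumptions: openssl and curl are installed; the subject CN is a placeholder.

# Generate a self-signed RSA key pair for one purpose ("signing" or "encryption").
# Produces <purpose>-key-pkcs1.pem and <purpose>-cert.pem in the current directory.
generate_pair() {
  purpose="$1"
  openssl req -x509 -newkey rsa:4096 -nodes -subj "/CN=onegini-idp-${purpose}" \
    -keyout "${purpose}-key.pem" -out "${purpose}-cert.pem" -days 999999
  # OpenSSL 3.x writes PKCS#8 ("BEGIN PRIVATE KEY") unless -traditional is given;
  # OpenSSL 1.1.x rejects that option but already writes PKCS#1, hence the fallback.
  openssl rsa -in "${purpose}-key.pem" -traditional -out "${purpose}-key-pkcs1.pem" 2>/dev/null ||
    openssl rsa -in "${purpose}-key.pem" -out "${purpose}-key-pkcs1.pem"
}

# Check the PEM armour and the minimum modulus length the guide requires.
check_private_key() {
  key_file="$1"
  head -n 1 "$key_file" | grep -q '^-----BEGIN RSA PRIVATE KEY-----' || return 1
  bits=$(openssl rsa -in "$key_file" -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
  [ "${bits:-0}" -ge 2048 ]
}

# Strip the armour lines and all line breaks so the value can be pasted into a property.
unarmour() {
  grep -v -- '-----' "$1" | tr -d '\r\n'
}

# Print the four properties in KEY=value form.
emit_properties() {
  printf 'IDP_SAML_SIGNING_PRIVATEKEY=%s\n' "$(unarmour signing-key-pkcs1.pem)"
  printf 'IDP_SAML_SIGNING_CERTIFICATE=%s\n' "$(unarmour signing-cert.pem)"
  printf 'IDP_SAML_ENCRYPTION_PRIVATEKEY=%s\n' "$(unarmour encryption-key-pkcs1.pem)"
  printf 'IDP_SAML_ENCRYPTION_CERTIFICATE=%s\n' "$(unarmour encryption-cert.pem)"
}

# Count md:KeyDescriptor elements with the given use= attribute in metadata read from stdin.
count_key_descriptors() {
  grep -o "<md:KeyDescriptor[^>]*use=\"$1\"" | wc -l | tr -d ' '
}

# Constructed sample of a metadata document (not real Onegini output) with one
# signing and one encryption KeyDescriptor, used to exercise count_key_descriptors.
sample_metadata() {
  printf '%s\n' \
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp-core.dev.onegini.me">' \
    '  <md:IDPSSODescriptor>' \
    '    <md:KeyDescriptor use="signing"><ds:KeyInfo>...</ds:KeyInfo></md:KeyDescriptor>' \
    '    <md:KeyDescriptor use="encryption"><ds:KeyInfo>...</ds:KeyInfo></md:KeyDescriptor>' \
    '  </md:IDPSSODescriptor>' \
    '</md:EntityDescriptor>'
}

# Fetch the advertised metadata and confirm both key descriptors are present.
verify_metadata() {
  meta=$(curl -fsS "${1:-https://idp-core.dev.onegini.me/saml/metadata}") || return 1
  [ "$(printf '%s' "$meta" | count_key_descriptors signing)" -ge 1 ] &&
    [ "$(printf '%s' "$meta" | count_key_descriptors encryption)" -ge 1 ]
}

# Full run: generate, check, and print the properties. Invoke as: ./saml-keys.sh run
if [ "${1:-}" = "run" ]; then
  for p in signing encryption; do
    generate_pair "$p"
    check_private_key "${p}-key-pkcs1.pem" || { echo "$p key does not meet the requirements" >&2; exit 1; }
  done
  emit_properties
fi
```

After the IdP has been restarted with the printed properties, `verify_metadata` (with no argument, or with a different metadata URL) returns success only when both a signing and an encryption KeyDescriptor are advertised.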