Configure SAML Keys
To let the Onegini IdP sign SAML messages, and to expose a public certificate in its metadata that other parties, either Identity Providers (IdPs) or Service Providers (SPs), can use for encryption, the Onegini IdP must be provided with keys. This guide walks you through creating and configuring the RSA key pairs used in the SAML flows.
Prerequisites
To successfully complete this topic guide you need to ensure the following prerequisites:
- access to the openssl terminal tool
- access to the Onegini IdP instance configuration (done via extension)
- for the sake of this guide we assume the Onegini IdP is available under the http://idp-core.dev.onegini.me address
Generating RSA key pair
The Onegini IdP has some prerequisites when it comes to the format and length of the key:
- the key pair MUST be of the RSA family
- the private key MUST be in PKCS1 format (when in PEM format its armour must start with -----BEGIN RSA PRIVATE KEY-----)
- the key MUST be at least 2048 bits long
For the sake of this guide we will generate the key pair using the openssl tool.
Generate the key pair:
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 999999
Convert the private key to PKCS1 format:
$ openssl rsa -in key.pem -out key-pkcs1.pem
The above operations should be performed twice: once to generate the signing key pair and once to generate the encryption key pair.
Configure keys in the Onegini IdP
Once you have finished preparing the keys you can configure them in the Onegini IdP. Four configuration properties must be defined to set the signing and encryption keys for SAML.
Please note that the keys must be provided without armours (e.g. -----BEGIN RSA PRIVATE KEY-----, -----END RSA PRIVATE KEY-----, -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----) and without line breaks.
Signing keys
To enable the Onegini IdP to sign SAML messages you need to configure the two properties below:
- IDP_SAML_SIGNING_PRIVATEKEY - unarmoured content of the key-pkcs1.pem file
- IDP_SAML_SIGNING_CERTIFICATE - unarmoured content of the cert.pem file
Encryption keys
To enable external IdPs and SPs to encrypt SAML messages that are sent to the Onegini IdP you need to configure the two properties below:
- IDP_SAML_ENCRYPTION_PRIVATEKEY - unarmoured content of the key-pkcs1.pem file
- IDP_SAML_ENCRYPTION_CERTIFICATE - unarmoured content of the cert.pem file
Testing
Once the properties are configured you need to start/restart the Onegini IdP application. Once it is up, check the SAML metadata advertised by the Onegini IdP under https://idp-core.dev.onegini.me/saml/metadata and search for md:KeyDescriptor nodes. You should find public keys for both signing and encryption.
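The unarmouring step and the metadata check described above, as an added Python example that is not part of the Onegini documentation or product (the inputs are constructed samples, so no IdP or openssl call is involved): it strips the armour and line breaks the way the IDP_SAML_* properties require, refuses a PEM whose label is not the PKCS1 RSA PRIVATE KEY, reads the modulus length straight from the PKCS1 DER to confirm the 2048-bit minimum, and lists the use values of the md:KeyDescriptor nodes in a metadata document.

```python
import base64
import re
import xml.etree.ElementTree as ET

ARMOUR = re.compile(r"^-----(BEGIN|END) ([A-Z ]+)-----$")

def unarmour(pem: str, expected_label: str) -> str:
    """Strip PEM armour and line breaks into the single-line value an IDP_SAML_* property expects."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    labels = {m.group(2) for m in map(ARMOUR.match, lines) if m}
    if labels != {expected_label}:  # e.g. a PKCS#8 'PRIVATE KEY' where PKCS#1 'RSA PRIVATE KEY' is required
        raise ValueError(f"expected {expected_label!r} armour, got {labels}")
    return "".join(ln for ln in lines if not ARMOUR.match(ln))

def _der_len(der: bytes, pos: int):
    """Decode the DER length field at pos; return (length, offset of the content)."""
    if der[pos] < 0x80:
        return der[pos], pos + 1
    n = der[pos] & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def rsa_modulus_bits(unarmoured_key: str) -> int:
    """Modulus bit length of a PKCS#1 RSAPrivateKey: SEQUENCE { INTEGER version, INTEGER modulus, ... }."""
    der = base64.b64decode(unarmoured_key)
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE, so not a PKCS#1 RSAPrivateKey")
    _, pos = _der_len(der, 1)              # step into the outer SEQUENCE
    for field in ("version", "modulus"):   # the first two INTEGERs
        if der[pos] != 0x02:
            raise ValueError(f"expected INTEGER for {field}")
        length, start = _der_len(der, pos + 1)
        value, pos = der[start:start + length], start + length
    return int.from_bytes(value, "big").bit_length()

def key_descriptor_uses(metadata_xml: str) -> set:
    """Values of the 'use' attribute on md:KeyDescriptor nodes in SAML 2.0 metadata."""
    ns = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
    return {kd.get("use") for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", ns)}

def _der(tag: int, payload: bytes) -> bytes:  # tiny DER TLV encoder, used only for the constructed sample
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload
# Constructed sample, not a real key: a PKCS#1 skeleton whose modulus is exactly 2048 bits.
SAMPLE_PKCS1_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(_der(0x30, _der(0x02, b"\x00")
    + _der(0x02, b"\x00" + b"\xff" * 256) + _der(0x02, b"\x01\x00\x01"))).decode() + "-----END RSA PRIVATE KEY-----\n")

# Constructed metadata fragment carrying the two KeyDescriptor nodes the Testing step looks for.
SAMPLE_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor>'
                   '<md:KeyDescriptor use="signing"/><md:KeyDescriptor use="encryption"/></md:IDPSSODescriptor></md:EntityDescriptor>')
```

If the conversion step produced a -----BEGIN PRIVATE KEY----- (PKCS#8) file instead, unarmour rejects it; OpenSSL 3.x emits PKCS#8 by default and needs openssl rsa -traditional to write the PKCS1 form.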