keycloak-scim/securing_apps/topics/saml/java/general-config/idp_keys_subelement.adoc

[[_sp-idp-keys]]

===== IDP Keys sub element

The Keys sub element of IDP is only used to define the certificate or public key to use to verify documents signed by the IDP.
It is defined in the same way as the <<_saml-sp-keys,SP's Keys element>>.
But again, you only have to define one certificate or public key reference. Note that, if both IDP and SP are realized by
{project_name} server and adapter, respectively, there is no need to specify the keys for signature validation, see below.

[[_sp-idp-keys-automatic]]
It is possible to configure SP to obtain public keys for IDP signature validation
from published certificates automatically, provided both SP and IDP are
implemented by {project_name}.
This is done by removing all declarations of signature validation keys in Keys
sub element. If the Keys sub element would then remain empty, it can be omitted
completely. The keys are then automatically obtained by SP from SAML descriptor,
location of which is derived from SAML endpoint URL specified in the
<<_sp-idp-singlesignonservice,IDP SingleSignOnService sub element>>.
Settings of the HTTP client that is used for SAML descriptor retrieval usually
needs no additional configuration, however it can be configured in the
<<_sp-idp-httpclient,IDP HttpClient sub element>>.

It is also possible to specify multiple keys for signature verification. This is done by declaring multiple Key elements
within Keys sub element that have `signing` attribute set to `true`.
This is useful for example in situation when the IDP signing keys are rotated: There is
usually a transition period when new SAML protocol messages and assertions are signed
with the new key but those signed by previous key should still be accepted.

It is not possible to configure {project_name} to both obtain the keys
for signature verification automatically and define additional static signature
verification keys.

[source,xml]
----
       <IDP entityID="idp">
            ...
            <Keys>
                <Key signing="true">
                    <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
                        <Certificate alias="demo"/>
                    </KeyStore>
                </Key>
            </Keys>
        </IDP>
----
Revert "fixed Wildfly mentions and faulty links with underscores" This reverts commit 1ecbc1ba14075203af437295927699adf84cc428. 2019-01-21 17:01:40 +00:00			`[[_sp-idp-keys]]`
initial saml 2016-06-02 16:07:45 +00:00
KEYCLOAK-1881 - SAML key rotation at IdP side 2016-11-04 20:43:30 +00:00			`===== IDP Keys sub element`
initial saml 2016-06-02 16:07:45 +00:00
			`The Keys sub element of IDP is only used to define the certificate or public key to use to verify documents signed by the IDP.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`It is defined in the same way as the <<_saml-sp-keys,SP's Keys element>>.`
KEYCLOAK-1881 - SAML key rotation at IdP side 2016-11-04 20:43:30 +00:00			`But again, you only have to define one certificate or public key reference. Note that, if both IDP and SP are realized by`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`{project_name} server and adapter, respectively, there is no need to specify the keys for signature validation, see below.`
KEYCLOAK-1881 - SAML key rotation at IdP side 2016-11-04 20:43:30 +00:00
Revert "fixed Wildfly mentions and faulty links with underscores" This reverts commit 1ecbc1ba14075203af437295927699adf84cc428. 2019-01-21 17:01:40 +00:00			`[[_sp-idp-keys-automatic]]`
KEYCLOAK-1881 - SAML key rotation at IdP side 2016-11-04 20:43:30 +00:00			`It is possible to configure SP to obtain public keys for IDP signature validation`
			`from published certificates automatically, provided both SP and IDP are`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`implemented by {project_name}.`
KEYCLOAK-1881 - SAML key rotation at IdP side 2016-11-04 20:43:30 +00:00			`This is done by removing all declarations of signature validation keys in Keys`
			`sub element. If the Keys sub element would then remain empty, it can be omitted`
			`completely. The keys are then automatically obtained by SP from SAML descriptor,`
			`location of which is derived from SAML endpoint URL specified in the`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`<<_sp-idp-singlesignonservice,IDP SingleSignOnService sub element>>.`
KEYCLOAK-1881 - SAML key rotation at IdP side 2016-11-04 20:43:30 +00:00			`Settings of the HTTP client that is used for SAML descriptor retrieval usually`
			`needs no additional configuration, however it can be configured in the`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`<<_sp-idp-httpclient,IDP HttpClient sub element>>.`
KEYCLOAK-1881 - SAML key rotation at IdP side 2016-11-04 20:43:30 +00:00
			`It is also possible to specify multiple keys for signature verification. This is done by declaring multiple Key elements`
			within Keys sub element that have `signing` attribute set to `true`.
			`This is useful for example in situation when the IDP signing keys are rotated: There is`
			`usually a transition period when new SAML protocol messages and assertions are signed`
			`with the new key but those signed by previous key should still be accepted.`

Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`It is not possible to configure {project_name} to both obtain the keys`
KEYCLOAK-1881 - SAML key rotation at IdP side 2016-11-04 20:43:30 +00:00			`for signature verification automatically and define additional static signature`
			`verification keys.`
saml general config 2016-06-02 20:50:43 +00:00
			`[source,xml]`
			`----`
			`<IDP entityID="idp">`
			`...`
			`<Keys>`
			`<Key signing="true">`
			`<KeyStore resource="/WEB-INF/keystore.jks" password="store123">`
			`<Certificate alias="demo"/>`
			`</KeyStore>`
			`</Key>`
			`</Keys>`
			`</IDP>`
			`----`