2019-01-21 16:15:22 +00:00
|
|
|
[[sp-idp-keys]]
|
2016-06-02 16:07:45 +00:00
|
|
|
|
2016-11-04 20:43:30 +00:00
|
|
|
===== IDP Keys sub element
|
2016-06-02 16:07:45 +00:00
|
|
|
|
|
|
|
The Keys sub element of IDP is only used to define the certificate or public key to use to verify documents signed by the IDP.
|
2017-08-28 12:50:14 +00:00
|
|
|
It is defined in the same way as the <<_saml-sp-keys,SP's Keys element>>.
|
2016-11-04 20:43:30 +00:00
|
|
|
But again, you only have to define one certificate or public key reference. Note that, if both IDP and SP are realized by
|
2017-08-28 12:50:14 +00:00
|
|
|
{project_name} server and adapter, respectively, there is no need to specify the keys for signature validation, see below.
|
2016-11-04 20:43:30 +00:00
|
|
|
|
2019-01-21 16:15:22 +00:00
|
|
|
[[sp-idp-keys-automatic]]
|
2016-11-04 20:43:30 +00:00
|
|
|
It is possible to configure SP to obtain public keys for IDP signature validation
|
|
|
|
from published certificates automatically, provided both SP and IDP are
|
2017-08-28 12:50:14 +00:00
|
|
|
implemented by {project_name}.
|
2016-11-04 20:43:30 +00:00
|
|
|
This is done by removing all declarations of signature validation keys in Keys
|
|
|
|
sub element. If the Keys sub element would then remain empty, it can be omitted
|
|
|
|
completely. The keys are then automatically obtained by SP from SAML descriptor,
|
|
|
|
location of which is derived from SAML endpoint URL specified in the
|
2017-08-28 12:50:14 +00:00
|
|
|
<<_sp-idp-singlesignonservice,IDP SingleSignOnService sub element>>.
|
2016-11-04 20:43:30 +00:00
|
|
|
Settings of the HTTP client that is used for SAML descriptor retrieval usually
|
|
|
|
needs no additional configuration, however it can be configured in the
|
2017-08-28 12:50:14 +00:00
|
|
|
<<_sp-idp-httpclient,IDP HttpClient sub element>>.
|
2016-11-04 20:43:30 +00:00
|
|
|
|
|
|
|
It is also possible to specify multiple keys for signature verification. This is done by declaring multiple Key elements
|
|
|
|
within Keys sub element that have `signing` attribute set to `true`.
|
|
|
|
This is useful for example in situation when the IDP signing keys are rotated: There is
|
|
|
|
usually a transition period when new SAML protocol messages and assertions are signed
|
|
|
|
with the new key but those signed by previous key should still be accepted.
|
|
|
|
|
2017-08-28 12:50:14 +00:00
|
|
|
It is not possible to configure {project_name} to both obtain the keys
|
2016-11-04 20:43:30 +00:00
|
|
|
for signature verification automatically and define additional static signature
|
|
|
|
verification keys.
|
2016-06-02 20:50:43 +00:00
|
|
|
|
|
|
|
[source,xml]
|
|
|
|
----
|
|
|
|
<IDP entityID="idp">
|
|
|
|
...
|
|
|
|
<Keys>
|
|
|
|
<Key signing="true">
|
|
|
|
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
|
|
|
<Certificate alias="demo"/>
|
|
|
|
</KeyStore>
|
|
|
|
</Key>
|
|
|
|
</Keys>
|
|
|
|
</IDP>
|
|
|
|
----
|