keycloak-scim/securing_apps/topics/saml/java/general-config/sp-keys.adoc

[[_saml-sp-keys]]

===== Service Provider Keys and Key Elements

If the IdP requires that the client application (or SP) sign all of its requests and/or if the IdP will encrypt assertions, you must define the keys used to do this.
For client-signed documents you must define both the private and public key or certificate that is used to sign documents.
For encryption, you only have to define the private key that is used to decrypt it. 

There are two ways to describe your keys.
They can be stored within a Java KeyStore or you can copy/paste the keys directly within `keycloak-saml.xml` in the PEM format.

[source,xml]
----

        <Keys>
            <Key signing="true" >
               ...
            </Key>
        </Keys>
----

The `Key` element has two optional attributes `signing` and `encryption`.
When set to true these tell the adapter what the key will be used for.
If both attributes are set to true, then the key will be used for both signing documents and decrypting encrypted assertions.
You must set at least one of these attributes to true.
Revert "fixed Wildfly mentions and faulty links with underscores" This reverts commit 1ecbc1ba14075203af437295927699adf84cc428. 2019-01-21 17:01:40 +00:00			`[[_saml-sp-keys]]`
initial saml 2016-06-02 16:07:45 +00:00
WIP: mod_auth_mellon edits 2017-02-03 22:14:17 +00:00			`===== Service Provider Keys and Key Elements`
initial saml 2016-06-02 16:07:45 +00:00
WIP: mod_auth_mellon edits 2017-02-03 22:14:17 +00:00			`If the IdP requires that the client application (or SP) sign all of its requests and/or if the IdP will encrypt assertions, you must define the keys used to do this.`
			`For client-signed documents you must define both the private and public key or certificate that is used to sign documents.`
			`For encryption, you only have to define the private key that is used to decrypt it.`
initial saml 2016-06-02 16:07:45 +00:00
			`There are two ways to describe your keys.`
Update topics/saml/java/general-config/sp-keys.adoc 2016-06-10 10:58:38 +00:00			They can be stored within a Java KeyStore or you can copy/paste the keys directly within `keycloak-saml.xml` in the PEM format.
initial saml 2016-06-02 16:07:45 +00:00
			`[source,xml]`
			`----`

			`<Keys>`
			`<Key signing="true" >`
saml general config 2016-06-02 20:50:43 +00:00			`...`
initial saml 2016-06-02 16:07:45 +00:00			`</Key>`
			`</Keys>`
			`----`

			The `Key` element has two optional attributes `signing` and `encryption`.
			`When set to true these tell the adapter what the key will be used for.`
			`If both attributes are set to true, then the key will be used for both signing documents and decrypting encrypted assertions.`
			`You must set at least one of these attributes to true.`