2016-06-02 16:07:45 +00:00
[[_saml-sp-keys]]
===== SP Keys and Key elements
2016-06-02 20:50:43 +00:00
If the IDP requires that the client application (SP) sign all of its requests and/or if the IDP will encrypt assertions, you must define the keys used to do this.
2016-06-02 16:07:45 +00:00
For client signed documents you must define both the private and public key or certificate that will be used to sign documents.
For encryption, you only have to define the private key that will be used to decrypt.
There are two ways to describe your keys.
2016-06-02 20:50:43 +00:00
They can be stored within a Java KeyStore or you can or you can cut and paste the keys directly within `keycloak-saml.xml` in the PEM format.
2016-06-02 16:07:45 +00:00
[source,xml]
----
<Keys>
<Key signing="true" >
2016-06-02 20:50:43 +00:00
...
2016-06-02 16:07:45 +00:00
</Key>
</Keys>
----
The `Key` element has two optional attributes `signing` and `encryption`.
When set to true these tell the adapter what the key will be used for.
If both attributes are set to true, then the key will be used for both signing documents and decrypting encrypted assertions.
You must set at least one of these attributes to true.
