2c2c7f7b50
This reverts commit 1ecbc1ba14075203af437295927699adf84cc428.
26 lines
1 KiB
Text
[[_saml-sp-keys]]
===== Service Provider Keys and Key Elements

If the IdP requires that the client application (or SP) sign all of its requests, or if the IdP will encrypt assertions, you must define the keys used to do this.
For client-signed documents you must define both the private key and the public key or certificate used to sign documents.
For encryption, you only have to define the private key used to decrypt the assertions.

There are two ways to describe your keys.
They can be stored within a Java KeyStore, or you can copy/paste the keys directly into `keycloak-saml.xml` in PEM format.

[source,xml]
----
<Keys>
    <Key signing="true">
    ...
    </Key>
</Keys>
----

The `Key` element has two optional attributes, `signing` and `encryption`.
When set to `true`, these tell the adapter what the key will be used for.
If both attributes are set to `true`, the key is used both for signing documents and for decrypting encrypted assertions.
You must set at least one of these attributes to `true`.
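The rules above (at least one of `signing`/`encryption` set, a signing key carrying both private and public material, an encryption key carrying at least a private key) are easy to get wrong when hand-editing `keycloak-saml.xml`. The following checker is an added example, not code from the Keycloak project; it assumes the child element names `KeyStore`/`PrivateKey`/`Certificate`, `PrivateKeyPem`, `CertificatePem` and `PublicKeyPem` for the key material, which the section above does not show, and runs over a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample <Keys> section. Child element names are assumed from the
# adapter's config schema; the section above only shows the <Keys>/<Key> skeleton.
# Passwords and PEM bodies are placeholders, not real material.
SAMPLE_KEYS_XML = """<Keys>
  <Key signing="true">
    <KeyStore resource="/WEB-INF/keystore.jks" password="STORE-PW-PLACEHOLDER">
      <PrivateKey alias="sp-sig" password="KEY-PW-PLACEHOLDER"/>
      <Certificate alias="sp-sig"/>
    </KeyStore>
  </Key>
  <Key encryption="true">
    <PrivateKeyPem>PEM-PLACEHOLDER</PrivateKeyPem>
  </Key>
  <Key signing="true">
    <PrivateKeyPem>PEM-PLACEHOLDER</PrivateKeyPem>
  </Key>
  <Key>
    <CertificatePem>PEM-PLACEHOLDER</CertificatePem>
  </Key>
</Keys>"""


def _is_true(value):
    return (value or "").strip().lower() == "true"


def _has_private(key):
    # Private material either inline as PEM or referenced inside a KeyStore.
    return key.find("PrivateKeyPem") is not None or key.find("KeyStore/PrivateKey") is not None


def _has_public(key):
    # A signing key needs a certificate or public key alongside the private key.
    return any(key.find(p) is not None for p in ("CertificatePem", "PublicKeyPem", "KeyStore/Certificate"))


def check_keys(xml_text):
    """Return (key_index, problem) pairs for every <Key> that violates a rule from the section."""
    root = ET.fromstring(xml_text.strip())
    problems = []
    for idx, key in enumerate(root.findall("Key")):
        signing = _is_true(key.get("signing"))
        encryption = _is_true(key.get("encryption"))
        if not (signing or encryption):
            problems.append((idx, "neither signing nor encryption is true"))
        if signing and not (_has_private(key) and _has_public(key)):
            problems.append((idx, "signing key needs both a private key and a certificate/public key"))
        if encryption and not _has_private(key):
            problems.append((idx, "encryption key needs a private key to decrypt assertions"))
    return problems
```

On the sample, the first two `Key` entries pass, the third is rejected for lacking public material, and the fourth for having neither attribute set.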