Q. How do I change the signing key for SAML2?

A. The default 'test' certificate alias used for the SAML2 (and OAuth) signing key is also used by the XUI and for REST authentication.
See Changing Default Key Aliases for further information.

Q. Where are the SAML keys stored?

A. Assuming SAML signing has been implemented, the key pair (private/public keys) used for SAML encryption and signing is stored in the AM keystore, the location of which differs depending on which version you are using.
AM uses a JCEKS keystore as its default keystore. The default location is: /path/to/openAM/keystore.jceks. You can change this by navigating to Configure > Server Defaults > Security > Key Store > Keystore File.

Q. How do I list the keys in my keystore?

A. You can list all the keys in your keystore using one of the following commands, depending on your keystore format:

  • JCEKS format:  $ keytool -list -v -keystore [ keystore ] -storetype JCEKS -storepass [ password ]
  • JKS format:  $ keytool -list -v -keystore [ keystore ] -storepass [ password ]

replacing [ keystore ] with the full path and name of the keystore file, and [ password ] with the keystore password.

Q. Can I use the same signing key for multiple IdPs?

A. Yes, you can use the same signing key with multiple hosted IdPs if required.

Q. Can I have multiple keys in the keystore used for signing so that I can have a different key for each IdP?

A. Yes you can. You then need to add the right alias and password combination to each IdP entity.
See Setting Up Keys and Keystores for further information.

Q. Do I have to import a certificate into the keystore for XML signing or will AM use the certificate provided in the MetaData?

A. It depends on what you are trying to do:
Setting up federation
When you initially configure federation between AM and the entity provider, you need to import the entity provider's metadata. The metadata itself can be signed. If it is signed, you must have a way to trust it, and typically this means you need to import the certificate into the keystore. However, if you have obtained the metadata from a trusted source, you can remove the Signature block from the metadata and import it without needing to import the certificate.
The Signature block in the metadata is the <Signature ...> part shown in the following example:

<md:EntityDescriptor>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    ...
    <SignatureValue>...</SignatureValue>
    ...
    <X509Certificate>...</X509Certificate>
    ...
  </Signature>
  ...
</md:EntityDescriptor>
When this signature block is present, the certificate in the <X509Certificate> tag must be trusted.
Verifying signatures
Once federation is configured, you may choose to receive signed requests from the Service Provider, for example. If the metadata imported into AM contained a certificate, AM will use that certificate to verify the signature of the request, meaning you do not need to import a certificate. This certificate will be in the <SPSSODescriptor> or the <IDPSSODescriptor> block, for example:

<EntityDescriptor>
  <SPSSODescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>

If either the <SPSSODescriptor> or the <IDPSSODescriptor> block is present with a certificate, AM will use that certificate to verify the signatures; if it is not present, you will need to import the certificate into the keystore.

Q. Why isn’t the SAML certificate expiration date checked?

A. The expiration date isn't checked, per the SAML specification: SAML V2.0 Metadata Interoperability Profile. In particular, refer to the Key Representation section, which states:

In the case of an X.509 certificate, there are no requirements as to the content of the certificate apart from the requirement that it contain the appropriate public key. Specifically, the certificate may be expired, not yet valid, carry critical or non-critical extensions or usage flags, and contain any subject or issuer. The use of the certificate structure is merely a matter of notational convenience to communicate a key and has no semantics in this profile apart from that. However, it is RECOMMENDED that certificates be unexpired.

An RFE exists to provide an option for checking expiration dates: OPENAM-8973 (request for a configuration enhancement that allows the option to check for a SAML/Federation-based certificate expiration date).
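The two metadata cases above (a Signature block whose certificate must be trusted, and signing certificates carried inside the SP/IdP descriptors) and the expiration gap just described can be checked before metadata is imported. The following script is an added example, not code from the original article or from ForgeRock AM: using only the Python standard library it reports whether the metadata is signed, collects the signing certificates per role descriptor, and reads each certificate's notAfter date straight from the DER, which is the check AM does not perform. The metadata, the entityID and the certificate (a synthetic, unsigned DER structure built only to exercise the parser) are constructed sample input; a KeyDescriptor with no use attribute is treated as usable for signing too, as the SAML metadata schema specifies.

```python
"""Inspect SAML 2.0 entity metadata the way the FAQ describes AM using it.

Reports whether the metadata carries a <ds:Signature> (whose certificate must
then be trusted), which signing certificates the SP/IdP role descriptors carry
(so no keystore import is needed), and, since AM does not check it, when each
such certificate expires. Standard library only; all inputs are constructed.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLES = ("SPSSODescriptor", "IDPSSODescriptor")
UTC = dt.timezone.utc


def der(tag, content):
    """Encode one DER TLV (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_children(blob):
    """Split the content of a DER constructed value into (tag, content) pairs."""
    out, i = [], 0
    while i < len(blob):
        tag, first = blob[i], blob[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(blob[i + 2:i + 2 + k], "big"), 2 + k
        out.append((tag, blob[i + hdr:i + hdr + n]))
        i += hdr + n
    return out


def cert_not_after(der_cert):
    """Return notAfter of an X.509 DER certificate as an aware UTC datetime.

    Walks Certificate -> tbsCertificate -> validity; no crypto library needed.
    """
    tbs = der_children(der_children(der_cert)[0][1])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:            # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    tag, raw = der_children(fields[3][1])[1]   # serial, sigAlg, issuer, validity
    text = raw.decode("ascii")
    if tag == 0x17:                     # UTCTime: RFC 5280 maps 00-49 to 20xx, 50-99 to 19xx
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def inspect_metadata(xml_text, now=None):
    """Summarise what AM would trust and whether a keystore import is needed."""
    now = now or dt.datetime.now(UTC)
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"),
              "metadata_signed": root.find("ds:Signature", NS) is not None,
              "signing_certs": []}
    for role in ROLES:
        for kd in root.findall(f"md:{role}/md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):   # no 'use' means both uses
                continue
            for c in kd.findall(".//ds:X509Certificate", NS):
                expires = cert_not_after(base64.b64decode("".join(c.text.split())))
                report["signing_certs"].append({"role": role,
                                                "not_after": expires.isoformat(),
                                                "expired": expires < now})
    report["needs_keystore_import"] = not report["signing_certs"]
    return report


def sample_cert(not_after):
    """Synthetic, unsigned DER certificate carrying only the structure the parser walks."""
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                   # [0] version = v3
        der(0x02, b"\x01"),                              # serialNumber
        der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA OID
        der(0x30, b""),                                  # issuer (empty Name, fixture only)
        der(0x30, utc(not_after - dt.timedelta(days=365)) + utc(not_after)),  # validity
        der(0x30, b""),                                  # subject
        der(0x30, b""),                                  # subjectPublicKeyInfo placeholder
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


def sample_metadata(cert_b64, signed):
    """Constructed SP metadata; the entityID/hostname are made up."""
    ds = 'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
    x509 = f"<ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data>"
    sig = (f"<ds:Signature {ds}><ds:SignatureValue>...</ds:SignatureValue>"
           f"<ds:KeyInfo>{x509}</ds:KeyInfo></ds:Signature>") if signed else ""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://sp.example.test/metadata">'
            f'{sig}<md:SPSSODescriptor><md:KeyDescriptor use="signing">'
            f"<ds:KeyInfo {ds}>{x509}</ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>"
            "</md:EntityDescriptor>")


def demo(signed=True, expiry_year=2020):
    """Build metadata around a certificate expiring 1 Jan of expiry_year and inspect it."""
    cert_b64 = base64.b64encode(sample_cert(dt.datetime(expiry_year, 1, 1, tzinfo=UTC))).decode()
    return inspect_metadata(sample_metadata(cert_b64, signed))


if __name__ == "__main__":
    print(demo(signed=True, expiry_year=2020))
```

Run it with real metadata by passing the file contents to inspect_metadata(): an empty signing_certs list means the certificate has to be imported into the AM keystore, and an "expired" entry is the condition AM will silently accept and that OPENAM-8973 asks to make configurable.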

Q. How can I check if SAML signing has been implemented?

A. You can check in the console:

  • AM 6 and later console: navigate to Realms > [Realm Name] >
    Applications > Federation > Entity Providers > [Name of Provider] > Assertion
    Content > Signing and Encryption and check which options have been selected.
  • AM 5.x console: navigate to: Realms > [Realm Name] > Applications >
    SAML > Circle of Trust Configuration > Entity Providers > [Name of Provider]
    > Assertion Content > Signing and Encryption and check which options have been
    selected.

Q. Can I sign anything other than the assertion?

A. Yes, you can choose which parts of the request or response are signed as follows:

  • In the SP, you can sign the following:
    • Authentication Requests
    • Assertions
    • Post Response
    • Artifact Response
    • Logout Request
    • Logout Response
    • Manage Name ID Request
    • Manage Name ID Response
  • In the IdP, you can sign the following:
    • Authentication Request
    • Artifact Resolve
    • Logout Request
    • Logout Response
    • Manage Name ID Request
    • Manage Name ID Response

You can set these options in the console:

  • AM 6 and later console: navigate to Realms > [Realm Name] >
    Applications > Federation > Entity Providers > [Name of Provider] > Assertion
    Content > Signing and Encryption.
  • AM 5.x console: navigate to: Realms > [Realm Name] > Applications >
    SAML > Circle of Trust Configuration > Entity Providers > [Name of Provider]
    > Assertion Content > Signing and Encryption.

Q. How do I use an existing CA signed certificate (in PEM format) for signing SAML requests?

A. You need to add the CA signed certificate to the AM keystore in order to use it for SAML signing. You can do this as follows:

  1. Convert the PEM certificate file to PKCS#12 (.p12) using the openssl third-party
    tool:
    $ openssl pkcs12 -export -in [ saml.crt ] -inkey [ saml.key ] -out [ saml.p12 ] -name [ alias ]
    replacing [saml.crt], [saml.key], [saml.p12] and [alias] with appropriate values.
  2. Import the p12 file generated in step 1 into the AM keystore using the keytool
    command:
    $ keytool -importkeystore -deststorepass [ changeit ] -destkeypass [ changeit ] -destkeystore [ AMkeystore ] -srckeystore [ saml.p12 ] -srcstoretype PKCS12 -srcstorepass [ password ] -alias [ alias ]
    replacing [changeit], [AMkeystore], [saml.p12], [password] and [alias] with appropriate values.

Q. How do I get the certificate out of the keystore in PEM format?

A. You can use the following keytool command to retrieve the certificate from the keystore in PEM format:
$ keytool -exportcert -alias [ alias ] -keypass [ keypassword ] -keystore [ keystore ] -storepass [ storepassword ] -rfc -file [ keyStore.pem ]
replacing [ alias ], [ keypassword ], [ keystore ], [ storepassword ] and [ keyStore.pem ] with appropriate values, where:

  • [keypassword] is the password used to protect the private key of the generated key pair.
  • [keystore] is the full path and name of the keystore file.
  • [storepassword] is the keystore password.

Q. How do I convert a PEM certificate file and private key to PKCS#12 (.pfx .p12)?

A. You can use the openssl third-party tool to perform this conversion using the following command:
$ openssl pkcs12 -export -out [ certificate.pfx ] -inkey [ privateKey.key ] -in [ certificate.crt ] -certfile [ CACert.crt ]
replacing [ certificate.pfx ], [ privateKey.key ], [ certificate.crt ] and [ CACert.crt ] with appropriate values.

Q. How do I convert a PKCS#12 file (.pfx .p12) that contains a private key and certificates to PEM
format?

A. You can use the openssl third-party tool to perform this conversion using the following command:
$ openssl pkcs12 -in [ keyStore.pfx ] -out [ keyStore.pem ] -nodes
replacing [ keyStore.pfx ] and [ keyStore.pem ] with appropriate values.

Note

You can add -nocerts to only output the private key, or add -nokeys to only output the certificates.

Q. What is the certificate alias setting under Server Defaults used for?

A. The default server certificate alias setting is used for SAML 1.x federation. This property (com.sun.identity.saml.xmlsig.certalias) is equivalent to the SAML 1.x default signing key. It can be found by navigating to: Configure > Server Defaults > Security > Key Store.
Certificate aliases used for SAML2 federation are maintained in the console:

  • AM 6 and later console: navigate to Realms > [Realm Name] >
    Applications > Federation > Entity Providers > [Name of Provider] > Assertion
    Content > Signing and Encryption.
  • AM 5.x console: navigate to: Realms > [Realm Name] > Applications >
    SAML > Circle of Trust Configuration > Entity Providers > [Name of Provider]
    > Assertion Content > Signing and Encryption.
