14.5.6. Digital Signatures in SAML Assertions

14.5.6.1. Configuring the KeyProvider

To support digital signatures of SAML assertions, define a KeyProvider element inside the PicketLinkIDP or PicketLinkSP element. The KeyProvider tells PicketLink which Java KeyStore holds the private key used to sign messages and which certificates to use when validating signatures from other parties.

Important

When using digital signatures you need to configure and enable them on both the Identity Provider and every Service Provider. Otherwise the SAML assertions would be considered invalid: a party that expects signed messages rejects unsigned ones, and a party that signs its messages cannot be verified by a peer without the matching certificate.

<KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="/jbid_test_keystore.jks" />
    <Auth Key="KeyStorePass" Value="store123" />
    <Auth Key="SigningKeyPass" Value="test123" />
    <Auth Key="SigningKeyAlias" Value="servercert" />

    <ValidatingAlias Key="idp.example.com" Value="servercert" />
    <ValidatingAlias Key="localhost" Value="servercert" />
</KeyProvider>
In order to configure the KeyProvider, you need to specify, through Auth elements, the Java KeyStore that should be used to sign SAML assertions and how to open it:

Auth Key           Description
KeyStoreURL        The Value attribute points to the location of a Java KeyStore holding the signing key and the certificates that should be trusted.
KeyStorePass       The Value attribute is the password of the referenced Java KeyStore.
SigningKeyAlias    The Value attribute is the alias of the key entry (private key plus certificate) in that KeyStore to be used to sign the SAML assertions.
SigningKeyPass     The Value attribute is the password protecting that key entry.

Note that both passwords are stored in clear text in the configuration file, so protect the file with the same care as the KeyStore itself.
The Service Provider also needs to know how to verify the signatures for the SAML assertions. This is done by the ValidatingAlias elements, each of which maps a host or domain name (the Key attribute) to the alias of the certificate in the KeyStore (the Value attribute) whose public key validates signatures coming from that host.
<ValidatingAlias Key="idp.example.com" Value="servercert" />

Tip

Note that we declare the validating certificate for each domain using the ValidatingAlias element: the Key is the host or domain name of the peer and the Value is the alias under which its certificate is installed in the KeyStore.
At the IDP side you need an entry for each server/domain name defined as a trusted domain (Trust/Domains elements).
At the SP side you need an entry for the server/domain name where the IDP is deployed.
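The KeyStores that the KeyProvider Auth entries and the ValidatingAlias entries refer to can be prepared with the JDK's keytool. The following script is an added example and is not part of the PicketLink documentation or code; the host names, the aliases servercert, spcert and idpcert, the passwords, the file paths and the WORKDIR variable are illustrative assumptions. It goes beyond the single shared keystore shown in the configuration above: each side gets its own signing key and imports only the peer's public certificate, which is the arrangement the Tip describes (the SP trusts the IDP host, the IDP trusts each domain listed under Trust/Domains). The alias_type function is a check you can run against an existing keystore to confirm that the alias named by SigningKeyAlias is a private key entry and that every ValidatingAlias Value exists.

```shell
#!/bin/sh
# Added example, not PicketLink code: build the IDP and SP keystores that a
# KeyProvider configuration references, using keytool from the JDK.
# Host names, aliases, passwords and paths are illustrative assumptions.
set -eu

WORKDIR="${WORKDIR:-./picketlink-keys}"
IDP_HOST="idp.example.com"   # host the IDP runs on (SP side ValidatingAlias Key)
SP_HOST="sp.example.com"     # a Trust/Domains entry (IDP side ValidatingAlias Key)
STOREPASS="store123"         # KeyStorePass
KEYPASS="test123"            # SigningKeyPass

# Create a JKS keystore with one self-signed RSA key pair.
# $1 = keystore path, $2 = alias (SigningKeyAlias), $3 = certificate CN
make_signing_keystore() {
    keytool -genkeypair -keystore "$1" -storetype JKS -storepass "$STOREPASS" \
        -alias "$2" -keypass "$KEYPASS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 -dname "CN=$3" >/dev/null 2>&1
}

# Export the public certificate of an alias to a PEM file.
# $1 = keystore path, $2 = alias, $3 = output file
export_cert() {
    keytool -exportcert -keystore "$1" -storepass "$STOREPASS" \
        -alias "$2" -rfc -file "$3" >/dev/null 2>&1
}

# Import a peer certificate as a trusted entry. The alias chosen here is what
# the ValidatingAlias Value attribute must name.
# $1 = keystore path, $2 = alias, $3 = certificate file
import_trusted_cert() {
    keytool -importcert -noprompt -keystore "$1" -storepass "$STOREPASS" \
        -alias "$2" -file "$3" >/dev/null 2>&1
}

# Print the entry type behind an alias (PrivateKeyEntry or trustedCertEntry)
# and fail if the alias is missing. Use it to check a keystore against the XML:
# SigningKeyAlias must be a PrivateKeyEntry; a ValidatingAlias Value may be either.
# $1 = keystore path, $2 = alias
alias_type() {
    out=$(keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null) || return 1
    case "$out" in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *)                  return 1 ;;
    esac
}

build_keystores() {
    mkdir -p "$WORKDIR"
    idp_ks="$WORKDIR/idp-keystore.jks"
    sp_ks="$WORKDIR/sp-keystore.jks"
    rm -f "$idp_ks" "$sp_ks"

    # Each side gets its own signing key. The SP key is only needed when the
    # SP signs its own SAML messages.
    make_signing_keystore "$idp_ks" servercert "$IDP_HOST"
    make_signing_keystore "$sp_ks"  spcert     "$SP_HOST"

    # Exchange public certificates; private keys never leave their keystore.
    export_cert "$idp_ks" servercert "$WORKDIR/idp.cer"
    export_cert "$sp_ks"  spcert     "$WORKDIR/sp.cer"

    # SP side:  <ValidatingAlias Key="idp.example.com" Value="idpcert" />
    import_trusted_cert "$sp_ks" idpcert "$WORKDIR/idp.cer"
    # IDP side: <ValidatingAlias Key="sp.example.com" Value="spcert" />
    #           (one import per domain listed under Trust/Domains)
    import_trusted_cert "$idp_ks" spcert "$WORKDIR/sp.cer"
}

# Show what a keystore holds under a given alias.
report() { echo "$1 [$2]: $(alias_type "$1" "$2")"; }

# Usage: sh make-keystores.sh build
if [ "${1:-}" = build ]; then
    build_keystores
    report "$WORKDIR/idp-keystore.jks" servercert
    report "$WORKDIR/idp-keystore.jks" spcert
    report "$WORKDIR/sp-keystore.jks"  spcert
    report "$WORKDIR/sp-keystore.jks"  idpcert
fi
```

With the resulting files, the IDP configuration points KeyStoreURL at idp-keystore.jks with SigningKeyAlias servercert and a ValidatingAlias for sp.example.com whose Value is spcert, while the SP points at sp-keystore.jks with SigningKeyAlias spcert and a ValidatingAlias for idp.example.com whose Value is idpcert. A ValidatingAlias whose Value does not exist in the keystore is the most common cause of signature validation failures, which is what the alias_type check is for.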