Signed/encrypted assertions
This example set up federation using AM as the identity provider with signed/encrypted assertions.
Before you start, set up and test the example in Unsigned/unencrypted assertions.
-
Set up the SAML keystore:
-
Find the values of AM’s default SAML keypass and storepass:
$ more /path/to/am/secrets/default/.keypass $ more /path/to/am/secrets/default/.storepass
-
Copy the SAML keystore from the AM configuration to PingGateway:
$ cp /path/to/am/secrets/keystores/keystore.jceks /path/to/ig/secrets/keystore.jceks
Legacy keystore types such as JKS and JCEKS are supported but aren’t secure. Consider using the PKCS#12 keystore type.
-
-
Configure the Fedlet in PingGateway:
-
In
FederationConfig.properties
, make the following changes:-
Delete the following lines:
-
com.sun.identity.saml.xmlsig.keystore=%BASE_DIR%/security/keystores/keystore.jks
-
com.sun.identity.saml.xmlsig.storepass=%BASE_DIR%/.storepass
-
com.sun.identity.saml.xmlsig.keypass=%BASE_DIR%/.keypass
-
com.sun.identity.saml.xmlsig.certalias=test
-
com.sun.identity.saml.xmlsig.storetype=JKS
-
am.encryption.pwd=@AM_ENC_PWD@
-
-
Add the following line:
org.forgerock.openam.saml2.credential.resolver.class=org.forgerock.openig.handler.saml.SecretsSaml2CredentialResolver
This class is responsible for resolving secrets and supplying credentials.
Be sure to leave no space at the end of the line.
-
-
In
sp.xml
, make the following changes:-
Change
AuthnRequestsSigned="false"
toAuthnRequestsSigned="true"
. -
Add the following KeyDescriptor just before
</SPSSODescriptor>
<KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" > <ds:X509Data> <ds:X509Certificate> </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> </SPSSODescriptor>
-
Copy the value of the signing certificate from
idp.xml
to this file:<KeyDescriptor use="signing"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MII...zA6 </ds:X509Certificate>
This is the public key used for signing so that the IDP can verify request signatures.
-
-
-
Replace the remote service provider in AM:
-
Select Applications > Federation > Entity Providers, and remove the
sp
entity provider. -
Drag in or import the new
sp.xml
updated in the previous step. -
Select Circles of Trust:
Circle of Trust
.
-
-
Set up PingGateway
-
In the PingGateway configuration, set environment variables for the following secrets, and then restart PingGateway:
$ export KEYSTORE_SECRET_ID='a2V5c3RvcmU=' $ export SAML_KEYSTORE_STOREPASS_SECRET_ID='base64-encoded value of the SAML storepass' $ export SAML_KEYSTORE_KEYPASS_SECRET_ID='base64-encoded value of the SAML keypass'
The passwords are retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.
-
Remove
saml-filter.json
from the configuration, and add the following route, replacing the path tokeystore.jceks
with your path:-
Linux
-
Windows
$HOME/.openig/config/routes/saml-filter-secure.json
%appdata%\OpenIG\config\routes\saml-filter-secure.json
{ "name": "saml-filter-secure", "baseURI": "http://app.example.com:8081", "condition": "${find(request.uri.path, '^/home')}", "heap": [ { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore" }, { "name": "KeyStoreSecretStore-1", "type" : "KeyStoreSecretStore", "config" : { "file" : "/path/to/ig/keystore.jceks", "storeType" : "jceks", "storePasswordSecretId" : "saml.keystore.storepass.secret.id", "entryPasswordSecretId" : "saml.keystore.keypass.secret.id", "secretsProvider" : "SystemAndEnvSecretStore-1", "mappings" : [ { "secretId" : "sp.signing.sp", "aliases" : [ "rsajwtsigningkey" ] }, { "secretId" : "sp.decryption.sp", "aliases" : [ "test" ] } ] } } ], "handler": { "type": "Chain", "config": { "filters": [ { "name": "SamlFilter", "type": "SamlFederationFilter", "config": { "assertionMapping": { "name": "cn", "surname": "sn" }, "subjectMapping": "sp-subject-name", "redirectURI": "/home/saml-filter", "secretsProvider" : "KeyStoreSecretStore-1" } }, { "name": "SetSamlHeaders", "type": "HeaderFilter", "config": { "messageType": "REQUEST", "add": { "x-saml-cn": [ "${toString(session.name)}" ], "x-saml-sn": [ "${toString(session.surname)}" ] } } } ], "handler": "ReverseProxyHandler" } } }
Notice the following features of the route compared to
saml-filter.json
:-
The SamlFederationHandler refers to the KeyStoreSecretStore to provide the keys for the signed and encrypted SAML assertions.
-
The secret IDs,
sp.signing.sp
andsp.decryption.sp
, follow a naming convention based on the name of the service provider,sp
. -
The alias for the signing key corresponds to the PEM in
keystore.jceks
.
-
-
Restart PingGateway.
-
-
Test the setup:
-
In your browser’s privacy or incognito mode, go to https://sp.example.com:8443/home.
-
Log in to AM as user
demo
, passwordCh4ng31t
. The request is redirected to the sample application.
-
If a request returns an HTTP 414 URI Too Long error, consider the information in URI Too Long error. |