Signed/encrypted assertions
-
Set up the example in Unsigned/unencrypted assertions.
-
Set up the SAML keystore:
-
Find the values of AM’s default SAML keypass and storepass:
$ more /path/to/am/secrets/default/.keypass $ more /path/to/am/secrets/default/.storepass
-
Copy the SAML keystore from the AM configuration to PingGateway:
$ cp /path/to/am/secrets/keystores/keystore.jceks /path/to/ig/secrets/keystore.jceks
Legacy keystore types such as JKS and JCEKS are supported but aren’t secure. Consider using the PKCS#12 keystore type.
-
-
Configure the Fedlet in PingGateway:
-
In
FederationConfig.properties
, make the following changes:-
Delete the following lines:
-
com.sun.identity.saml.xmlsig.keystore=%BASE_DIR%/security/keystores/keystore.jks
-
com.sun.identity.saml.xmlsig.storepass=%BASE_DIR%/.storepass
-
com.sun.identity.saml.xmlsig.keypass=%BASE_DIR%/.keypass
-
com.sun.identity.saml.xmlsig.certalias=test
-
com.sun.identity.saml.xmlsig.storetype=JKS
-
am.encryption.pwd=@AM_ENC_PWD@
-
-
Add the following line:
org.forgerock.openam.saml2.credential.resolver.class=org.forgerock.openig.handler.saml.SecretsSaml2CredentialResolver
This class is responsible for resolving secrets and supplying credentials.
Be sure to leave no space at the end of the line.
-
-
In
sp.xml
, make the following changes:-
Change
AuthnRequestsSigned="false"
toAuthnRequestsSigned="true"
. -
Add the following KeyDescriptor just before
</SPSSODescriptor>
<KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" > <ds:X509Data> <ds:X509Certificate> </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> </SPSSODescriptor>
-
Copy the value of the signing certificate from
idp.xml
to this file:<KeyDescriptor use="signing"> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MII...zA6 </ds:X509Certificate>
This is the public key used for signing so that the IDP can verify request signatures.
-
-
-
Replace the remote service provider in AM:
-
Select Applications > Federation > Entity Providers, and remove the
sp
entity provider. -
Drag in or import the new
sp.xml
updated in the previous step. -
Select Circles of Trust:
Circle of Trust
.
-
-
Set up PingGateway:
-
In the PingGateway configuration, set environment variables for the following secrets, and then restart PingGateway:
$ export KEYSTORE_SECRET_ID='a2V5c3RvcmU=' $ export SAML_KEYSTORE_STOREPASS_SECRET_ID='base64-encoded value of the SAML storepass' $ export SAML_KEYSTORE_KEYPASS_SECRET_ID='base64-encoded value of the SAML keypass'
The passwords are retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.
-
Remove
saml-handler.json
from the configuration, and add the following route, replacing the path tokeystore.jceks
with your path:-
Linux
-
Windows
$HOME/.openig/config/routes/saml-handler-secure.json
%appdata%\OpenIG\config\routes\saml-handler-secure.json
{ "name": "saml-handler-secure", "condition": "${find(request.uri.path, '^/saml')}", "heap": [ { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore" }, { "name": "KeyStoreSecretStore-1", "type" : "KeyStoreSecretStore", "config" : { "file" : "/path/to/ig/keystore.jceks", "storeType" : "jceks", "storePasswordSecretId" : "saml.keystore.storepass.secret.id", "entryPasswordSecretId" : "saml.keystore.keypass.secret.id", "secretsProvider" : "SystemAndEnvSecretStore-1", "mappings" : [ { "secretId" : "sp.signing.sp", "aliases" : [ "rsajwtsigningkey" ] }, { "secretId" : "sp.decryption.sp", "aliases" : [ "test" ] } ] } } ], "handler": { "type": "SamlFederationHandler", "config": { "useOriginalUri": true, "assertionMapping": { "username": "cn", "password": "sn" }, "subjectMapping": "sp-subject-name", "redirectURI": "/home/federate", "secretsProvider" : "KeyStoreSecretStore-1" } } }
Notice the following features of the route compared to
saml-handler.json
:-
The SamlFederationHandler refers to the KeyStoreSecretStore to provide the keys for the signed and encrypted SAML assertions.
-
The secret IDs,
sp.signing.sp
andsp.decryption.sp
, follow a naming convention based on the name of the service provider,sp
. -
The alias for the signing key corresponds to the PEM in
keystore.jceks
.
-
-
Restart PingGateway.
-
-
Test the setup:
-
Log out of AM, and test the setup with the following links:
-
Log in to AM with username
demo
and passwordCh4ng31t
.PingGateway returns the response page showing that the the demo user has logged in.
-