I am new to this concept of SAML certificates.
I am currently working on configuring SSO for a website and need to know how I can generate a SAML certificate. The setup I am using for this website is not via Azure, but directly from the vendor site, and they are requesting my SAML certificate. Do I need a special tool to do this, and does it need to be registered before sending it out?
Run the command below to create the certificate.
e.g.:
keytool -genkey -alias saml -dname "CN=mydomain.com, C=NO" -keystore saml-keystore -keyalg RSA -validity 730 -keysize 1024
Send the public certificate to the SAML Consumer party
The SAML Consumer needs to know the public part of your certificate. You may export the public part of the certificate and send this.
keytool -export -rfc -keystore saml-keystore -alias saml -file saml-cert.public
Here are the full details. Also, there are other online tools which help create a certificate online, like samltool.
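Here is the same keytool procedure as an added example (not the code of the answer above), written so it can be checked before the public part is sent to the SAML consumer. The alias `saml`, the subject `CN=sp.example.com`, the PKCS12 keystore and the password are constructed for the example; the key size is 2048 bits rather than the 1024 bits used above, since 1024-bit RSA keys are no longer considered adequate. The last function checks that the exported file holds only a certificate (no private key) with the expected subject and signature algorithm, which is the check to run before handing the file to anyone.

```shell
#!/bin/sh
# Added example, not from the original answer: generate a self-signed X.509
# signing certificate for a SAML service provider with keytool, export only
# the public certificate, and sanity-check the export before sending it.
# Constructed values: alias "saml", CN=sp.example.com, a PKCS12 keystore,
# and the demo password below.
set -eu

KS_PASS="${KS_PASS:-changeit}"   # constructed demo password, not for real use

# Create the key pair and self-signed certificate in a PKCS12 keystore.
# $1 = keystore path, $2 = validity in days
gen_saml_keystore() {
    keytool -genkeypair -alias saml -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity "$2" \
        -dname "CN=sp.example.com, O=Example SP, C=US" \
        -keystore "$1" -storetype PKCS12 \
        -storepass "$KS_PASS" -keypass "$KS_PASS"
}

# Export the public certificate only, in PEM ("rfc") form, for the SAML consumer.
# $1 = keystore path, $2 = output file
export_public_cert() {
    keytool -exportcert -rfc -alias saml -keystore "$1" -storetype PKCS12 \
        -storepass "$KS_PASS" -file "$2"
}

# Check the exported file: it must contain a certificate, no private key,
# the expected subject and a SHA-256 signature. Returns 0 when all checks pass.
# $1 = exported PEM file
check_public_cert() {
    grep -q 'BEGIN CERTIFICATE' "$1" || return 1
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
    keytool -printcert -file "$1" | grep -q 'Owner: CN=sp.example.com' || return 1
    keytool -printcert -file "$1" | grep -q 'Signature algorithm name: SHA256withRSA' || return 1
    return 0
}

# Stand-alone run: work in a scratch directory so nothing is left behind.
if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    gen_saml_keystore "$work/saml-keystore.p12" 730
    export_public_cert "$work/saml-keystore.p12" "$work/saml-cert.pem"
    check_public_cert "$work/saml-cert.pem" && echo "OK: $work/saml-cert.pem contains only the public certificate"
    rm -rf "$work"
else
    echo "keytool not found (install a JDK)" >&2
fi
```

The keystore file (`saml-keystore.p12`) holds the private key and stays with you; only the exported `saml-cert.pem` goes to the other party.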
There's no such thing as a SAML certificate. SAML uses self-signed X.509 certificates that can be generated manually using openssl. There are a number of tutorials on the web on how to create such a certificate.
Some identity providers will generate the public key and certificate for you.
Keycloak does this and will allow you to copy it from the Realm settings.
Related
I'm running a stand-alone instance of WireMock for mocking in JUnit tests. This works fine with HTTP, and if I use the WireMock self-signed cert with the switch --https-port 8443. If I specify --https-keystore server_keystore.jks, however, any attempt to communicate with WireMock, e.g. WireMock.reset();, throws a javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake. Connecting to the admin page https://localhost:9093/__admin/ in a browser shows a similar error about the connection being closed.
The keystore was generated as follows:
keytool -genkey -keyalg RSA -keysize 2048 -alias server -keypass secret -storepass secret -keystore server_keystore.jks
If I enable logging for all traffic in WireMock I see:
Problem decoding network traffic
java.nio.charset.MalformedInputException: Input length = 1
I've added System.setProperty("javax.net.ssl.trustStore", "server_keystore.jks"); in my calling code prior to attempting to communicate with WireMock, with no success.
Since you've set a password on your keystore, you'll need to provide this to WireMock via the --keystore-password parameter.
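As an added example (not from the question or the answer above), the following checks are what I would run on a JKS keystore before pointing WireMock at it: confirm that the password you intend to pass as --keystore-password actually opens the store, and that the alias holds a private key entry rather than only a trusted certificate. The alias `server` and password `secret` mirror the question's keytool command; the keystore is constructed here and nothing is known about WireMock beyond what the answer says.

```shell
#!/bin/sh
# Added example, not from the original question or answer: verify a JKS
# keystore's password and private-key entry before handing it to a TLS server.
# Constructed values: alias "server", password "secret", CN=localhost.
set -eu

# Create a JKS keystore like the one in the question (2048-bit RSA).
# $1 = keystore path, $2 = store and key password
make_jks() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -alias server -validity 365 -dname "CN=localhost" \
        -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2"
}

# Returns 0 if the password opens the keystore, non-zero otherwise
# (keytool exits with "keystore password was incorrect").
# $1 = keystore path, $2 = password to try
keystore_password_ok() {
    keytool -list -keystore "$1" -storetype JKS -storepass "$2" >/dev/null 2>&1
}

# Returns 0 if alias $3 is a PrivateKeyEntry (has a private key), non-zero if
# it is only a trustedCertEntry or does not exist.
# $1 = keystore path, $2 = password, $3 = alias
alias_has_private_key() {
    keytool -list -keystore "$1" -storetype JKS -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -q 'PrivateKeyEntry'
}

# Stand-alone run in a scratch directory.
if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_jks "$work/server_keystore.jks" secret
    if keystore_password_ok "$work/server_keystore.jks" secret; then
        echo "password opens the keystore"
    fi
    if ! keystore_password_ok "$work/server_keystore.jks" wrong; then
        echo "wrong password rejected, as expected"
    fi
    if alias_has_private_key "$work/server_keystore.jks" secret server; then
        echo "alias 'server' has a private key: usable for TLS"
    fi
    rm -rf "$work"
else
    echo "keytool not found (install a JDK)" >&2
fi
```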
I have a CA key pair and I need to sign a client key pair for client authentication. I am using keytool for this. Based on this, I have created a .p12 key pair for my client. Then I create a CSR and then I sign it to have a .cer file.
My problem is that I want to "update" the cert in the p12 with this signed certificate. Basically, I need to import the keypair into the Personal Certificates for client authentication, but Windows will accept the p12 (which is not signed) and not the .cer (since it has no private key).
How can I update the p12 with the new signed public cert? Thanks.
NOTE: I prefer not to have any intermediate cert, and I don't want to use OpenSSL; I need to use keytool.
EDIT: By the way, when I try to import the signed certificate into the .p12 I get a keytool error: java.lang.Exception: Failed to establish chain from reply
EDIT: This link and this link seem to address my problem, but they use OpenSSL and other tools, not keytool.
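The question has no answer on this page, so here is the whole CSR-sign-import round trip as an added example, done with keytool only and without an intermediate CA. It is not code from the question. The reason for the "Failed to establish chain from reply" error is that keytool builds the chain for a certificate reply from the trusted certificates already in the keystore, so the issuing CA certificate has to be imported into the client's .p12 before the signed reply; the functions below do it in that order and then verify that the client alias carries a two-certificate chain issued by the CA. All names (aliases `ca` and `client`, CN=Example Test CA, CN=client1, the password) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original question: sign a client key pair's CSR
# with a CA key pair and install the signed certificate back into the client's
# PKCS12 keystore using keytool only. Constructed values: aliases "ca" and
# "client", CN=Example Test CA, CN=client1, demo password "changeit".
set -eu

PASS="${PASS:-changeit}"   # constructed demo password, not for real use

# 1. CA key pair: self-signed and marked as a CA via a critical BasicConstraints
#    extension (-ext bc:c). $1 = CA keystore path
make_ca() {
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 3650 -dname "CN=Example Test CA, O=Example, C=US" -ext bc:c \
        -keystore "$1" -storetype PKCS12 -storepass "$PASS" -keypass "$PASS"
}

# 2. Client key pair in its own PKCS12 (the question's "p12"). $1 = client keystore path
make_client() {
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 365 -dname "CN=client1, O=Example, C=US" \
        -keystore "$1" -storetype PKCS12 -storepass "$PASS" -keypass "$PASS"
}

# 3. CSR from the client, signed by the CA into client.cer, restricted to
#    client authentication; also export the CA certificate.
#    $1 = CA keystore, $2 = client keystore, $3 = work directory
sign_client() {
    keytool -certreq -alias client -keystore "$2" -storetype PKCS12 -storepass "$PASS" \
        -file "$3/client.csr"
    keytool -gencert -alias ca -keystore "$1" -storetype PKCS12 -storepass "$PASS" \
        -infile "$3/client.csr" -outfile "$3/client.cer" -rfc -validity 365 \
        -ext ku:c=digitalSignature,keyEncipherment -ext eku=clientAuth
    keytool -exportcert -alias ca -keystore "$1" -storetype PKCS12 -storepass "$PASS" \
        -rfc -file "$3/ca.cer"
}

# 4. Import the CA certificate as a trusted entry FIRST, then the signed reply
#    under the client alias; importing the reply first is what fails with
#    "Failed to establish chain from reply". $1 = client keystore, $2 = work dir
install_reply() {
    keytool -importcert -alias ca -file "$2/ca.cer" -keystore "$1" -storetype PKCS12 \
        -storepass "$PASS" -noprompt
    keytool -importcert -alias client -file "$2/client.cer" -keystore "$1" -storetype PKCS12 \
        -storepass "$PASS" -keypass "$PASS" -noprompt
}

# Verification helpers: number of certificates in the client's chain, and the
# issuer of the client certificate (first Issuer line of the chain). $1 = client keystore
chain_length() {
    keytool -list -v -alias client -keystore "$1" -storetype PKCS12 -storepass "$PASS" \
        | sed -n 's/^Certificate chain length: \([0-9]*\).*/\1/p'
}
issuer_of_client() {
    keytool -list -v -alias client -keystore "$1" -storetype PKCS12 -storepass "$PASS" \
        | sed -n 's/^Issuer: \(.*\)$/\1/p' | head -n 1
}

# Stand-alone run in a scratch directory.
if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_ca "$work/ca.p12"
    make_client "$work/client.p12"
    sign_client "$work/ca.p12" "$work/client.p12" "$work"
    install_reply "$work/client.p12" "$work"
    echo "chain length: $(chain_length "$work/client.p12")"
    echo "client issuer: $(issuer_of_client "$work/client.p12")"
    rm -rf "$work"
else
    echo "keytool not found (install a JDK)" >&2
fi
```

After `install_reply`, the client's .p12 contains the private key together with the CA-signed certificate and the CA certificate, which is the form Windows accepts when importing into Personal Certificates.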
I have a Spring SAML project that has a JKS with the public certificate of the IDP loaded into it. I have a theoretical question:
If I were to load in the issuing root or intermediate CA into the JKS, would that be sufficient for trusting the IDP and validating the IDP SAML messages? The benefit to doing this would be that future IDPs with a common issuer would be trusted without having to load in their certificate.
My understanding is that the actual public certificate of the IDP needs to be in the JKS so that Spring SAML can validate the request; however, isn't the X509 in the request sufficient for doing this, and it's just a matter of validating that the certificate in the IDP's public metadata is from a trusted issuer?
I'm a bit over my head with this. Any insight or explanation will be greatly appreciated!
Yes, you can do that with the PKIX security profile. Loading the IDP certs into the keystore should be enough (provided the trustedKeys in extendedMetadata is null, which is the default).
See the manual, chapter on security profiles, for all the details.
From an ADFS and ADFS 2.0 perspective, is it possible to register Service Provider metadata that uses a certificate (public key) that is not issued by a signing authority? I mean a self-signed certificate.
Yes - you can use a self-signed certificate for the SP and that certificate is reflected in the SP metadata.
So you can generate it with the Java keytool etc.
Also ensure that you generate the certificate for a reasonable period, at least a year, otherwise you will have to continually update the metadata on the ADFS side.
It should not be, as described in the following document:
Certificate Requirements for Federation Servers, in the section Determining your CA strategy:
"ADFS does not require that certificates be issued by a CA. However, the SSL certificate (the certificate that is also used by default as the service communications certificate) must be trusted by the ADFS clients. We recommend that you not use self-signed certificates for these certificate types."
I'm using OpenSSO 8 which I haven't configured myself. It's fully configured and without any problems. My problem is that I need to find the issuer certificate used to validate digital signatures on the SAML credentials. Can you tell me where should I look for it?
You usually get the certificate in the metadata. Here is a link on how to exchange the metadata from OpenSSO.
The certificates are actually stored in the opensso/opensso folder and can be exported using keytool.