Last modified by jhurst on 2024/04/02 14:26

Summary:

{{toc/}}

= I. Prerequisites =

In this document we will use the following terms:

|SP: Service Provider|IdP: Identity Provider
|Kpr (SP): the private key of the SP|Kpr (IdP): the private key of the IdP
|Kpb (SP): the public key of the SP|Kpb (IdP): the public key of the IdP

----

Have the following items available:

* the SP private key
* the SP public key
* the IdP public key
* OpenSSL: a tool for handling the objects used in secure connections (X.509 certificates, signatures, encryption, etc.). In particular, it can convert certificates and keys between formats.

**Important:**

If both parties (SP and IdP) are expected to sign their data:

* make sure that the certificates carrying the exchanged public keys are signed by a certification authority (CA-signed certificate);
* if self-signed certificates are used, check beforehand that each party accepts them.

= II. Principles =

The actors and tools needed to set up a secure SAMLv2 exchange (encrypted and/or signed) can be summarized as follows:

|Service Provider (SP)|Communication|Identity Provider (IdP)
|Encrypts data with Kpb (IdP)|(% rowspan="2" %)(((
**>**

The SP sends the encrypted and/or signed authentication request to the IdP
)))|Decrypts data with Kpr (IdP)
|Signs data with Kpr (SP)|Validates the signature with Kpb (SP)
| | |
|Decrypts data with Kpr (SP)|(% rowspan="2" %)(((
**<**

The IdP sends the encrypted and/or signed SAMLv2 response to the SP
)))|Encrypts data with Kpb (SP)
|Validates the signature with Kpb (IdP)|Signs data with Kpr (IdP)

__Principle: encryption and signature of the data exchanged between the SP and the IdP__

The SP must therefore hold:

* the SP private key
* the SP public key
* the IdP public key

= III. Formatting of private keys =

OneLogin requires private keys in PKCS #8 format (the key content must start with "BEGIN PRIVATE KEY").

If you have a private key in PKCS #1 format instead (the key content starts with "BEGIN RSA PRIVATE KEY"), re-encode it in the correct format (the key material itself is unchanged) with the following command, which writes the converted key to a new file:

(% class="box" %)
(((
openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
)))

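What the openssl command above does is wrap the PKCS #1 RSAPrivateKey structure in a PKCS #8 PrivateKeyInfo envelope (RFC 5208). The following Python script is added here as an illustration; it is not part of the original page, of OneLogin's tooling, or of DigDash. Using only the standard library, it classifies a PEM private key by its header (exactly the check the page describes), performs the same wrapping, and unwraps the result to verify the envelope. The values in TOY_RSA_PARAMS are textbook toy numbers constructed for the demonstration (n = 61 * 53) and do not form a usable key; all function names are the example's own.

```python
import base64
import textwrap

# DER building blocks for the PKCS #8 envelope (RFC 5208 PrivateKeyInfo).
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
NULL_DER = b"\x05\x00"                                  # ASN.1 NULL parameters


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """Minimal positive INTEGER encoding (a leading 0x00 only when the top bit is set)."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_read(buf, pos=0):
    """Read one TLV at pos; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, buf[start:start + length], start + length


def pem_decode(pem, label):
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if lines[0] != f"-----BEGIN {label}-----" or lines[-1] != f"-----END {label}-----":
        raise ValueError(f"expected a '{label}' PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def pem_encode(der, label):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def key_format(pem):
    """Classify a private key PEM by its header, as the page does."""
    first = pem.lstrip().splitlines()[0].strip()
    return {"-----BEGIN RSA PRIVATE KEY-----": "pkcs1",
            "-----BEGIN PRIVATE KEY-----": "pkcs8"}.get(first, "unknown")


def pkcs1_to_pkcs8(pkcs1_pem):
    """Wrap an RSAPrivateKey in PrivateKeyInfo, the structure 'openssl pkcs8 -topk8 -nocrypt' emits."""
    rsa_der = pem_decode(pkcs1_pem, "RSA PRIVATE KEY")
    alg_id = der_tlv(0x30, RSA_OID_DER + NULL_DER)                    # AlgorithmIdentifier
    info = der_tlv(0x30, der_int(0) + alg_id + der_tlv(0x04, rsa_der))  # version 0 + alg + key
    return pem_encode(info, "PRIVATE KEY")


def ensure_pkcs8(pem):
    """Return the key in PKCS #8 form, converting only when it is PKCS #1."""
    fmt = key_format(pem)
    if fmt == "pkcs8":
        return pem
    if fmt == "pkcs1":
        return pkcs1_to_pkcs8(pem)
    raise ValueError("unrecognised key header; only unencrypted PKCS #1/#8 PEM is handled")


def unwrap_pkcs8(pkcs8_pem):
    """Parse PrivateKeyInfo and return the inner RSAPrivateKey DER (verifies the envelope)."""
    _, info, _ = der_read(pem_decode(pkcs8_pem, "PRIVATE KEY"))
    tag, version, pos = der_read(info)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unexpected PrivateKeyInfo version")
    tag, alg_id, pos = der_read(info, pos)
    if tag != 0x30 or alg_id != RSA_OID_DER + NULL_DER:
        raise ValueError("not an rsaEncryption key")
    tag, rsa_der, _ = der_read(info, pos)
    if tag != 0x04:
        raise ValueError("missing privateKey OCTET STRING")
    return rsa_der


# Constructed toy RSAPrivateKey (version, n, e, d, p, q, dP, dQ, qInv) with textbook
# parameters n = 61 * 53: structurally valid DER, not a usable key.
TOY_RSA_PARAMS = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]
TOY_PKCS1_DER = der_tlv(0x30, b"".join(der_int(v) for v in TOY_RSA_PARAMS))
TOY_PKCS1_PEM = pem_encode(TOY_PKCS1_DER, "RSA PRIVATE KEY")

if __name__ == "__main__":
    print(ensure_pkcs8(TOY_PKCS1_PEM))
```

For a real key, `openssl pkey -in sp.pem -noout` returning without error confirms that the converted file parses, and the output of this script should match what the openssl command produces for the same input, since the envelope is deterministic. Either way the conversion runs locally, so the private key never leaves the machine that owns it.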
= IV. Retrieving keys as a string =

OneLogin provides online tools that turn a key or certificate into a single-line character string without losing its format.

== IV.1 Public key ==

The tool available at the following link returns the character string corresponding to a **public** key:

[[https:~~/~~/developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate>>url:https://developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate]]

We want to obtain the public key in the following form (**WITH headers and WITHOUT line breaks**):

~-~-~-~--BEGIN CERTIFICATE~-~-~-~--XXXXXXX~-~-~-~--END CERTIFICATE~-~-~-~--

where XXXXXXX is the content of the “X.509 cert in string format” section.

[[image:http://rack-lure:8585/bin/download/Digdash_2019R2/others_documents/config_auth_saml2_sec/WebHome/1592386898235-169.png?width=467&height=531&rev=1.1||alt="1592386898235-169.png"]]

__OneLogin online tool: formatting an X.509 certificate containing a public key__

== IV.2 Private key ==

The tool available at the following link returns the character string corresponding to a **private** key:

[[https:~~/~~/developers.onelogin.com/saml/online-tools/x509-certs/format-private-key>>url:https://developers.onelogin.com/saml/online-tools/x509-certs/format-private-key]]

We want to obtain the private key in the following form (**WITH headers and WITHOUT line breaks**):

~-~-~-~--BEGIN PRIVATE KEY~-~-~-~--YYYYYYY~-~-~-~--END PRIVATE KEY~-~-~-~--

where YYYYYYY is the content of the “Private Key in string format” section.

[[image:http://rack-lure:8585/bin/download/Digdash_2019R2/others_documents/config_auth_saml2_sec/WebHome/1592386741842-227.png?width=504&height=591&rev=1.1||alt="1592386741842-227.png"]]

__OneLogin online tool: formatting a private key__

= V. Overriding properties in the security file =

In the SAMLv2 security file (.properties), add the following properties:

* onelogin.saml2.sp.x509cert: the certificate containing the public key of the SP
* onelogin.saml2.sp.privatekey: the private key of the SP (PKCS #8 format, see section III)
* onelogin.saml2.idp.x509cert: the certificate containing the public key of the IdP

Each value is the single-line string (headers kept, no line breaks) obtained in section IV.

__Extract from the SAMLv2 security file overriding the properties concerning the public/private keys__

(% class="box" %)
(((
...
\\# Service Provider Data that DigDash deploys
\\onelogin.saml2.sp.x509cert = ~-~-~-~--BEGIN CERTIFICATE~-~-~-~--XXXXXXX~-~-~-~--END CERTIFICATE~-~-~-~--
onelogin.saml2.sp.privatekey = ~-~-~-~--BEGIN PRIVATE KEY~-~-~-~--YYYYYYY~-~-~-~--END PRIVATE KEY~-~-~-~--
\\\\# Identity Provider Data used to connect with DigDash (SP)
\\onelogin.saml2.idp.x509cert = ~-~-~-~--BEGIN CERTIFICATE~-~-~-~--ZZZZZZZ~-~-~-~--END CERTIFICATE~-~-~-~--
\\...
)))

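The single-line form required in sections IV and V can also be produced locally, without pasting key material into a web page. The following Python script is an added example, not part of the original page, of DigDash, or of the OneLogin library: it collapses a PEM block to one line while keeping the BEGIN/END headers, refuses a PKCS #1 key (which section III says must be converted first), renders the three onelogin.saml2.* properties of the extract above, and re-reads a properties fragment to check that each value is present and well-formed. The sample certificates and keys are constructed placeholders (a DER SEQUENCE around a short string), not real X.509 objects; the function names are the example's own.

```python
import base64
import textwrap

# Property names from the page, with the PEM label each value must carry:
# certificates as CERTIFICATE, the SP key as an unencrypted PKCS #8 PRIVATE KEY.
PROPERTY_LABELS = {
    "onelogin.saml2.sp.x509cert": "CERTIFICATE",
    "onelogin.saml2.sp.privatekey": "PRIVATE KEY",
    "onelogin.saml2.idp.x509cert": "CERTIFICATE",
}


def pem_to_single_line(pem_text, label):
    """Collapse a PEM block (multi-line or already single-line) to one line, headers kept."""
    compact = "".join(ln.strip() for ln in pem_text.splitlines())
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if label == "PRIVATE KEY" and compact.startswith("-----BEGIN RSA PRIVATE KEY-----"):
        raise ValueError("PKCS #1 key: convert it with 'openssl pkcs8 -topk8 -nocrypt' first")
    if not (compact.startswith(begin) and compact.endswith(end)):
        raise ValueError(f"expected a {label} PEM block")
    body = compact[len(begin):-len(end)]
    der = base64.b64decode(body, validate=True)   # rejects stray characters in the body
    if not der or der[0] != 0x30:                   # certificates and keys are DER SEQUENCEs
        raise ValueError("decoded content is not DER")
    return begin + body + end


def check_value(pem_text, label):
    """Non-raising wrapper: (single-line string or None, message)."""
    try:
        return pem_to_single_line(pem_text, label), "ok"
    except ValueError as exc:
        return None, str(exc)


def render_security_properties(sp_cert_pem, sp_key_pem, idp_cert_pem):
    """Produce the three property lines of section V from PEM inputs."""
    values = {
        "onelogin.saml2.sp.x509cert": sp_cert_pem,
        "onelogin.saml2.sp.privatekey": sp_key_pem,
        "onelogin.saml2.idp.x509cert": idp_cert_pem,
    }
    lines = [f"{key} = {pem_to_single_line(values[key], label)}"
             for key, label in PROPERTY_LABELS.items()]
    return "\n".join(lines) + "\n"


def check_security_properties(text):
    """Re-read a properties fragment: a status message per key found, plus the keys missing."""
    status = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#") or "=" not in raw:
            continue
        key, _, value = raw.partition("=")   # first '=' separates key and value
        key, value = key.strip(), value.strip()
        if key in PROPERTY_LABELS:
            status[key] = check_value(value, PROPERTY_LABELS[key])[1]
    missing = sorted(set(PROPERTY_LABELS) - set(status))
    return status, missing


def _fake_pem(payload, label):
    """Constructed stand-in: a DER SEQUENCE around a short string, wrapped as PEM. Not a real object."""
    der = b"\x30" + bytes([len(payload)]) + payload
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"


SAMPLE_SP_CERT = _fake_pem(b"constructed SP certificate", "CERTIFICATE")
SAMPLE_SP_KEY = _fake_pem(b"constructed SP PKCS#8 key", "PRIVATE KEY")
SAMPLE_IDP_CERT = _fake_pem(b"constructed IdP certificate", "CERTIFICATE")
SAMPLE_PKCS1_KEY = _fake_pem(b"constructed PKCS#1 key", "RSA PRIVATE KEY")

if __name__ == "__main__":
    print(render_security_properties(SAMPLE_SP_CERT, SAMPLE_SP_KEY, SAMPLE_IDP_CERT))
```

Running check_security_properties over the real security file after editing it catches the two mistakes this procedure most often produces: a key still in PKCS #1 format and a value that kept its line breaks, both of which make the SP configuration fail to load.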