SAMLv2 Authentication - Configuration (wiki source)
Last modified by jhurst on 2024/04/02 14:26
Summary:

{{toc/}}

= I. Prerequisites =

In this document we will call:

|SP: Service Provider|IdP: Identity Provider
| |
|Kpr (SP): the private key of the SP|Kpr (IdP): the private key of the IdP
|Kpb (SP): the public key of the SP|Kpb (IdP): the public key of the IdP

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-

Have the following items available:

* the SP private key
* the SP public key
* the IdP public key
* OpenSSL: a tool for handling the objects used in secure connections (X.509 certificates, signatures, encryption, etc.). Here it is used in particular to convert certificates and keys between formats.

**Important**:

If both parties (SP and IdP) are expected to sign their data:

* make sure that the certificates carrying the exchanged public keys are issued by a certification authority (CA-signed certificates);
* with self-signed certificates, check beforehand that each party accepts them.
= II. Principles =

The actors and operations involved in a secure SAMLv2 exchange (encrypted and / or signed) can be summarized as follows:

|Service Provider (SP)|Communication|Identity Provider (IdP)
|Encrypts data with Kpb (IdP)|(% rowspan="2" %)(((
**>**

The SP sends the encrypted and / or signed authentication request to the IdP
)))|Decrypts data with Kpr (IdP)
|Signs data with Kpr (SP)|Validates the signature with Kpb (SP)
| | |
|Decrypts data with Kpr (SP)|(% rowspan="2" %)(((
**<**

The IdP sends the encrypted and / or signed SAMLv2 response to the SP
)))|Encrypts data with Kpb (SP)
|Validates the signature with Kpb (IdP)|Signs data with Kpr (IdP)

__Principle: encryption and signature of the data exchanged between the SP and the IdP__

The SP must therefore hold:

* the SP private key, Kpr (SP), used to decrypt responses and sign requests
* the SP public key, Kpb (SP), published to the IdP so that it can encrypt responses and validate the SP's signatures
* the IdP public key, Kpb (IdP), used to encrypt requests and validate the IdP's signatures
= III. Formatting of private keys =

OneLogin (the SAML library used by DigDash) requires private keys in PKCS #8 format (the content of the key must start with "BEGIN PRIVATE KEY").

If you have a private key in PKCS #1 format (the content of the key begins with "BEGIN RSA PRIVATE KEY"), convert it to PKCS #8 with the following command (the key material is unchanged, only its encoding differs):

openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem

Because of -nocrypt the resulting sp.pem is written unencrypted: restrict its permissions to the account running DigDash.
= IV. Retrieving keys as a single-line string =

OneLogin provides online tools to convert keys and certificates into a single-line character string without losing their format.

== IV.1 Public key ==

The tool available at the following link returns the character string corresponding to a **public** key:

[[https:~~/~~/developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate>>url:https://developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate]]

We want the public key in the following form (**WITH headers and WITHOUT line breaks**):

~-~-~-~--BEGIN CERTIFICATE~-~-~-~--XXXXXXX~-~-~-~--END CERTIFICATE~-~-~-~--

with XXXXXXX the content of the "X.509 cert in string format" section.

[[image:http://rack-lure:8585/bin/download/Digdash_2019R2/others_documents/config_auth_saml2_sec/WebHome/1592386898235-169.png?width=467&height=531&rev=1.1||alt="1592386898235-169.png"]]

__OneLogin online tool: formatting an X.509 certificate containing a public key__

== IV.2 Private key ==

The tool available at the following link returns the character string corresponding to a **private** key:

[[https:~~/~~/developers.onelogin.com/saml/online-tools/x509-certs/format-private-key>>url:https://developers.onelogin.com/saml/online-tools/x509-certs/format-private-key]]

Note that this means pasting the SP private key into a third-party web page. The same single-line form can be produced locally by removing the line breaks from the PEM file, which keeps the key on the host.

We want the private key in the following form (**WITH headers and WITHOUT line breaks**):

~-~-~-~--BEGIN PRIVATE KEY~-~-~-~--YYYYYYY~-~-~-~--END PRIVATE KEY~-~-~-~--

with YYYYYYY the content of the "Private Key in string format" section.

[[image:http://rack-lure:8585/bin/download/Digdash_2019R2/others_documents/config_auth_saml2_sec/WebHome/1592386741842-227.png?width=504&height=591&rev=1.1||alt="1592386741842-227.png"]]

__OneLogin online tool: formatting a private key__
= V. Overriding properties in the security file =

In the SAMLv2 security file (.properties), add the following properties:

onelogin.saml2.sp.x509cert: the certificate containing the public key of the SP

onelogin.saml2.sp.privatekey: the SP private key (PKCS #8, on a single line, see sections III and IV)

onelogin.saml2.idp.x509cert: the certificate containing the IdP public key

Since the SP private key is stored in clear text in this file, restrict read access to the account running DigDash.

__Extract from the SAMLv2 security file overriding the properties concerning public / private keys__

(% class="box" %)
(((
...
\\# Service Provider Data that DigDash deploys
\\onelogin.saml2.sp.x509cert = ~-~-~-~--BEGIN CERTIFICATE~-~-~-~--XXXXXXX~-~-~-~--END CERTIFICATE~-~-~-~--
onelogin.saml2.sp.privatekey = ~-~-~-~--BEGIN PRIVATE KEY~-~-~-~--YYYYYYY~-~-~-~--END PRIVATE KEY~-~-~-~--
\\\\# Identity Provider Data used to connect with DigDash (SP)
\\onelogin.saml2.idp.x509cert = ~-~-~-~--BEGIN CERTIFICATE~-~-~-~--ZZZZZZZ~-~-~-~--END CERTIFICATE~-~-~-~--
\\...
)))

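As an added example (not code from this page, DigDash or OneLogin), the following POSIX shell functions carry out sections III to V locally, so the SP private key never has to be pasted into an online tool: they classify a key by its PEM header, run the PKCS #8 conversion, collapse a PEM file to the single-line form, check that the SP certificate really matches the SP key, and print the three property lines. OpenSSL is assumed to be installed; the file names passed as arguments are placeholders chosen by the caller.

```shell
#!/bin/sh
# Added example, not part of the original page or of DigDash/OneLogin code.
# Prepares the three onelogin.saml2.* values locally. Assumes OpenSSL is
# installed; file names passed as arguments are caller-chosen placeholders.
set -u

# Classify a PEM private key by its first line: pkcs8, pkcs1 or unknown.
pem_kind() {
  case "$(head -n 1 "$1" | tr -d '\r')" in
    "-----BEGIN PRIVATE KEY-----")     echo pkcs8 ;;
    "-----BEGIN RSA PRIVATE KEY-----") echo pkcs1 ;;
    *)                                 echo unknown ;;
  esac
}

# Convert a PKCS #1 key to PKCS #8 (same key material, different encoding).
# -nocrypt writes the key unencrypted, so the output file is made owner-only.
to_pkcs8() {
  openssl pkcs8 -topk8 -inform pem -nocrypt -in "$1" -outform pem -out "$2" &&
  chmod 600 "$2"
}

# Collapse a PEM file to one line, keeping the BEGIN/END headers: the form
# section IV expects for onelogin.saml2.*.x509cert and sp.privatekey.
pem_single_line() {
  tr -d '\r\n' < "$1"
}

# Check that the SP certificate ($1) carries the public half of the SP
# private key ($2) by comparing SHA-256 digests of the DER public keys.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform der | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the property lines of section V from sp_cert ($1), sp_key ($2) and
# idp_cert ($3). Refuses a non-PKCS #8 key so section III is not forgotten.
write_properties() {
  if [ "$(pem_kind "$2")" != pkcs8 ]; then
    echo "error: $2 is not a PKCS #8 key, convert it with to_pkcs8 first" >&2
    return 1
  fi
  printf 'onelogin.saml2.sp.x509cert = %s\n' "$(pem_single_line "$1")"
  printf 'onelogin.saml2.sp.privatekey = %s\n' "$(pem_single_line "$2")"
  printf 'onelogin.saml2.idp.x509cert = %s\n' "$(pem_single_line "$3")"
}
```

Typical use: `to_pkcs8 sp.rsa_key sp.pem`, then `cert_matches_key sp.crt sp.pem && write_properties sp.crt sp.pem idp.crt >> saml2.properties`.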
132 |