SAMLv2 Authentication – Configuration

Last modified by Aurelie Bertrand on 2026/07/02 14:22


As part of the implementation of the SAMLv2 authentication method, this document describes how to configure enhanced security through signature and encryption of SAMLv2 exchanges.

Prerequisites

In this document, the following terms are used:

  • IdP: Identity Provider
  • SP: Service Provider
  • Kpr(SP): the SP’s private key
  • Kpb(SP): the SP’s public key
  • Kpr(IdP): the IdP’s private key
  • Kpb(IdP): the IdP’s public key

You must have the following to hand:

  • the SP’s private key
  • the SP’s public key
  • the IdP’s public key
  • OpenSSL: a tool for handling the objects used in secure connections (X.509 certificates, signatures, encryption, etc.). In particular, it converts keys and certificates between formats.

Important: 
If both parties (SP and IdP) are expected to sign their data:
- take particular care that the certificates carrying the exchanged public keys are issued by a certification authority (CA-signed certificates);
- if self-signed certificates are used, first check that both parties accept them.

Principles

The parties and tools required to set up secure SAMLv2 communication (encrypted and/or signed) can be summarised as follows:

Authentication request, sent by the SP to the IdP (encrypted and/or signed):

  • SP: encrypts the data with Kpb(IdP) and signs it with Kpr(SP)
  • IdP: decrypts the data with Kpr(IdP) and validates the signature with Kpb(SP)

SAMLv2 response, sent by the IdP to the SP (encrypted and/or signed):

  • IdP: encrypts the data with Kpb(SP) and signs it with Kpr(IdP)
  • SP: decrypts the data with Kpr(SP) and validates the signature with Kpb(IdP)

Principle: encryption and signing of data exchanged between the SP and the IdP

The SP must therefore hold:

  • the SP’s private key
  • the SP’s public key
  • the IdP’s public key

Private key formatting

OneLogin requires private keys in PKCS#8 format (the key content must begin with ‘BEGIN PRIVATE KEY’).

If your private key is in PKCS#1 format (its content begins with ‘BEGIN RSA PRIVATE KEY’), re-encode the same key as PKCS#8 with the following command. The ‘-nocrypt’ option writes the key unencrypted, so protect ‘sp.pem’ with restrictive file permissions, exactly as you would the original key:

openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem

Retrieving keys as character strings

OneLogin provides online tools to retrieve keys as a string without losing the format.

Public key

You can use the tool available via the following link to retrieve the string corresponding to a public key:

https://developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate

We want to retrieve the public key in the following format (WITH headers and WITHOUT line breaks):

-----BEGIN CERTIFICATE-----XXXXXXX-----END CERTIFICATE-----

where XXXXXXX is the content of the ‘X.509 cert in string format’ section

saml2_1.png

OneLogin online tool: formatting an X.509 certificate containing a public key

Private key

You can use the tool available via the following link to retrieve the character string corresponding to a private key. Bear in mind that this means pasting a private key into a web page; the transformation is only the removal of the line breaks between the header and the footer, so it can equally be done locally with a text editor or a script:

https://developers.onelogin.com/saml/online-tools/x509-certs/format-private-key

We want to retrieve the private key in the following format (WITH headers and WITHOUT line breaks):

-----BEGIN PRIVATE KEY-----YYYYYYY-----END PRIVATE KEY-----

where YYYYYYY is the content of the ‘Private Key in string format’ section

saml2_2.png

OneLogin online tool: formatting a private key

Overriding properties in the security file

In the SAMLv2 security file (saml.sec.properties), uncomment or add the following properties. Because this file then holds the SP’s private key, restrict read access to the account that runs the application:

  • onelogin.saml2.sp.x509cert: the certificate containing the SP’s public key
  • onelogin.saml2.sp.privatekey: the SP’s private key
  • onelogin.saml2.idp.x509cert: the certificate containing the IdP’s public key

Extract from the SAMLv2 security file overriding the properties relating to public/private keys

onelogin.saml2.sp.x509cert = -----BEGIN CERTIFICATE-----XXXXXXX-----END CERTIFICATE-----
onelogin.saml2.sp.privatekey = -----BEGIN PRIVATE KEY-----YYYYYYY-----END PRIVATE KEY-----

onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----ZZZZZZZ-----END CERTIFICATE-----