SAMLv2 Authentication – Configuration
As part of the implementation of the SAMLv2 authentication method, this document describes how to configure enhanced security through signature and encryption of SAMLv2 exchanges.
Prerequisites
In this document, the following terms are used:
- IdP: Identity Provider
- SP: Service Provider
- Kpr(SP): the SP’s private key
- Kpb(SP): the SP’s public key
- Kpr(IdP): the IdP’s private key
- Kpb(IdP): the IdP’s public key
You must have the following to hand:
- the SP’s private key
- the SP’s public key
- the IdP’s public key
- OpenSSL: a tool for handling objects used in secure connections (x509 certificates, signatures, encryption, etc.). In particular, it allows certificates to be formatted.
Principles
The parties and tools required to set up secure SAMLv2 communication (encrypted and/or signed) can be summarised as follows:
| Service Provider (SP) | Communication | Identity Provider (IdP) |
|---|---|---|
| Encrypts the data with Kpb(IdP); signs the data with Kpr(SP) | >>>>> The SP sends the encrypted and/or signed authentication request to the IdP | Decrypts the data with Kpr(IdP); validates the signature with Kpb(SP) |
| Decrypts the data with Kpr(SP); validates the signature with Kpb(IdP) | <<<<< The IdP sends the encrypted and/or signed SAMLv2 response to the SP | Encrypts the data with Kpb(SP); signs the data with Kpr(IdP) |
Principle: encryption and signing of data exchanged between the SP and the IdP
The SP must therefore have access to:
- the SP’s private key
- the SP’s public key
- the IdP’s public key
Private key formatting
OneLogin requires the PKCS#8 format for private keys (the key content must begin with ‘BEGIN PRIVATE KEY’).
If you have a private key in PKCS#1 format (the key’s content begins with ‘BEGIN RSA PRIVATE KEY’), reformat it by generating a new private key in the correct format using the command:
Retrieving keys as character strings
OneLogin provides online tools to retrieve keys as a string without losing the format.
Public key
You can use the tool available via the following link to retrieve the string corresponding to a public key:
https://developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate
We want to retrieve the public key in the following format (WITH headers and WITHOUT line breaks):
-----BEGIN CERTIFICATE-----XXXXXXX-----END CERTIFICATE-----
where XXXXXXX is the content of the ‘X.509 cert in string format’ section

OneLogin online tool: formatting an X.509 certificate containing a public key
Private key
You can use the tool available via the following link to retrieve the character string corresponding to a private key:
https://developers.onelogin.com/saml/online-tools/x509-certs/format-private-key
We want to retrieve the private key in the following format (WITH headers and WITHOUT line breaks):
-----BEGIN PRIVATE KEY-----YYYYYYY-----END PRIVATE KEY-----
where YYYYYYY is the content of the ‘Private Key in string format’ section

OneLogin online tool: formatting a private key
Overriding properties in the security file
In the SAMLv2 security file (saml.sec.properties), uncomment or add the following properties:
- onelogin.saml2.sp.x509cert: the certificate containing the SP’s public key
- onelogin.saml2.sp.privatekey: the SP’s private key
- onelogin.saml2.idp.x509cert: the certificate containing the IdP’s public key
Extract from the SAMLv2 security file overriding the properties relating to public/private keys
onelogin.saml2.sp.privatekey = -----BEGIN PRIVATE KEY-----YYYYYYY-----END PRIVATE KEY-----
onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----ZZZZZZZ-----END CERTIFICATE-----
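The following script is an added example (not OneLogin's or the project's own code) that produces the three property values in the exact form this page asks for: headers kept, line breaks removed, and PKCS#8 only for the private key. It rejects a PKCS#1 key (‘BEGIN RSA PRIVATE KEY’) with a pointer to the OpenSSL conversion instead of silently writing a value OneLogin will refuse; the PEM blocks in it are constructed sample data, not real keys.

```python
"""Build the key/certificate properties for saml.sec.properties.

Added example (not OneLogin or the project's code). Sample PEM blocks
below are constructed, valid base64 only, and contain no real key material.
"""
import base64
import re

_PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def parse_pem(text: str) -> tuple[str, str]:
    """Return (label, base64 body with all whitespace removed) of the first PEM block."""
    m = _PEM.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    base64.b64decode(body, validate=True)  # catch a truncated or corrupted copy early
    return label, body


def one_line(text: str, expected: str) -> str:
    """Collapse a PEM block to one line, keeping the BEGIN/END headers (OneLogin format)."""
    label, body = parse_pem(text)
    if label == "RSA PRIVATE KEY":
        # PKCS#1 is refused by OneLogin: convert with `openssl pkcs8 -topk8 -nocrypt` first
        raise ValueError("PKCS#1 private key; convert it to PKCS#8 (BEGIN PRIVATE KEY)")
    if label != expected:
        raise ValueError(f"expected a {expected} block, found {label}")
    return f"-----BEGIN {label}-----{body}-----END {label}-----"


def security_properties(sp_cert: str, sp_key: str, idp_cert: str) -> dict[str, str]:
    """Map each saml.sec.properties key to its single-line value."""
    return {
        "onelogin.saml2.sp.x509cert": one_line(sp_cert, "CERTIFICATE"),
        "onelogin.saml2.sp.privatekey": one_line(sp_key, "PRIVATE KEY"),
        "onelogin.saml2.idp.x509cert": one_line(idp_cert, "CERTIFICATE"),
    }


# Constructed sample blocks (valid base64, not real certificates or keys)
SP_CERT = "-----BEGIN CERTIFICATE-----\nU1BDRVJU\nU0FNUExF\n-----END CERTIFICATE-----\n"
SP_KEY = "-----BEGIN PRIVATE KEY-----\nU1BLRVk=\n-----END PRIVATE KEY-----\n"
IDP_CERT = "-----BEGIN CERTIFICATE-----\nSURQQ0VSVA==\n-----END CERTIFICATE-----\n"
PKCS1_KEY = "-----BEGIN RSA PRIVATE KEY-----\nUEtDUzE=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for key, value in security_properties(SP_CERT, SP_KEY, IDP_CERT).items():
        print(f"{key} = {value}")
```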