How do you check or update a SSL key for a SP client in SAMLv2?

I’m using ForgeRock 6.5.2.3 at work.
I have created a configuration for a client application, in SAMLv2.
So I have a circle of trust + hosted entity provider.
I did all of this a month ago.

Today they gave me a new version of their XML MetaData SP file. Inside of it there is the x509 block with their public key. Key that will be used to sign their XML exchanges with me: they are the SP, I am the IDP and I will check what they submit to me.

My problem is I have not been able to find how to check or update the key from within ForgeRock.

I start with the docs:

If I go into the circle of trust, I can see there is one. But it does not show nor list the SP ssl key.
I then tried to go into the entity provider for my SP.
There, I can see a current value “feduatsigncert”

I have absolutely no idea what this is. Is this my SSL key that ForgeRock will use to sign the XML we produce and send to the SP? Or is this an alias to their public SSL key they will use to sign their XMLs so my IDP can check them?

I went into Configure → Secret Stores → default keystore
In the mappings tabs there is NO entry for the SP client. In fact, there is NO entry for ANY of the existing SAMLv2 clients, and we have a nice bunch of those (well over 10).

Previously I was using Keycloak, and to check/see/export/upgrade the client application SP all I had to do was get into the client, select the “SAML Keys” tab and I could delete/import/export the key from either a .CER or .PEM file.

We have now moved to ForgeRock and… I am trying to find the same information.

For an existing SAMLv2 configuration, I want to see the current SSL key that is supposed to be the SP application key.

I want to be able to see it, or export it, so I can use a tool like the x509 cert decoder from sslshopper to analyze the cert, and check the expiration dates and if the domain of validity for the key is the proper one.

I want to be able to “update” that cert, or import the latest one I have, so I am 100% sure that my IDP will use the proper OpenSSL key from the SP to check the signature of the XMLs they will send me.

I have checked the docs as much as I can but I have not found where the SAMLv2 public keys from the SP are stored. Nor how to export them, or upgrade them.

If someone can help.

Hey @gilbert.fernandes.stime,

A couple quick comments before we get started:

  1. You should definitely look into upgrading to a newer version of AM, as 6.5 is no longer supported and the newest versions of AM continue to introduce a lot more fun things and make them all easier to use.
  2. The documentation you referenced is for 5.5, and there are some notable differences between 5.5 and 6.5 (although to be fair, I don’t think there are any which would change the answer to your inquiry).

So there are two main questions I see here:

  1. How do I update the signing certificate for a remote SP?
  2. How do I view the existing certificate for a remote SP?

To update the signing certificate for a remote SP there are two ways to go about this (that I can think of, perhaps others will offer up other methods). First, you can simply delete the existing SP configuration and import the new metadata containing the updated certificate. You’ll want to make sure you keep track of any attribute mappings that you have for the SP and reconfigure those once you’ve re-imported the metadata. The other approach would be to use Amster to export the existing configuration, modify the certificate information (you’d be looking for the KeyDescriptor element with a use of signing or if only one KeyDescriptor exists use that one, the X509Certificate element will be a couple of child nodes down from that), and then re-import the Amster entity.

To view the existing data, you also have two approaches (I’m sensing a common theme around the number 2). The easiest by far is to use the exportmetadata functionality in AM, where you can simply go to https://youramsite.com/openam/saml2/jsp/exportmetadata.jsp?entityid=yourentityid&realm=/yourrealm and copy the certificate out of the rendered metadata. The other approach would be to use Amster to export the metadata of the SP entity and then parse the certificate out from that. I don’t see a reason why you’d use the latter approach, but I’m putting it out there for you.

With regards to your exploration into Secret Stores, AM did not start using Secret Stores for SAML secret mappings until after 6.5 (with the exception of encrypting the local storage JWT for tracking SSO progress without sticky sessions, but that doesn’t apply here). Even then, the Secret Store mappings are for keys managed and used by AM (e.g. IDP assertion signing) and not the keys used by remote entities.

I hope this information is helpful to you, and I’m happy to answer any follow up questions you may have.
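The check the question is after (pull the SP signing certificate out of the metadata that exportmetadata.jsp returns, or out of the SP's new metadata file, and read its validity dates), as an added example that belongs to neither post; the entityID, metadata and certificate below are constructed samples, and the DER reader is deliberately minimal (stdlib only, no certificate library):

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_cert_der(metadata_xml: str) -> bytes:
    """DER bytes of the SP signing cert: KeyDescriptor use="signing", else the lone KeyDescriptor."""
    kds = ET.fromstring(metadata_xml).findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS)
    chosen = [k for k in kds if k.get("use") == "signing"] or kds
    if len(chosen) != 1:
        raise ValueError(f"expected one signing KeyDescriptor, found {len(chosen)}")
    b64 = chosen[0].findtext(".//ds:X509Certificate", namespaces=NS)
    return base64.b64decode("".join(b64.split()))  # metadata usually wraps the base64 across lines

def _der_children(value: bytes):
    """Yield (tag, body) for each DER TLV inside a constructed value (short and long lengths)."""
    pos = 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                      # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        yield tag, value[pos:pos + length]
        pos += length

def cert_validity(der: bytes):
    """(notBefore, notAfter) as UTC datetimes, read straight from the X.509 DER structure."""
    tbs = next(_der_children(next(_der_children(der))[1]))[1]       # Certificate -> tbsCertificate
    fields = [(t, v) for t, v in _der_children(tbs) if t != 0xA0]    # drop the optional [0] version
    validity = fields[3][1]                  # serialNumber, signature, issuer, validity, subject, ...
    times = [dt.datetime.strptime(txt.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")
             .replace(tzinfo=dt.timezone.utc) for tag, txt in _der_children(validity)]  # UTCTime/GeneralizedTime
    return tuple(times)

def days_until_expiry(metadata_xml: str, now=None) -> int:
    now = now or dt.datetime.now(dt.timezone.utc)
    return (cert_validity(signing_cert_der(metadata_xml))[1] - now).days

# Constructed sample: a minimal unsigned X.509 skeleton (a real cert also carries a key and signature)
def _enc(tag, body):  # short-form DER TLV, enough for this tiny sample
    return bytes([tag, len(body)]) + body
_VALIDITY = _enc(0x30, _enc(0x17, b"230101000000Z") + _enc(0x17, b"260101000000Z"))
_TBS = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")                 # [0] v3, serial
              + _enc(0x30, b"") + _enc(0x30, b"") + _VALIDITY + _enc(0x30, b""))         # sigAlg, issuer, validity, subject
SAMPLE_DER = _enc(0x30, _TBS + _enc(0x30, b"") + _enc(0x03, b"\x00"))                   # + signatureAlgorithm, signatureValue
SAMPLE_METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://sp.example.test">'
                   '<md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                   + base64.b64encode(SAMPLE_DER).decode() + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')
```

Feed `signing_cert_der` the XML saved from the exportmetadata.jsp URL above and the XML of the new SP file, and comparing the two byte strings tells you whether AM still holds the old certificate before you re-import.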
