0 votes

I am using the spring-security SAML extension to implement IDP-initiated SSO for my application. I am using the HTTPS protocol and signature/encryption is ON. I don't need SLO or SP-initiated SSO.

On the transport layer's encryption/decryption (because of using the HTTPS protocol), I am fine, as my web container (the SP one) is going to take care of the decryption part. And this certificate could be different than the SP's certificate.

At the SP end, I need the IDP's public key to verify the signature on the SAMLAuthResponse message, which I have as part of the IDP's metadata file... so no issues here.

A couple of questions:

  1. For decryption of the SAMLAuthResponse message, do I need the SP certificate's private key?
  2. And if I need the private key, how do I create the bean definition for keyManager when I have the JKS file, JKS password and alias, but no password for the private key? Can I pass the empty string ("") in the password field of the alias-password value pair?

1 Answer

0 votes

You can skip usage of the private key in this case. You can find details on how to use Spring SAML without a keystore in the manual, chapter 8.1:

In case your application doesn't need to create digital signatures and/or decrypt incoming messages, it is possible to use an empty implementation of the keystore which doesn't require any JKS file - org.springframework.security.saml.key.EmptyKeyManager. This can be the case for example when using only IDP-Initialized single sign-on. Please note that when using the EmptyKeyManager some of Spring SAML features will be unavailable. This includes at least SP-initialized Single Sign-on, Single Logout, usage of additional keys in ExtendedMetadata and verification of metadata signatures. Use the following bean in order to initialize the EmptyKeyManager:

<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>
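For comparison, here is the keystore-backed alternative the asker's second question is about. This is an added example and not part of the original answer or of the Spring SAML manual text quoted above; the keystore path, the store password, the alias and the key password are placeholders you must replace with your own. It uses the JKSKeyManager constructor arguments in the order Spring SAML documents them (keystore resource, store password, map of alias to key password, default key alias). One check before choosing between the two beans: the EmptyKeyManager is only sufficient when the IdP signs but does not encrypt the assertion. If the IdP encrypts the assertion to the encryption certificate published in your SP metadata, the SP must hold the matching private key, and that is exactly what the JKSKeyManager supplies.

```xml
<!-- Option 1: IdP-initiated SSO only, signed (not encrypted) assertions.
     No private key is needed, so no JKS file is required. -->
<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>

<!-- Option 2: the SP must decrypt assertions (or sign its own messages).
     Values below are placeholders, not real credentials. -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <!-- keystore holding the SP private key and certificate -->
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <!-- password that protects the keystore itself -->
    <constructor-arg type="java.lang.String" value="changeit-store"/>
    <!-- alias -> password for each private key entry that Spring SAML may use -->
    <constructor-arg>
        <map>
            <entry key="sp-signing" value="changeit-key"/>
        </map>
    </constructor-arg>
    <!-- alias used by default for signing and decryption -->
    <constructor-arg type="java.lang.String" value="sp-signing"/>
</bean>
```

Only one `keyManager` bean may be active at a time; keep the one that matches your deployment and delete the other. Whatever password the private key entry was stored with (including an empty one, if the key was imported that way) is what goes into the map entry for that alias; the keystore password and the key password are separate values and do not need to match.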