The SAML 2.0 Authentication type requires some configuration steps regarding the creation of certificates and, in some cases (when using the Java generator), the setup of the servlet server. This document explains in detail the steps that should be considered.
This is useful in completing the Credentials tab information of SAML 2.0 Authentication type configuration.
First, note that, for testing purposes, you will not need a valid CA certificate. A self-signed certificate will do.
openssl req -newkey rsa:2048 -keyout key.pem -x509 -days 365 -out certificate.pem
As a result, you'll have key.pem containing the private key, and certificate.pem containing the certificate (public key).
For Agesic, you have to change the format of the file containing the public key, and turn it into a .crt file (the certificate to be sent to Agesic):
openssl x509 -outform der -in certificate.pem -out certificate.crt
For Agesic, the certificate used to sign the request (of the Service Provider to the Identity Provider) should have the following characteristics:
- 2048 key length
- SHA256 algorithm
- No flags
You will need to change the format of the file containing the private key and turn it into a PKCS#12 (.pfx) file, in order to reference it in the Key Store Path property of the Request Credentials section of the SAML 2.0 Authentication type configuration. Use the same password used when creating the certificate in the step described above.
openssl pkcs12 -export -in certificate.pem -inkey key.pem -out certificate.pkcs12
For configuring the Response Credentials section of SAML 2.0 Authentication type, bear in mind that you must create a Keystore using the Agesic-Coesys-Testing.cer file provided by Agesic.
cd c:\Program Files\Java\jdk1.8.0_20\jre\bin
keytool -importcert -trustcacerts -noprompt -storepass changeit -alias 1 -file c:\temp\Agesic-Coesys-Testing.cer -keystore server.jks
openssl pkcs12 -export -in certificate.pem -inkey key.pem -out server.p12
keytool -importkeystore -srckeystore C:\temp\server.p12 -destkeystore server.jks -srcstoretype pkcs12
As a result, you'll have a .jks file (server.jks) that must be referenced under the Trust Store Path property of the Response Credentials configuration.
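The following script is an added example (not part of the original page or of GeneXus) that puts the Request Credentials steps above together for a POSIX shell: it generates the Service Provider key pair with the characteristics required for Agesic (RSA 2048, SHA256), produces the .crt and PKCS#12 files, checks those characteristics with openssl before the certificate is sent anywhere, and offers the keytool trust-store import from the Response Credentials steps. The subject name, the password and the work directory are constructed placeholders; openssl is assumed to be on the PATH, and the keytool step is skipped when no JDK is present.

```shell
# Added example, not from the original page: build the Service Provider key material
# with the characteristics the text requires (RSA 2048, SHA256), produce the .crt (DER)
# and PKCS#12 files the configuration references, and verify them before sending anything.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="${SP_KEYSTORE_PASS:-changeit}"   # constructed password for this demo only

# Key + self-signed certificate, non-interactive (constructed subject, unencrypted key).
generate_sp_material() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=sp.example.invalid" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/certificate.pem" 2>/dev/null
  # DER-encoded certificate (.crt): the file handed to the Identity Provider
  openssl x509 -outform der -in "$WORKDIR/certificate.pem" -out "$WORKDIR/certificate.crt"
  # PKCS#12 bundle (.pfx) for the Key Store Path property
  openssl pkcs12 -export -in "$WORKDIR/certificate.pem" -inkey "$WORKDIR/key.pem" \
    -out "$WORKDIR/certificate.pfx" -passout "pass:$PASS"
}

# Print the RSA key length (bits) of a PEM certificate's public key.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Check the two requirements stated for the request-signing certificate.
check_sp_certificate() {
  [ "$(cert_key_bits "$1")" = "2048" ] || { echo "key length is not 2048"; return 1; }
  case "$(cert_sig_alg "$1")" in
    sha256*) return 0 ;;
    *) echo "signature algorithm is not SHA256"; return 1 ;;
  esac
}

# Import the Identity Provider's certificate ($1) into the JKS trust store ($2) for the
# Trust Store Path property; skipped (not failed) when no JDK keytool is on the PATH.
import_idp_cert() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping"; return 0; }
  keytool -importcert -trustcacerts -noprompt -storepass "$PASS" \
    -alias idp -file "$1" -keystore "$2"
}

generate_sp_material
check_sp_certificate "$WORKDIR/certificate.pem" && echo "certificate.pem meets the requirements"
```

Run `import_idp_cert /path/to/Agesic-Coesys-Testing.cer "$WORKDIR/server.jks"` afterwards to build the trust store from the file Agesic provides.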
You can use openssl to generate a pair of keys as explained above.
For the Request Credentials, see the Request Credentials steps earlier in this document; they apply to both SAP and Agesic.
To read the response, you must convert the certificate provided by SAP into X.509 format. For this purpose, you may use samlTool.
Then save the result to a .pem file.
Afterwards, execute the following:
cd C:\Program Files\Java\jdk1.8.0_162\bin
keytool -import -file C:\cert\sapkey.pem -keystore C:\cert\sapkeystore.jks
You may generate a new alias by executing:
In .NET you cannot use a Java KeyStore.
Certificates and encodings