Description

Describe how to set up a signing keystore for encryption and signing for a SAML SSO Identity Provider.

Procedure

The keystore for SAML Encryption and Signing is discussed here: 

https://docs.servicenow.com/bundle/madrid-platform-administration/page/integrate/single-sign-on/task/t_CreateASAML2Upd1SSOConfigMultiSSO.html 

Under: 

4. (Optional) Encryption And Signing tab 

There are two out-of-the-box keystores provided for this. Go to "x509 Certificate" in the UI and find these:

1. SAML 2.0 SP Keystore 
2. SAML 2.0 Keystore_Key2048_SHA256 

The "SAML 2.0 SP Keystore" provides 128-bit support 
The "SAML 2.0 Keystore_Key2048_SHA256" provides 256-bit support 

(A) To use the "SAML 2.0 SP Keystore", configure the Identity Provider record as follows in the "Encryption and Signing" section:

Signing/Encryption Key Alias = saml2sp 
Signing/Encryption Key Password = saml2sp 
Signing Signature Algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1 

Select the appropriate check boxes for what you want to encrypt or sign:
Encrypt Assertion 
Sign AuthnRequest 
Sign LogoutRequest 

(B) To use the "SAML 2.0 Keystore_Key2048_SHA256" (the 256-bit key), you will also need to do the following:

From the x509 Certificate list view: 

Set "SAML 2.0 SP Keystore" Active = false 
Set "SAML 2.0 Keystore_Key2048_SHA256" Active = true 

Set the system property:
glide.authenticate.sso.saml2.keystore Value = <the sys_id of the "SAML 2.0 Keystore_Key2048_SHA256" record in the sys_certificate table>

Then configure the Identity Provider record as follows in the "Encryption and Signing" section: 

Signing/Encryption Key Alias = saml2sp 
Signing/Encryption Key Password = saml2sp 
Signing Signature Algorithm = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 

Select the appropriate check boxes for what you want to encrypt or sign:
Encrypt Assertion 
Sign AuthnRequest 
Sign LogoutRequest 

(C) After the IdP record has been updated as above using either keystore, select the "Generate Metadata" button on the IdP record to get the signing certificate into your IdP. The signing certificate appears in the X509Certificate XML tag of the generated metadata, e.g.:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://empncosmidis3.service-now.com"> 
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 
<KeyDescriptor use="signing" > 
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDoTCCAomgAwIBAgIERs1yFjANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMxCzAJBgNV 
BAgTAkNBMRQwEgYDVQQHEwtTYW50YSBDbGFyYTETMBEGA1UEChMKU2VydmljZU5vdzEdMBsGA1UE 
CxMUUGxhdGZvcm0gRGV2ZWxvcG1lbnQxGjAYBgNVBAMTEVBsYXRmb3JtIFNlY3VyaXR5MB4XDTE2 
MDMwOTIyNTYyMVoXDTI2MDMwNzIyNTYyMVowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEU 
MBIGA1UEBxMLU2FudGEgQ2xhcmExEzARBgNVBAoTClNlcnZpY2VOb3cxHTAbBgNVBAsTFFBsYXRm 
b3JtIERldmVsb3BtZW50MRowGAYDVQQDExFQbGF0Zm9ybSBTZWN1cml0eTCCASIwDQYJKoZIhvcN 
AQEBBQADggEPADCCAQoCggEBAMdREVxdscrxy9ap/UnDsdihJjoKxY6qpxvLUHUGKjTsSNNu/6Fd 
hh4y5hkYLklY0vEdXStqwvqJjqiCn1LPPo/WjWBAv1kVZXiA0pbaxRaX0wtQ2zo4ddIpCc6/UFOZ 
QxPTk+974KPKiA9wDa9/mSqfLfzPmDrSPGLvbiQACTHozLTXxMv+z7pJg77muWIHet5pdrUThF9w 
8iANYTRie+dl+LxEyF5U5tdQXlFgRo5qBQQvSDVL+FbjiX+XllNLwP2RX7IwZChxi6B8dgkAuXTX 
dII309L9NXy3E8pefhAJgSe5FnkGaQk/HlqOBtgKdp9/Rf5Uy6fz0ZJmEqKzM+8CAwEAAaMhMB8w 
HQYDVR0OBBYEFNF7CaQY7kZQM5ulSV8bOAl2mgdNMA0GCSqGSIb3DQEBCwUAA4IBAQC+f3HXbp/2 
IaF/bmUICCkVragGpX4IslJPxjdShUA7qwIZ8YNZZHT9R8bRrcOIRy83fKiXDmlWYSgiuA3cckH4 
WSvwCHOCSi0H72/L9QRjqcrlzpzoCFP1v57tzGOPyAsRr/kU7v01g6bCKlnXPhXpX6EA5m0h37vQ 
rV++9aXSiThRbatOkRVow4NohbkVZA8zhn6kxSI3nwM1xRO30dtb8iQGo/2/J9d2pzLKnvC3pFVF 
W7GRabHJ8Zv5k/9f45/9F8l/9+v8g+OaqEdQuAdymHbeFQ732vd/4MuJWHylQGcyQz7ytJUqr7j4 
epX6Li/sQdXGaLxLM+rEKFMY7uB/</ds:X509Certificate></ds:X509Data></ds:KeyInfo> 
</KeyDescriptor> 
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://empncosmidis3.service-now.com/navpage.do"/> 
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> 
<AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://empncosmidis3.service-now.com/navpage.do" /> 
<AssertionConsumerService isDefault="false" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://empncosmidis3.service-now.com/consumer.do" /> 
</SPSSODescriptor> 
</EntityDescriptor> 

To format this as a PEM certificate (as may be required by the IdP), wrap the <ds:X509Certificate> value between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, as in this example:

-----BEGIN CERTIFICATE----- 
MIIDoTCCAomgAwIBAgIERs1yFjANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMxCzAJBgNV 
BAgTAkNBMRQwEgYDVQQHEwtTYW50YSBDbGFyYTETMBEGA1UEChMKU2VydmljZU5vdzEdMBsGA1UE 
CxMUUGxhdGZvcm0gRGV2ZWxvcG1lbnQxGjAYBgNVBAMTEVBsYXRmb3JtIFNlY3VyaXR5MB4XDTE2 
MDMwOTIyNTYyMVoXDTI2MDMwNzIyNTYyMVowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEU 
MBIGA1UEBxMLU2FudGEgQ2xhcmExEzARBgNVBAoTClNlcnZpY2VOb3cxHTAbBgNVBAsTFFBsYXRm 
b3JtIERldmVsb3BtZW50MRowGAYDVQQDExFQbGF0Zm9ybSBTZWN1cml0eTCCASIwDQYJKoZIhvcN 
AQEBBQADggEPADCCAQoCggEBAMdREVxdscrxy9ap/UnDsdihJjoKxY6qpxvLUHUGKjTsSNNu/6Fd 
hh4y5hkYLklY0vEdXStqwvqJjqiCn1LPPo/WjWBAv1kVZXiA0pbaxRaX0wtQ2zo4ddIpCc6/UFOZ 
QxPTk+974KPKiA9wDa9/mSqfLfzPmDrSPGLvbiQACTHozLTXxMv+z7pJg77muWIHet5pdrUThF9w 
8iANYTRie+dl+LxEyF5U5tdQXlFgRo5qBQQvSDVL+FbjiX+XllNLwP2RX7IwZChxi6B8dgkAuXTX 
dII309L9NXy3E8pefhAJgSe5FnkGaQk/HlqOBtgKdp9/Rf5Uy6fz0ZJmEqKzM+8CAwEAAaMhMB8w 
HQYDVR0OBBYEFNF7CaQY7kZQM5ulSV8bOAl2mgdNMA0GCSqGSIb3DQEBCwUAA4IBAQC+f3HXbp/2 
IaF/bmUICCkVragGpX4IslJPxjdShUA7qwIZ8YNZZHT9R8bRrcOIRy83fKiXDmlWYSgiuA3cckH4 
WSvwCHOCSi0H72/L9QRjqcrlzpzoCFP1v57tzGOPyAsRr/kU7v01g6bCKlnXPhXpX6EA5m0h37vQ 
rV++9aXSiThRbatOkRVow4NohbkVZA8zhn6kxSI3nwM1xRO30dtb8iQGo/2/J9d2pzLKnvC3pFVF 
W7GRabHJ8Zv5k/9f45/9F8l/9+v8g+OaqEdQuAdymHbeFQ732vd/4MuJWHylQGcyQz7ytJUqr7j4 
epX6Li/sQdXGaLxLM+rEKFMY7uB/ 
-----END CERTIFICATE----- 
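The extraction and PEM wrapping described in (C) can be scripted so the certificate handed to the IdP is checked before it is pasted anywhere. The script below is an added example (not ServiceNow code and not from this article): it embeds the article's generated metadata as a constructed sample, pulls out every KeyDescriptor usable for signing, verifies that the decoded DER's outer SEQUENCE header matches the buffer length (which catches a truncated copy-and-paste), writes the PEM with 64-character lines using the Python standard library, prints a SHA-256 fingerprint that can be compared against what the IdP shows after import, and flags the rsa-sha1 signature algorithm used by the "SAML 2.0 SP Keystore" configuration in (A), since SHA-1 is deprecated for digital signatures. The function names are this example's own.

```python
"""Extract the SP signing certificate from ServiceNow SAML metadata, sanity-check
the DER and emit PEM. Added example for this article, not ServiceNow code. It
assumes the metadata has the shape the "Generate Metadata" button produces;
SAMPLE_METADATA is the article's document with its certificate embedded
(constructed sample input; the second AssertionConsumerService is omitted)."""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Signature algorithm URIs configured in sections (A) and (B) of the article.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

SAMPLE_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://empncosmidis3.service-now.com">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
MIIDoTCCAomgAwIBAgIERs1yFjANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMxCzAJBgNV
BAgTAkNBMRQwEgYDVQQHEwtTYW50YSBDbGFyYTETMBEGA1UEChMKU2VydmljZU5vdzEdMBsGA1UE
CxMUUGxhdGZvcm0gRGV2ZWxvcG1lbnQxGjAYBgNVBAMTEVBsYXRmb3JtIFNlY3VyaXR5MB4XDTE2
MDMwOTIyNTYyMVoXDTI2MDMwNzIyNTYyMVowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEU
MBIGA1UEBxMLU2FudGEgQ2xhcmExEzARBgNVBAoTClNlcnZpY2VOb3cxHTAbBgNVBAsTFFBsYXRm
b3JtIERldmVsb3BtZW50MRowGAYDVQQDExFQbGF0Zm9ybSBTZWN1cml0eTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMdREVxdscrxy9ap/UnDsdihJjoKxY6qpxvLUHUGKjTsSNNu/6Fd
hh4y5hkYLklY0vEdXStqwvqJjqiCn1LPPo/WjWBAv1kVZXiA0pbaxRaX0wtQ2zo4ddIpCc6/UFOZ
QxPTk+974KPKiA9wDa9/mSqfLfzPmDrSPGLvbiQACTHozLTXxMv+z7pJg77muWIHet5pdrUThF9w
8iANYTRie+dl+LxEyF5U5tdQXlFgRo5qBQQvSDVL+FbjiX+XllNLwP2RX7IwZChxi6B8dgkAuXTX
dII309L9NXy3E8pefhAJgSe5FnkGaQk/HlqOBtgKdp9/Rf5Uy6fz0ZJmEqKzM+8CAwEAAaMhMB8w
HQYDVR0OBBYEFNF7CaQY7kZQM5ulSV8bOAl2mgdNMA0GCSqGSIb3DQEBCwUAA4IBAQC+f3HXbp/2
IaF/bmUICCkVragGpX4IslJPxjdShUA7qwIZ8YNZZHT9R8bRrcOIRy83fKiXDmlWYSgiuA3cckH4
WSvwCHOCSi0H72/L9QRjqcrlzpzoCFP1v57tzGOPyAsRr/kU7v01g6bCKlnXPhXpX6EA5m0h37vQ
rV++9aXSiThRbatOkRVow4NohbkVZA8zhn6kxSI3nwM1xRO30dtb8iQGo/2/J9d2pzLKnvC3pFVF
W7GRabHJ8Zv5k/9f45/9F8l/9+v8g+OaqEdQuAdymHbeFQ732vd/4MuJWHylQGcyQz7ytJUqr7j4
epX6Li/sQdXGaLxLM+rEKFMY7uB/
</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://empncosmidis3.service-now.com/navpage.do"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://empncosmidis3.service-now.com/navpage.do"/>
</SPSSODescriptor>
</EntityDescriptor>
"""

def signing_certificates(metadata_xml: str) -> list:
    """Base64 bodies of every certificate usable for signing. In SAML metadata a
    KeyDescriptor without a 'use' attribute covers both signing and encryption,
    so it is included as well."""
    root = ET.fromstring(metadata_xml.strip())
    found = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            found.append("".join((cert.text or "").split()))
    return found

def der_bytes(b64_text: str) -> bytes:
    """Decode the base64 and check that the outer DER SEQUENCE header covers the
    whole buffer; a truncated or mis-pasted certificate fails here, not at the IdP."""
    der = base64.b64decode("".join(b64_text.split()))
    # Real certificates exceed 255 bytes, so the length always uses the 0x82 form.
    if len(der) < 4 or der[0] != 0x30 or der[1] != 0x82:
        raise ValueError("not a DER SEQUENCE with a two-byte length")
    declared = int.from_bytes(der[2:4], "big") + 4
    if declared != len(der):
        raise ValueError(f"DER length mismatch: header {declared}, actual {len(der)}")
    return der

def to_pem(b64_text: str) -> str:
    """PEM with 64-character lines, the form most IdPs expect when importing."""
    return ssl.DER_cert_to_PEM_cert(der_bytes(b64_text))

def pem_to_der(pem: str) -> bytes:
    return ssl.PEM_cert_to_DER_cert(pem)

def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, to compare against what the IdP
    displays after import so the right certificate is trusted."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def classify_signature_algorithm(uri: str) -> str:
    """Section (A) configures rsa-sha1; SHA-1 is deprecated for digital
    signatures, so flag it when reviewing an IdP record."""
    return {RSA_SHA256: "recommended", RSA_SHA1: "deprecated"}.get(uri, "unknown")

if __name__ == "__main__":
    for b64 in signing_certificates(SAMPLE_METADATA):
        der = der_bytes(b64)
        print(f"{len(der)} bytes DER, SHA-256 {fingerprint_sha256(der)}")
        print(to_pem(b64), end="")
    print("rsa-sha1 is", classify_signature_algorithm(RSA_SHA1))
```

Run it as-is to see the PEM and fingerprint for the article's certificate; to use it on your own instance, replace SAMPLE_METADATA with the output of "Generate Metadata" and compare the printed fingerprint with the one the IdP shows after import.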

(D) Note that you also have the option to create your own keystore instead of using the out-of-the-box versions; see:

https://docs.servicenow.com/bundle/madrid-platform-administration/page/integrate/saml/task/t_CreatingAServiceProviderKeyStore.html 
and 
https://docs.servicenow.com/bundle/madrid-platform-administration/page/integrate/saml/task/t_InstallASPKeystoreSigningSAMLReqs.html 


Applicable Versions

All versions

Article Information

Last Updated: 2020-01-23 13:43:23
Published: 2020-01-23