Setup of Signing Keystore for Encryption and Signing for a SAML SSO Identity Provider (with Washington Releases updates) - Support and Troubleshooting
KB0753604

Last updated: Feb 29, 2024

Issue

Describe how to set up a Signing Keystore for Encryption and Signing for a SAML SSO Identity Provider.

The keystore for SAML Encryption and Signing is discussed here: SAML 2.0 configuration using Multi-Provider SSO, under section 4. (Optional) Encryption And Signing tab.

There are two out-of-the-box keystores provided for this; go to "x509 Certificate" in the UI and find these:

  1. (Deprecated Keystore) SAML 2.0 SP Keystore: provides 128-bit support
    • To use the "SAML 2.0 SP Keystore", configure the Identity Provider record as follows in the "Encryption and Signing" section:
      1. Signing/Encryption Key Alias = saml2sp
      2. Signing/Encryption Key Password = saml2sp
      3. Signing Signature Algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1
        Select the appropriate checkboxes for what you want to sign or encrypt:
        • Encrypt Assertion
        • Sign AuthnRequest
        • Sign LogoutRequest
  2. SAML 2.0 Keystore_Key2048_SHA256 or SAML 2.0 Keystore_Key2048_SHA256_FIPS: provides 256-bit support
    • To use this 256-bit key you will also need to do the following:
      1. From the x509 Certificate list view:
        • Set "SAML 2.0 SP Keystore" Active = false
        • Set "SAML 2.0 Keystore_Key2048_SHA256" Active = true, or set "SAML 2.0 Keystore_Key2048_SHA256_FIPS" Active = true
        • Set the system property glide.authenticate.sso.saml2.keystore to the sys_id of the record you activated in the sys_certificate table:
          • "SAML 2.0 Keystore_Key2048_SHA256": out-of-the-box sys_id 3685fc22930212003c5537ae867ffb91
          • "SAML 2.0 Keystore_Key2048_SHA256_FIPS": out-of-the-box sys_id c60ad24b732220103a5b0dd43cf6a7db
      2. Configure the Identity Provider record as follows in the "Encryption and Signing" section:
        • Signing/Encryption Key Alias = saml2sp
        • Signing/Encryption Key Password = saml2sp
        • Signing Signature Algorithm = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
          Select the appropriate checkboxes for what you want to sign or encrypt:
          • Encrypt Assertion
          • Sign AuthnRequest
          • Sign LogoutRequest
      3. After the IdP record has been updated as above (with either keystore), get the signing certificate into your IdP: select the "Generate Metadata" button on the IdP record, and the signing certificate appears in the X509Certificate XML tag, e.g.:
        <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://<instance-name>.service-now.com"> 
        <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing" >
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDoTCCAomgAwIBAgIERs1yFjANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMxCzAJBgNV
        BAgTAkNBMRQwEgYDVQQHEwtTYW50YSBDbGFyYTETMBEGA1UEChMKU2VydmljZU5vdzEdMBsGA1UE
        CxMUUGxhdGZvcm0gRGV2ZWxvcG1lbnQxGjAYBgNVBAMTEVBsYXRmb3JtIFNlY3VyaXR5MB4XDTE2
        MDMwOTIyNTYyMVoXDTI2MDMwNzIyNTYyMVowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEU
        MBIGA1UEBxMLU2FudGEgQ2xhcmExEzARBgNVBAoTClNlcnZpY2VOb3cxHTAbBgNVBAsTFFBsYXRm
        b3JtIERldmVsb3BtZW50MRowGAYDVQQDExFQbGF0Zm9ybSBTZWN1cml0eTCCASIwDQYJKoZIhvcN
        AQEBBQADggEPADCCAQoCggEBAMdREVxdscrxy9ap/UnDsdihJjoKxY6qpxvLUHUGKjTsSNNu/6Fd
        hh4y5hkYLklY0vEdXStqwvqJjqiCn1LPPo/WjWBAv1kVZXiA0pbaxRaX0wtQ2zo4ddIpCc6/UFOZ
        QxPTk+974KPKiA9wDa9/mSqfLfzPmDrSPGLvbiQACTHozLTXxMv+z7pJg77muWIHet5pdrUThF9w
        8iANYTRie+dl+LxEyF5U5tdQXlFgRo5qBQQvSDVL+FbjiX+XllNLwP2RX7IwZChxi6B8dgkAuXTX
        dII309L9NXy3E8pefhAJgSe5FnkGaQk/HlqOBtgKdp9/Rf5Uy6fz0ZJmEqKzM+8CAwEAAaMhMB8w
        HQYDVR0OBBYEFNF7CaQY7kZQM5ulSV8bOAl2mgdNMA0GCSqGSIb3DQEBCwUAA4IBAQC+f3HXbp/2
        IaF/bmUICCkVragGpX4IslJPxjdShUA7qwIZ8YNZZHT9R8bRrcOIRy83fKiXDmlWYSgiuA3cckH4
        WSvwCHOCSi0H72/L9QRjqcrlzpzoCFP1v57tzGOPyAsRr/kU7v01g6bCKlnXPhXpX6EA5m0h37vQ
        rV++9aXSiThRbatOkRVow4NohbkVZA8zhn6kxSI3nwM1xRO30dtb8iQGo/2/J9d2pzLKnvC3pFVF
        W7GRabHJ8Zv5k/9f45/9F8l/9+v8g+OaqEdQuAdymHbeFQ732vd/4MuJWHylQGcyQz7ytJUqr7j4
        epX6Li/sQdXGaLxLM+rEKFMY7uB/</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://<instance-name>.service-now.com/navpage.do"/> 
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<instance-name>.service-now.com/navpage.do" />
        <AssertionConsumerService isDefault="false" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<instance-name>.service-now.com/consumer.do" />
        </SPSSODescriptor>
        </EntityDescriptor>
        To format this as a PEM certificate (as the IdP may require), wrap the <ds:X509Certificate> value in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, as in this example:
        -----BEGIN CERTIFICATE-----
        MIIDoTCCAomgAwIBAgIERs1yFjANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMxCzAJBgNV
        BAgTAkNBMRQwEgYDVQQHEwtTYW50YSBDbGFyYTETMBEGA1UEChMKU2VydmljZU5vdzEdMBsGA1UE
        CxMUUGxhdGZvcm0gRGV2ZWxvcG1lbnQxGjAYBgNVBAMTEVBsYXRmb3JtIFNlY3VyaXR5MB4XDTE2
        MDMwOTIyNTYyMVoXDTI2MDMwNzIyNTYyMVowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEU
        MBIGA1UEBxMLU2FudGEgQ2xhcmExEzARBgNVBAoTClNlcnZpY2VOb3cxHTAbBgNVBAsTFFBsYXRm
        b3JtIERldmVsb3BtZW50MRowGAYDVQQDExFQbGF0Zm9ybSBTZWN1cml0eTCCASIwDQYJKoZIhvcN
        AQEBBQADggEPADCCAQoCggEBAMdREVxdscrxy9ap/UnDsdihJjoKxY6qpxvLUHUGKjTsSNNu/6Fd
        hh4y5hkYLklY0vEdXStqwvqJjqiCn1LPPo/WjWBAv1kVZXiA0pbaxRaX0wtQ2zo4ddIpCc6/UFOZ
        QxPTk+974KPKiA9wDa9/mSqfLfzPmDrSPGLvbiQACTHozLTXxMv+z7pJg77muWIHet5pdrUThF9w
        8iANYTRie+dl+LxEyF5U5tdQXlFgRo5qBQQvSDVL+FbjiX+XllNLwP2RX7IwZChxi6B8dgkAuXTX
        dII309L9NXy3E8pefhAJgSe5FnkGaQk/HlqOBtgKdp9/Rf5Uy6fz0ZJmEqKzM+8CAwEAAaMhMB8w
        HQYDVR0OBBYEFNF7CaQY7kZQM5ulSV8bOAl2mgdNMA0GCSqGSIb3DQEBCwUAA4IBAQC+f3HXbp/2
        IaF/bmUICCkVragGpX4IslJPxjdShUA7qwIZ8YNZZHT9R8bRrcOIRy83fKiXDmlWYSgiuA3cckH4
        WSvwCHOCSi0H72/L9QRjqcrlzpzoCFP1v57tzGOPyAsRr/kU7v01g6bCKlnXPhXpX6EA5m0h37vQ
        rV++9aXSiThRbatOkRVow4NohbkVZA8zhn6kxSI3nwM1xRO30dtb8iQGo/2/J9d2pzLKnvC3pFVF
        W7GRabHJ8Zv5k/9f45/9F8l/9+v8g+OaqEdQuAdymHbeFQ732vd/4MuJWHylQGcyQz7ytJUqr7j4
        epX6Li/sQdXGaLxLM+rEKFMY7uB/
        -----END CERTIFICATE-----
      4. Note that you can also create your own keystore instead of using the out-of-the-box versions; see:
        • Create a service provider keystore for SAML
        • Install a service provider keystore for signing SAML requests
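As an added example (not part of this article and not ServiceNow tooling), the script below pulls the signing certificate out of generated SP metadata of the shape shown above, checks that it decodes to DER, wraps it as PEM with 64-character lines, and prints a SHA-256 fingerprint to compare against what the IdP shows after upload. The metadata sample and certificate body are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample in the shape of ServiceNow-generated SP metadata. The certificate
# body is a placeholder DER SEQUENCE (not a real certificate), line-wrapped as the real one is.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://example-instance.service-now.com">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data><ds:X509Certificate>
{SAMPLE_B64}
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
</SPSSODescriptor></EntityDescriptor>"""

def extract_certs(metadata_xml, use="signing"):
    """Return DER bytes of each X509Certificate under a KeyDescriptor with the given use."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") not in (None, use):
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            b64 = "".join((cert.text or "").split())  # drop the line wrapping
            der = base64.b64decode(b64, validate=True)
            if not der.startswith(b"\x30"):  # every X.509 certificate is a DER SEQUENCE
                raise ValueError("X509Certificate content is not DER")
            certs.append(der)
    return certs

def to_pem(der):
    """Wrap DER as PEM: 64-character base64 lines (RFC 7468) between CERTIFICATE markers."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form IdP consoles usually display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    for der in extract_certs(SAMPLE_METADATA):
        print(fingerprint(der))
        print(to_pem(der), end="")
```

Feed it the real metadata from "Generate Metadata" in place of the sample and the PEM it prints is what the article describes wrapping by hand.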
Washington Release Changes

  • A new system property, "glide.authenticate.sso.saml2.encryption.keystore", is introduced and coexists with "glide.authenticate.sso.saml2.keystore".
  • A new keystore, "SAML 2.0 Keystore_Key2048_SHA256_Encryption", is provided. Its Identity Provider "Encryption and Signing" values are the same as above:
    • Signing/Encryption Key Alias = saml2sp
    • Signing/Encryption Key Password = saml2sp
    • Signing Signature Algorithm = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  • "glide.authenticate.sso.saml2.keystore" is not replaced by "glide.authenticate.sso.saml2.encryption.keystore".
  • Pre-Washington, Signing and Encryption use the same certificate, specified in glide.authenticate.sso.saml2.keystore.
  • After the Washington upgrade, glide.authenticate.sso.saml2.keystore is designed to hold the sys_id of the Signing certificate, while glide.authenticate.sso.saml2.encryption.keystore is designed to hold the sys_id of the Encryption certificate.
  • By default, after the Washington upgrade glide.authenticate.sso.saml2.encryption.keystore contains the value of glide.authenticate.sso.saml2.keystore: if the customer has an existing Encryption and Signing configuration via glide.authenticate.sso.saml2.keystore, the upgrade copies that value into glide.authenticate.sso.saml2.encryption.keystore, so the existing feature keeps working consistently after the upgrade.
  • After the Washington upgrade, the customer can specify different certificates for Signing (glide.authenticate.sso.saml2.keystore) and Encryption (glide.authenticate.sso.saml2.encryption.keystore): follow the steps above to configure each system property and upload the certificates to the IdP.

Remember also to be sure that these system properties are set correctly:

  • Property name: glide.authenticate.sso.saml2.keystore
    • Pre Washington: Value = <the sys_id of the X.509 Certificate that is being used for Signing/Encryption, from the sys_certificate table>
    • Post Washington: Value = <the sys_id of the X.509 Certificate that is being used for Signing only, from the sys_certificate table>
  • Property name: glide.authenticate.sso.saml2.encryption.keystore (new in Washington)
    • Value = <the sys_id of the X.509 Certificate that is being used for Encryption only, from the sys_certificate table>
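The check below is an added example, not ServiceNow code: it applies the article's rules to constructed snapshots of the sys_certificate records, the two keystore system properties and the IdP record's signing algorithm, and reports the mismatches the steps above are meant to prevent (a referenced keystore that is missing or inactive, the deprecated SP keystore left active, the rsa-sha1 algorithm still selected). The snapshot field names and the SP keystore sys_id are assumptions/placeholders; the two 2048-bit sys_ids are the out-of-the-box values the article lists.

```python
# Added example, not ServiceNow code; the snapshot field names are assumptions.
DEPRECATED_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SIGNING_PROP = "glide.authenticate.sso.saml2.keystore"
ENCRYPTION_PROP = "glide.authenticate.sso.saml2.encryption.keystore"
DEPRECATED_KEYSTORE = "SAML 2.0 SP Keystore"

def check_saml_keystore_config(certificates, properties, idp, washington=True):
    """Return findings (empty = setup matches the article) from sys_certificate records
    (dicts with sys_id, name, active), a {name: value} sys_properties snapshot and the
    IdP record's 'signing_algorithm'; washington=True also checks the encryption property."""
    findings = []
    by_id = {c["sys_id"]: c for c in certificates}
    props = [SIGNING_PROP] + ([ENCRYPTION_PROP] if washington else [])
    for prop in props:
        sys_id = properties.get(prop)
        if not sys_id:
            findings.append(f"{prop} is not set")
            continue
        rec = by_id.get(sys_id)
        if rec is None:
            findings.append(f"{prop} = {sys_id} matches no sys_certificate record")
        elif not rec["active"]:
            findings.append(f"{prop} points at inactive keystore '{rec['name']}'")
    # The article sets the deprecated SP keystore inactive once a Key2048 keystore is in use.
    referenced = {properties.get(p) for p in props}
    for c in certificates:
        if c["name"] == DEPRECATED_KEYSTORE and c["active"] and c["sys_id"] not in referenced:
            findings.append(f"'{DEPRECATED_KEYSTORE}' is active but no keystore property references it")
    if idp.get("signing_algorithm") == DEPRECATED_ALG:
        findings.append("IdP record uses rsa-sha1; use rsa-sha256 with a Key2048_SHA256 keystore")
    return findings

# Constructed snapshots. The two Key2048 sys_ids are the out-of-the-box values from the
# article; the SP keystore sys_id is a placeholder.
SHA256_ID = "3685fc22930212003c5537ae867ffb91"
FIPS_ID = "c60ad24b732220103a5b0dd43cf6a7db"
GOOD_CERTS = [
    {"sys_id": "PLACEHOLDER_SP_KEYSTORE_SYS_ID", "name": DEPRECATED_KEYSTORE, "active": False},
    {"sys_id": SHA256_ID, "name": "SAML 2.0 Keystore_Key2048_SHA256", "active": True},
    {"sys_id": FIPS_ID, "name": "SAML 2.0 Keystore_Key2048_SHA256_FIPS", "active": False},
]
GOOD_PROPS = {SIGNING_PROP: SHA256_ID, ENCRYPTION_PROP: SHA256_ID}
GOOD_IDP = {"signing_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
# Drifted snapshot: SP keystore left active, property pointing at the inactive FIPS
# keystore, encryption property never set, IdP still on SHA-1.
BAD_CERTS = [dict(c, active=(c["name"] == DEPRECATED_KEYSTORE)) for c in GOOD_CERTS]
BAD_PROPS = {SIGNING_PROP: FIPS_ID}
BAD_IDP = {"signing_algorithm": DEPRECATED_ALG}
```

Pass washington=False for a pre-Washington instance, where only glide.authenticate.sso.saml2.keystore is expected.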
