Explanation of apigee-sso SAML service provider certificate

paulmooney
Participant II

Hello,

I am looking for understanding of the apigee-sso SSO_SAML_SERVICE_PROVIDER_CERTIFICATE which is created and configured during apigee-sso install.

What is this certificate's purpose? Out of the box apigee-sso is not TLS enabled. Is this certificate a placeholder for if we decide to enable apigee-sso for HTTPS access?

Any context that can be given to the purpose of this certificate when apigee-sso is not configured for HTTPS access is appreciated.

Thanks!


In SAML, the assertions (tokens?) generated and sent by service provider and identity provider can be, and should be, signed.

I believe the cert is used by the Apigee SSO acting as "SAML Service Provider" to allow the receiver (IdP) to verify signatures that the SP has generated for its assertions and tokens. This purpose is independent of TLS.

I think the documentation needs to be updated to clarify this.

From your reply, my understanding then is:

SSO_SAML_SERVICE_PROVIDER_CERTIFICATE is used by apigee-sso to create the SAML assertion and tokens.

Then the assertions and tokens are signed or verified by the keys described at

SSO_JWT_SIGNINIG_KEY_FILEPATH
SSO_JWT_VERIFICATION_KEY_FILEPATH

Hi, do the SAML service provider key and cert support CA-signed certs in Apigee?

inankanbur
Participant I

Hi,

As far as I understand, SSO_SAML_SERVICE_PROVIDER_KEY and SSO_SAML_SERVICE_PROVIDER_CERTIFICATE are used when the IdP is talking SAML. In that case, the metadata is available at http(s)://ssohost:ssoport/saml/metadata. The IdP can download the provider certificate from there to verify authentication requests signed with the provider key.

If the IdP is talking JWT, then SSO_JWT_SIGNINIG_KEY_FILEPATH and SSO_JWT_VERIFICATION_KEY_FILEPATH are the ones in use. The metadata (JWK) is available at http(s)://ssohost:ssoport/token_key for the IdP to download the verification key in order to verify JWT assertions signed with the signing key.
Key and cert references can later on be changed using the $APIGEE_HOME/customer/application/sso.properties. The tokens (properties) to be edited to change SAML signing key and cert are conf_login_service_provider_key & conf_login_service_provider_certificate, whereas JWT ones are conf_uaa_signing-key & conf_uaa_verification-key.

Likewise, to update the SSO server's TLS setup, one can edit the following tokens in the sso.properties file:

  • conf_server_tomcat_ssl_enabled
  • conf_server_tomcat_secure
  • conf_server_tomcat_scheme
  • conf_server_tomcat_keystore_file
  • conf_server_tomcat_keyalias
  • conf_server_tomcat_keystore_password
  • conf_server_tomcat_listen_port
  • conf_sso2_url
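The two replies above describe what the IdP fetches from apigee-sso: the SP signing certificate from /saml/metadata and the JWT verification key from /token_key. The script below is an added example (not from this thread or from Apigee) that checks the certificate advertised in the SAML metadata against the PEM file configured as SSO_SAML_SERVICE_PROVIDER_CERTIFICATE and summarises the JWK(s) from /token_key; the metadata, PEM and JWK here are constructed stand-ins, and in practice you would feed it the bodies fetched from the two URLs.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and whitespace; return the raw certificate bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def metadata_signing_certs(xml_text: str) -> list:
    """DER bytes of every certificate the SP advertises for signing.
    A KeyDescriptor without a 'use' attribute covers signing and encryption."""
    certs = []
    for kd in ET.fromstring(xml_text).iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    return certs


def check_sp_cert(xml_text: str, pem: str) -> dict:
    """Does the SP say it signs AuthnRequests, and is our configured cert the one published?"""
    sp = ET.fromstring(xml_text).find(f"{{{MD}}}SPSSODescriptor")
    signed = sp is not None and sp.get("AuthnRequestsSigned") == "true"
    return {"authn_requests_signed": signed,
            "cert_matches": pem_to_der(pem) in metadata_signing_certs(xml_text)}


def jwt_verification_keys(token_key_json: str) -> list:
    """Summarise /token_key, whether it returns one bare JWK or a {"keys": [...]} set."""
    doc = json.loads(token_key_json)
    return [{"kid": k.get("kid"), "kty": k.get("kty"), "use": k.get("use")}
            for k in doc.get("keys", [doc])]


# Constructed stand-ins: not a real X.509 certificate and not real apigee-sso output.
FAKE_DER = b"constructed-placeholder-cert-bytes"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
FAKE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="constructed-sp">'
    '<md:SPSSODescriptor AuthnRequestsSigned="true"><md:KeyDescriptor use="signing">'
    f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')
SAMPLE_TOKEN_KEY = '{"kty":"RSA","use":"sig","kid":"constructed-key","alg":"RS256","e":"AQAB","n":"AQAB"}'

if __name__ == "__main__":
    print(check_sp_cert(SAMPLE_METADATA, FAKE_PEM))
    print(jwt_verification_keys(SAMPLE_TOKEN_KEY))
```

A mismatch between the published certificate and the configured file is the first thing to check when an IdP rejects signed requests after a key or cert rotation in sso.properties.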