...

For example, in Base64 encoding, the character '+' is used, while in Base64url encoding, it's replaced with '-'. Similarly, '/' in Base64 is replaced with '_'. Be sure to use Base64url encoding when working with JWS components.

Implementation Steps

Create a Signing Key

To begin, you'll need to create a signing key and certificate that will be used when signing the JWS. It's highly recommended to generate a self-signed certificate for this purpose. Self-signed certificates offer the advantage of flexibility in setting their expiration period, which can be chosen for a more extended duration, often measured in years.

The certificate must be published in the entity's SAML metadata (as explained in the section Create SAML Metadata). When you publish the entity's SAML metadata in the federation metadata, the federation signs the metadata aggregate, attesting to the authenticity of the organizations that publish their metadata and, by extension, to the JWS signing certificate.

When the JWS signature is validated, the self-signed certificate's only function is to provide the public key. Other attributes of the certificate, such as the Common Name (CN) and Subject Alternative Names (SANs), are neither used nor validated during JWS signature verification. This is why a certificate from a Certificate Authority (CA), with its CN and SAN validation, is unnecessary for this use case: a self-signed certificate supplies the required public key without the additional, CA-validated attributes. Moreover, the flexibility to set a longer expiration time for a self-signed certificate reduces the administrative burden of frequent certificate renewals while keeping the JWS signature secure.

Here are the commands to create the signing key and certificate using OpenSSL:

Generate the EC private key:

```bash
openssl ecparam -genkey -name prime256v1 -noout -out ec-key.pem
```

Create a self-signed certificate with a long validity period:

```bash
openssl req -new -x509 -key ec-key.pem -out cert.pem -outform pem -days 36500 -subj '/CN=grie-signing-cert'
```

Create the JSON Web Signature (JWS)

Create the JSON Web Signature (JWS) following the specified format and content, using the general JWS JSON Serialization syntax. Make sure to include the necessary claims, such as iss, exp, iat, version, cache_ttl, and entities, as outlined in the specification.

...

Publish the JWS at the URL specified in the GroupRepresentative element within the SAML metadata. Make sure this URL is accessible to entities within the federation.
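As an added example (not code from the original page or from the GRIE project), the Python below assembles a JWS in the general JSON Serialization form described above, signed with the EC key from the OpenSSL step; it also covers the Base64url point made earlier and the conversion from OpenSSL's DER ECDSA signature to the raw R||S form that ES256 requires. The claim value types, the `version` value and the shape of `entities` (a list of entityIDs) are assumptions; the specification defines the real ones.

```python
import base64
import json
import subprocess
import time
from typing import Callable, Optional

def b64url(data: bytes) -> str:
    """Base64url without '=' padding: '+' becomes '-' and '/' becomes '_'."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def der_ecdsa_to_raw(der: bytes, coord_len: int = 32) -> bytes:
    """Convert the DER ECDSA signature that `openssl dgst -sign` emits into the
    fixed-length R||S form JWS ES256 requires (RFC 7518, section 3.4)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected a short-form DER SEQUENCE")
    idx, ints = 2, []
    for _ in range(2):
        if der[idx] != 0x02:
            raise ValueError("expected a DER INTEGER")
        length = der[idx + 1]
        # int() absorbs the 0x00 pad byte DER adds when the high bit is set
        ints.append(int.from_bytes(der[idx + 2:idx + 2 + length], "big"))
        idx += 2 + length
    return b"".join(v.to_bytes(coord_len, "big") for v in ints)

def openssl_signer(key_path: str) -> Callable[[bytes], bytes]:
    """Signer backed by the EC key from the openssl step (ES256 = ECDSA P-256 with SHA-256)."""
    def sign(data: bytes) -> bytes:
        return subprocess.run(["openssl", "dgst", "-sha256", "-sign", key_path],
                              input=data, check=True, capture_output=True).stdout
    return sign

def build_payload(iss: str, entities: list, now: Optional[int] = None,
                  lifetime: int = 7 * 86400, cache_ttl: int = 3600) -> dict:
    """Claims named on the page; the value types and defaults chosen here are assumptions."""
    now = int(time.time()) if now is None else now
    return {"iss": iss, "iat": now, "exp": now + lifetime, "version": 1,
            "cache_ttl": cache_ttl, "entities": entities}

def build_jws_general(payload: dict, sign_der: Callable[[bytes], bytes]) -> dict:
    """General JWS JSON Serialization (RFC 7515, section 7.2.1) with one ES256 signature."""
    protected = b64url(json.dumps({"alg": "ES256"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{protected}.{body}".encode("ascii")  # RFC 7515, section 5.1
    raw_sig = der_ecdsa_to_raw(sign_der(signing_input))
    return {"payload": body,
            "signatures": [{"protected": protected, "signature": b64url(raw_sig)}]}
```

With the key from the first step, `json.dumps(build_jws_general(build_payload("https://www.example.com", ["http://idp1.example.com"]), openssl_signer("ec-key.pem")))` yields the document to publish at the `location` URL.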


Create SAML Metadata

Ensure that the SAML metadata includes the GroupRepresentative element within the `<Extensions>` section of the SAML entity's `<IDPSSODescriptor>`. This element must contain a URL pointing to a JWS conforming to the specification, and it must also include the certificate used for the JWS signature validation.

Example GroupRepresentative element in SAML metadata:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- The md prefix must be declared, since KeyDescriptor below is written with it -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://idp1.example.com">
  <IDPSSODescriptor>
    <Extensions>
      <grie:GroupRepresentative xmlns:grie="http://saml-schema.swefed.se/schema/grie"
                                location="https://www.example.com/mdie.jws">
        <!-- Only the public key in this certificate is used to verify the JWS -->
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>(Your certificate content here)</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </grie:GroupRepresentative>
    </Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>
```
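The consumer-side counterpart, added here as example code rather than anything from the page or the federation's own tooling: it extracts the JWS location and the signing certificate from metadata shaped like the example above, using only the standard library. The sample metadata and its placeholder certificate value are constructed, and `to_pem` is a helper introduced for illustration.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {  # namespaces used by the GroupRepresentative extension in the page's example
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "grie": "http://saml-schema.swefed.se/schema/grie",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample mirroring the page's metadata; the certificate value is a placeholder.
SAMPLE_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://idp1.example.com">
  <IDPSSODescriptor>
    <Extensions>
      <grie:GroupRepresentative xmlns:grie="http://saml-schema.swefed.se/schema/grie"
                                location="https://www.example.com/mdie.jws">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data><ds:X509Certificate>
              MIIBplaceholderCERTIFICATEbase64
            </ds:X509Certificate></ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
      </grie:GroupRepresentative>
    </Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def group_representative(metadata_xml: str) -> dict:
    """Return the JWS location and the base64 DER signing certificate(s) published in
    the GroupRepresentative extension; raise if the metadata lacks either."""
    root = ET.fromstring(metadata_xml.strip())
    gr = root.find("md:IDPSSODescriptor/md:Extensions/grie:GroupRepresentative", NS)
    if gr is None or not gr.get("location"):
        raise ValueError("no GroupRepresentative element with a location attribute")
    # Only KeyDescriptors marked for signing are used to verify the JWS; XML whitespace
    # around the base64 is dropped so the value can be decoded directly.
    certs = ["".join(c.text.split()) for c in gr.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("GroupRepresentative publishes no signing certificate")
    return {"location": gr.get("location"), "certs": certs}

def to_pem(cert_b64: str) -> str:
    """Wrap the base64 DER from metadata as PEM so standard X.509 tooling can load it."""
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(cert_b64, 64))
            + "\n-----END CERTIFICATE-----\n")
```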

Validate and Interpret Metadata

...