
How do I use two different signing keys to sign SAML responses in OpenAM 11.x and 12.x?

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you want to use two different signing keys to sign SAML responses in OpenAM 11.x and 12.x, where the signing key used is selected by the entity ID of the relying party. The relying party can be either the IdP or the SP.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Using two different signing keys

Note

OpenAM 13.0 supports multiple signing keys. In pre-13.0 versions of OpenAM, you can work around this limitation by creating a second IdP or SP that is identical to the first apart from its signing key and entity ID.

This example process sets up two different signing keys on the IdP side, with the SP as the relying party (but you can do it the other way round if applicable):

  1. Create a second IdP that is identical to the existing IdP, apart from having a different signing key and entity ID. This new IdP should be created in the same realm as the existing one.
  2. Add this second IdP to the same circle of trust as the existing IdP.
  3. Make the SP aware of the new IdP's metadata. If OpenAM is also your SP, you can export the metadata from the new IdP and import it into the SP using the commands detailed in How do I export and import SAML2 metadata in AM (All versions)?
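A check worth running before step 3: once the metadata of both hosted IdPs has been exported (for example with ssoadm export-entity), confirm that the two documents really carry different entity IDs and different signing certificates, so the SP ends up trusting two distinct keys rather than one key under two names. The script below is an added example, not part of this article or of OpenAM; the two metadata documents it parses are constructed minimal samples, and their certificate values are stand-in bytes rather than real X.509 certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_keys(metadata_xml: str) -> Tuple[str, List[str]]:
    """Return (entityID, SHA-256 fingerprints of the IdP's signing certificates)."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.attrib["entityID"]
    fingerprints = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute may be used for signing as well.
        if kd.attrib.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return entity_id, fingerprints


def distinct_signing_setup(idp_a_xml: str, idp_b_xml: str) -> bool:
    """True only if both IdPs carry a signing cert, differ in entityID, and share no cert."""
    id_a, fps_a = signing_keys(idp_a_xml)
    id_b, fps_b = signing_keys(idp_b_xml)
    return id_a != id_b and bool(fps_a) and bool(fps_b) and not set(fps_a) & set(fps_b)


def idp_metadata(entity_id: str, cert_b64: str) -> str:
    """Constructed minimal IdP metadata; a real export carries many more elements."""
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{entity_id}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


# Constructed samples: the "certificates" are stand-in bytes, not real X.509 data.
IDP1 = idp_metadata("https://idp.example.com:443/openam", base64.b64encode(b"constructed-cert-1").decode())
IDP2 = idp_metadata("https://idp2.example.com:443/openam", base64.b64encode(b"constructed-cert-2").decode())

if __name__ == "__main__":
    print("second IdP uses a distinct entity ID and signing key:", distinct_signing_setup(IDP1, IDP2))
```

Run it against the two exported metadata files instead of the constructed samples; a False result means the second IdP was cloned without changing either the entity ID or the signing certificate alias.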

See Also

How do I renew expired certificates for a hosted IdP or SP in AM 5.x or 6.x?

How do I renew expired certificates for a remote IdP or SP in AM (All versions)?

How do I change the metaAlias for an existing IdP or SP in AM (All versions)?

FAQ: SAML certificate management in AM 5.x and 6.x

OpenAM Administration Guide › Managing SAML v2.0 Federation

OpenAM Reference › OpenAM Command Line Tools › ssoadm

Related Training

N/A

Related Issue Tracker IDs

OPENAM-3493 (RFE: SAML - supporting multiple keys (key rollover))


Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.