How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I enable validation checks for SAML certificates in AM 5.x and 6.x?

Last updated Apr 13, 2021

The purpose of this article is to provide information on enabling validation checks for SAML certificates (signing and CA) in AM. When enabled, AM checks certificates against the Certificate Revocation List (CRL) for every signed assertion received.


2 readers recommend this article

Overview

You can choose to enable validation checks for signing certificates, CA certificates or both. When enabled, AM checks certificates against the CRL for every signed assertion received; any issues will cause federation to completely fail with errors such as:

ERROR: FMSigProvider.verify: Signing Certificate is validated as bad.

AM does not validate certificates when encrypting or signing an assertion.

Validating Certificates

You can enable validation checks for SAML certificates as follows:

  1. Enable certificate validation for signing certificates and/or CA certificates using either the console or ssoadm:
    • Console: navigate to: Configure > Global Services > SAMLv2 Service Configuration and enable XML Signing Certificate Validation and/or CA Certificate Validation.
    • ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s sunFAMSAML2Configuration -t global -u [adminID] -f [passwordfile] -a SigningCertValidation=true CACertValidation=truereplacing [adminID] and [passwordfile] with appropriate values. You can exclude one of the attributes if you do not want to set validation checks for both signing certificates and CA certificates.
  2. Set the following JVM property if your signing certificate has a CDP extension (CRL Distribution Point) to enable checking of certificates: -Dcom.sun.security.enableCRLDP=trueSee below for example of how to do this for the Apache Tomcat™ web container.
  3. Configure your LDAP server to store your CA certificates and CRLs.
  4. Enable caching of the certificate revocation list using either the console or ssoadm:
    • Console: navigate to: Configure > Server Defaults > Security > Certificate Revocation List Caching and enter details of your LDAP server (that is storing the CA certificates and CRLs).
    • ssoadm: enter the following command: $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -a [CRLProperties]replacing [adminID], [passwordfile] and [CRLProperties] with appropriate values, where [CRLProperties] consists of the attributes you want to set and corresponding values. The attributes you can specify are: com.sun.identity.crl.cache.directory.host= com.sun.identity.crl.cache.directory.port= com.sun.identity.crl.cache.directory.ssl= com.sun.identity.crl.cache.directory.user= com.sun.identity.crl.cache.directory.password= com.sun.identity.crl.cache.directory.searchlocs= com.sun.identity.crl.cache.directory.searchattr=

Example using Apache Tomcat™ web container

You can set this property by specifying CATALINA_OPTS settings in the setenv.sh file (typically located in the /tomcat/bin/ directory). If this file doesn't exist, you should create it in the same directory as the catalina.sh file (also typically located in the /tomcat/bin/directory).

To set this property:

  1. Add the following line to the setenv.sh file: export CATALINA_OPTS="-Dcom.sun.security.enableCRLDP=true"
  2. Restart the web container.

See Also

FAQ: SAML certificate management in AM 5.x and 6.x

Reference › SAML v2.0 Service Configuration

Reference › Deployment Configuration

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.