In order to set up Airlock IAM as SAML 2.0 Service Provider (SP), you need the following:

  • SAML meta data file of the IDP ("idp.xml")
  • Public URLs of the IAM acting as SP (domain and deployment path etc.)
  • A JKS or PKCS12 key store with one (or better two for productive systems; one for signing, one for encryption) private key and certificate (can be self-signed and valid for a long time) to digitally sign SAML assertions
  • The password for the key store
  • The password for the private key (if it is password protected within the key store; for simplicity it is recommended to use the same password as above)
  • The alias (also called "friendly name") of the certificate in the key store.

How to create a key store and export its public key is described here: Creating a key store for SAML

To separate the various SAML files from the other Airlock IAM configuration file, it is advisable to create a separate SAML directory.

For this tutorial, we assume a directory named saml in the Airlock IAM instance being configured (e.g. instances/auth/saml). This will be called "SAML directory" from now on.