In order to set up Airlock IAM as SAML 2.0 Service Provider (SP), you need the following:
- SAML metadata file of the IdP ("idp.xml")
- Public URLs of the IAM acting as SP (domain and deployment path etc.)
- A JKS or PKCS12 key store containing a private key and certificate (self-signed and long-lived is acceptable) to digitally sign SAML assertions; for productive systems, two key pairs are preferable, one for signing and one for encryption
- The password for the key store
- The password for the private key (if it is password protected within the key store; for simplicity it is recommended to use the same password as above)
- The alias (also called "friendly name") of the certificate in the key store.
How to create a key store and export its public key is described here: Creating a key store for SAML
To keep the various SAML files apart from the other Airlock IAM configuration files, it is advisable to create a separate SAML directory.
For this tutorial, we assume a directory named saml in the Airlock IAM instance being configured (e.g. instances/auth/saml). This will be called the "SAML directory" from now on.