Prerequisites to set up IAM as SAML SP

To set up IAM as a SAML service provider, the following preparations are required.

Create a SAML directory

The SAML configuration is partly stored in the IAM configuration, but it also refers to standardized XML files called SAML metadata files, which contain many of the details describing the SAML IDP and SPs. In addition, the SAML configuration involves key stores and key store password files.

To separate the SAML files from the other Airlock IAM configuration files, it is advisable to create a separate SAML directory within the IAM instance directory.

In this tutorial, we assume a directory /saml/ in the Airlock IAM instance being configured.

Example: instances/auth/saml/

We call the directory the SAML directory.

Identity provider metadata

From each SAML identity provider, the corresponding metadata file plus some additional information is required. The metadata file contains all relevant endpoints (URLs), public keys, and other information about the service provider. This is covered in Adding SAML IDP to the SP configuration for the Loginapp REST API.
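To make concrete what the SP configuration pulls out of an IDP metadata file, here is an added example (not part of the Airlock IAM documentation) that parses such a file with the Python standard library and runs the sanity checks a practitioner would want before wiring the IDP in: the entity ID, the SingleSignOnService endpoints per binding, the signing and encryption certificates from the KeyDescriptor elements, and the validUntil date. The sample metadata embedded below is constructed for this example; its entity ID, URLs and certificate bytes are placeholders, not values from any real IDP.

```python
"""Added example (not part of the Airlock IAM documentation): read a SAML
identity provider metadata file and extract the values the SP side needs,
with a few sanity checks. Standard library only."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IDP metadata. The X509Certificate content is a
# placeholder (5 arbitrary bytes), not a real certificate.
SAMPLE_IDP_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>AAECAwQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _parse_time(value):
    """validUntil is xsd:dateTime; accept the common 'Z' suffix."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_idp_metadata(xml_bytes: bytes) -> dict:
    """Return entity ID, SSO endpoints per binding and DER certificates.

    ElementTree's expat parser does not resolve external entities, so a
    metadata file obtained from a third party cannot pull in local files.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IDP")

    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}

    certs = {"signing": [], "encryption": []}
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        # Per the metadata spec, a KeyDescriptor without 'use' serves both purposes.
        targets = [use] if use in certs else list(certs)
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()), validate=True)
            for t in targets:
                certs[t].append(der)

    return {
        "entity_id": root.get("entityID"),
        "valid_until": _parse_time(root.get("validUntil") or idp.get("validUntil")),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso": sso,
        "signing_certs": certs["signing"],
        "encryption_certs": certs["encryption"],
    }


def check_idp_metadata(info: dict, now=None) -> list:
    """Return a list of problems; an empty list means the metadata is usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if info["valid_until"] is not None and info["valid_until"] <= now:
        problems.append("metadata has expired (validUntil is in the past)")
    if not info["signing_certs"]:
        problems.append("no signing certificate: the SP cannot verify IDP signatures")
    if REDIRECT not in info["sso"] and POST not in info["sso"]:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, url in info["sso"].items():
        if not (url or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {url}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(info["entity_id"], info["sso"], check_idp_metadata(info))
```

The checks stay deliberately narrow: they confirm that the file is IDP metadata at all, that it is still valid, that a signing certificate exists for verifying assertions, and that every SSO endpoint is served over TLS. Certificate expiry and key strength are worth checking as well, but that needs an X.509 parser outside the standard library.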

Prepare a key store

The service provider requires one or more key pairs in order to sign and encrypt SAML messages.

The following information is required:

  • Key store: A JKS or PKCS12 key store with one or more key pairs. It is recommended to use separate key pairs for signing and encryption. The public keys are made available to the identity provider in the form of X.509 certificates. The certificates may be self-signed.
  • Key store password: The password for the key store.
  • Private key passwords: The passwords for the private keys. These may be the same as the key store password.
  • Aliases: The aliases (also called friendly names) of the certificates within the key store. An alias uniquely identifies a key pair within the set of keys contained in the key store.

How to create a key store and export its public key is described here: Creating a key store for SAML