Why Keystore is needed when using SSO (SAMLv2)


I use Okta as my IDP and I have 2 use cases:

  1. IDP-initiated SSO
  2. when a user wants to log in using his Okta credentials to my system, I redirect him to Okta, and Okta sends the response to a callback in my app.

I was wondering why I need the keystore. How is it used? Will the messages to the IdP from the SP (my app) be encrypted using this keystore key pair? And if so, doesn't that mean that I need to somehow share my keys with Okta? I couldn't find any explanation on this.

Appreciate any help on this! Thanks!

Joël Franusic (best answer)

SAML Responses sent from a SAML Identity Provider ("IdP") like Okta will be signed using Okta's private key; these messages will be validated by a SAML Service Provider ("SP") like your application using the corresponding public key.

In your case, the keystore should only be used for Okta's public key (or public keys, if you federate with more than one Okta org). You will not need to share any keys with Okta, but you will need to get the public key from Okta somehow. The best way to get the public key from Okta would be via an IdP metadata URL; the next best way would be to have the Okta administrator paste Okta's X.509 encoded public key into your app somehow.
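As an added illustration of the answer above (example code, not from the poster or from Okta): the SP loads the IdP's signing certificate from the metadata document into its own keystore, and when a Response arrives it checks that the certificate named in the Response's KeyInfo is the pinned one for that Issuer rather than trusting whatever certificate the message carries. The metadata, entityID, certificate text and Response are constructed placeholders; the actual XML-DSig check (canonicalisation, digest and RSA verification) is left to a SAML library.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed IdP metadata (not a real Okta document); the certificate text is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exampleIdP">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIC...PLACEHOLDER-SIGNING-CERT...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response whose KeyInfo carries the pinned certificate; the SignatureValue is fake.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>http://www.okta.com/exampleIdP</saml:Issuer>
  <ds:Signature><ds:SignatureValue>FAKE</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIC...PLACEHOLDER-SIGNING-CERT...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""


def load_keystore(metadata_xml: str) -> dict:
    """Map the IdP entityID to its trusted signing certificates (base64 text, whitespace stripped)."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.add("".join((c.text or "").split()))
    return {root.get("entityID"): certs}


def signing_cert_is_trusted(response_xml: str, keystore: dict) -> bool:
    """True only if the Issuer is a known IdP and the cert in KeyInfo is the one pinned for it."""
    root = ET.fromstring(response_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    cert = root.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                         default="", namespaces=NS)
    return "".join(cert.split()) in keystore.get(issuer, set())
```

Only the SP's own keystore decides which certificate is acceptable; a Response from an unknown Issuer, or one carrying a certificate that is not pinned for its Issuer, is rejected before any signature maths is attempted.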