Why does Spring SAML SP need a keystore and related key configuration?

Question

I have a spring boot application and planning to use Okta, referring to the below 2 samples, what is the purpose of configuring keystore for service provider?

https://github.com/spring-projects/spring-security-saml-dsl/blob/master/samples/spring-security-saml-dsl-sample/src/main/java/com/example/SecurityConfiguration.java

https://github.com/oktadeveloper/okta-spring-boot-saml-example/blob/master/src/main/java/com/example/demo/SecurityConfiguration.java

score 0 · Answer 1 · answered Oct 30 '18 at 14:37

As you can see in SAML 2.0 specs [http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf],

All SAML protocol request and response messages MAY be signed using XML Signature

That means your Service Provider could have the need to sign his requests.

Why does Spring SAML SP need a keystore and related key configuration?

1 Answers1