Reputation: 1
Could you please let me know how I can change the Resident metadata value to have a different certificate other than wso2, where I have signed the metadata using a specific cert? It seems IS is signing the SAMLRequest using its own cert, so I get an invalid signature when sending a SAML Request to the Identity Provider.
I changed the certificate alias in the service provider configuration from the IS console to the appropriate certificate, but it doesn't seem to override the signing, and it is still using the standard wso2 certificate.
Is there somewhere in the IS configuration where I can change the wso2carbon cert to one of my own so it will apply to the resident identity provider?
Upvotes: 0
Views: 262
Reputation: 120
Currently, the primary keystore configured by the / element in the /repository/conf/carbon.xml file is used for internal data encryption (encrypting data in internal data stores and configuration files) as well as for signing messages that are communicated with external parties. However, it is sometimes a common requirement to have separate keystores for communicating messages with external parties (such as SAML and OIDC id_token signing) and for encrypting information in internal data stores. This is because, for the first scenario of signing messages, the keystore certificates need to be frequently renewed. However, for encrypting information in internal data stores, the keystore certificates should not be changed frequently, because the data that is already encrypted will become unusable every time the certificate changes.
This feature will be available from IS 5.5.0 WUM and above. You can follow steps in [1] to configure multiple keystores.
```xml
<InternalKeyStore>
    <Location>${carbon.home}/repository/resources/security/internal.jks</Location>
    <Type>JKS</Type>
    <Password>wso2carbon</Password>
    <KeyAlias>wso2carbon</KeyAlias>
    <KeyPassword>wso2carbon</KeyPassword>
</InternalKeyStore>
```
Upvotes: 2
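A small sanity check for the keystore split the answer describes, added here as an example and not taken from the thread or from WSO2's own code. It assumes the primary keystore sits under `<Security><KeyStore>` and the internal one under `<Security><InternalKeyStore>` in carbon.xml (mirroring the snippet above), parses a constructed carbon.xml fragment, and reports the configuration mistakes that defeat the purpose of having two keystores: both elements pointing at the same file (so rotating the signing cert still invalidates encrypted data), a missing `<InternalKeyStore>`, or passwords left at the shipped default.

```python
"""Check that a WSO2 carbon.xml really separates the signing keystore from
the internal encryption keystore (added example; element layout is assumed)."""
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "wso2carbon"  # default shipped in the stock carbon.xml

# Constructed carbon.xml fragment: the primary keystore has been switched to
# a custom SAML/OIDC signing cert, while data encryption stays on internal.jks.
SAMPLE_CARBON_XML = """<Server>
  <Security>
    <KeyStore>
      <Location>${carbon.home}/repository/resources/security/saml-signing.jks</Location>
      <Type>JKS</Type>
      <Password>example-external-pass</Password>
      <KeyAlias>samlsigner</KeyAlias>
      <KeyPassword>example-external-pass</KeyPassword>
    </KeyStore>
    <InternalKeyStore>
      <Location>${carbon.home}/repository/resources/security/internal.jks</Location>
      <Type>JKS</Type>
      <Password>wso2carbon</Password>
      <KeyAlias>wso2carbon</KeyAlias>
      <KeyPassword>wso2carbon</KeyPassword>
    </InternalKeyStore>
  </Security>
</Server>
"""


def read_keystore(security, tag):
    """Return the child elements of <tag> under <Security> as a dict, or None."""
    node = security.find(tag)
    if node is None:
        return None
    return {child.tag: (child.text or "").strip() for child in node}


def check_keystores(carbon_xml):
    """Return a list of findings; an empty list means the split looks sane."""
    root = ET.fromstring(carbon_xml)
    security = root.find("Security")
    if security is None:
        return ["no <Security> element found"]

    findings = []
    primary = read_keystore(security, "KeyStore")
    internal = read_keystore(security, "InternalKeyStore")

    if primary is None:
        findings.append("no <KeyStore> element: nothing configured for signing")
    if internal is None:
        findings.append("no <InternalKeyStore>: signing and data encryption share one keystore")

    # Same file for both means renewing the signing cert still breaks
    # already-encrypted data, which is exactly what the split is meant to avoid.
    if primary and internal and primary.get("Location") == internal.get("Location"):
        findings.append("KeyStore and InternalKeyStore point at the same file")

    for name, ks in (("KeyStore", primary), ("InternalKeyStore", internal)):
        if not ks:
            continue
        for field in ("Password", "KeyPassword"):
            if ks.get(field) == DEFAULT_PASSWORD:
                findings.append(f"{name}/{field} still uses the shipped default")
    return findings


if __name__ == "__main__":
    for finding in check_keystores(SAMPLE_CARBON_XML) or ["keystore split looks sane"]:
        print(finding)
```

Run it against the real `repository/conf/carbon.xml` by reading the file into `check_keystores`; the constructed sample above deliberately keeps `wso2carbon` on the internal keystore so the default-password findings show up.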