How can we store certificates on the Rules' configuration settings as a key-value pair?

Question: How can we store certificates on the Rules’ configuration settings as a key-value pair?

We have SAML applications for which we want to use custom signing cert/keys. As explained in the docs we have configured a rule that works as expected. But the keys are displayed to everyone who can log in to the dashboard. We have tried moving the certs to Rules’ configuration object but we are getting the following error for the same keys:

invalid_request: error:0909006C:PEM routines:get_name:no start line

Answer:

This issue is caused by the keys having new lines. As a workaround, you may URL encode the certs while saving them in the configuration. Then in the rule, you may decode before using them. Having the keys encoded in the config object as a URL-safe string should avoid the issues.

For encoding, you may use encodeURIComponent. You may then decode the certs with decodeURIComponent. With Node.js these functions are supported natively.

Here is the modified rule, assuming both public and private certs are stored in the configuration object with the same name.

function (user, context, callback) {
  // replace with the ID of the application that has the SAML Web App Addon enabled
  // for which you want to change the signing key pair.
  var samlIdpClientId = 'YOUR_SAML_APP_CLIENT_ID';

  // only for a specific client
  if (context.clientID !== samlIdpClientId) {
    return callback(null, user, context);
  }

  // provide your own private key and certificate here  
  context.samlConfiguration.cert = decodeURIComponent(configuration.public);
  context.samlConfiguration.key = decodeURIComponent(configuration.private);
      
  callback(null, user, context);
}

2 Likes