Overview
This article explains how to securely store and use a custom signing key and certificate for SAML.
Applies To
- SAML
- Signing key
- Certificates
Solution
With Actions, the signing key and certificate can be stored as action secrets. The action then reads them at runtime and applies them with api.samlResponse.setEncryptionKey (for the key) and api.samlResponse.setSigningCert (for the certificate).
1. Prepare certificates
Secret values must be single-line strings, so the key and certificate (which contain line breaks) first have to be URL-encoded. Here is an example that uses the encodeURIComponent() function in JavaScript to encode the signing key and certificate:
const cert = `-----BEGIN CERTIFICATE-----
MIICvDCCAaQCCQD6E8ZGsQ2usjANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDDBVt
eXNlcnZpY2UuZXhhbXBsZS5jb20wHhcNMjIwMjE3MTQwNjM5WhcNMjMwMjE3MTQw
NjM5WjAgMR4wHAYDVQQDDBVteXNlcnZpY2UuZXhhbXBsZS5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7XKdCRxUZXjdqVqwwwOJqc1Ch0nOSmk+U
erkUqlviWHdeLR+FolHKjqLzCBloAz4xVc0DFfR76gWcWAHJloqZ7GBS7NpDhzV8
G+cXQ+bTU0Qz7uBrinZEmmFIgIw8MmE3SnpHmzj6NgMfvi0XhMBoz+nwriMmDoAG
...
-----END CERTIFICATE-----`;
const signingKey = `-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7XKdCRxUZXjdq
VqwwwOJqc1Ch0nOSmk+UerkUqlviWHdeLR+FolHKjqLzCBloAz4xVc0DFfR76gWc
WAHJloqZ7GBS7NpDhzV8G+cXQ+bTU0Qz7uBrinZEmmFIgIw8MmE3SnpHmzj6NgMf
vi0XhMBoz+nwriMmDoAGgD3qyvkhkZf7SBtVuVM6ixb4SXlwuNDyms6cYM60yNq1
...
-----END PRIVATE KEY-----`;
// URL-encode both PEM blocks so each fits in a single-line secret value
const encodedCert = encodeURIComponent(cert);
const encodedSigningKey = encodeURIComponent(signingKey);
console.log('Encoded cert:', encodedCert);
console.log('Encoded signing key:', encodedSigningKey);
2. Create a post-login action
- Navigate to Actions > Library.
- Click Build Custom.
- Name the action (e.g., “Custom SAML Certificates”) and select Login / Post Login as the trigger.
- Replace the default code with the following, setting <SAML app client ID> to the client ID of the SAML application:
exports.onExecutePostLogin = async (event, api) => {
  // Only apply the custom key and certificate to the SAML application
  const samlIdpClientId = '<SAML app client ID>';
  if (event.client.client_id !== samlIdpClientId) {
    return;
  }
  // The secrets were stored URL-encoded on a single line; decode them back to PEM
  const signingKey = decodeURIComponent(event.secrets.signing_key);
  const cert = decodeURIComponent(event.secrets.cert);
  api.samlResponse.setEncryptionKey(signingKey);
  api.samlResponse.setSigningCert(cert);
};
3. Add secrets to the action
- In the action editor, go to the Secrets tab.
- Add two secrets:
  - Name: signing_key, Value: <encoded signing key>
  - Name: cert, Value: <encoded cert>
4. Deploy and enable the action
- Click Deploy to save the action.
- Go to Actions > Flows and select the Login flow.
- Add the new action to the flow and ensure it’s in the correct order.