Set Up SSL Keys for SAML 2.0
Last modified: 09 October 2024To use Hub as the Identity Provider with SAML, you must encrypt the connection between Hub and a Service Provider. You need to generate an SSL key and a certificate, pack them in a PKCS #12 format file, and upload it to Hub.
There are several tools that let you create SSL keys and certificates in PKCS #12 format. We describe how to create an SSL keystore with the OpenSSL toolkit.
To create an SSL keystore with OpenSSL:
Generate a new 2048 bit RSA key with password protection:
openssl genrsa -des3 -out Hub_SAML.key 2048
Generate a certificate request for the generated key:
openssl req -new -key Hub_SAML.key -out Hub_SAML.csr
Generate a certificate:
openssl x509 -req -days 365 -in Hub_SAML.csr -signkey Hub_SAML.key -out Hub_SAML.crt
Package the key and the certificate in a PKCS #12 file:
openssl pkcs12 -export -out Hub_SAML.p12 -inkey Hub_SAML.key -in Hub_SAML.crt -certfile Hub_SAML.crt
You have a PKCS #12 keystore (
Hub_SAML.p12
in the example) that is ready for upload to Hub.
note
Please keep the generated SSL key and the certificate. Some service providers require their actual content for SAML configuration.
To import the PKCS #12 keystore to Hub:
tip
Requires permissions: Low-level Admin Write
In the Server Settings section of the Administration menu, select SSL Keys.
Click the Import keystore button.
Select the created
.p12
key file, provide the password, and upload the keystore to Hub.In the Access Management section of the Administration menu, select SAML 2.0.
Select the key in the SSL Key drop-down list on the Settings tab.
Hub encrypts the connection with SAML Service Providers using the selected SSL key. Hub also extracts and displays the SHA-256, SHA-1, and MD-5 Fingerprints of the certificate that is packed into the selected keystore.
A service provider may require any of these fingerprints to enable and configure SAML2.0 on its side.
Thanks for your feedback!