Closed: ianlintner closed this issue 3 years ago.
You can use the following keys defined in `com.onelogin.saml2.settings.SettingsBuilder`:

- `KEYSTORE_KEY` (must point to a key store), `KEYSTORE_ALIAS` (String specifying the key/certificate pair alias), `KEYSTORE_KEY_PASSWORD` (password to use to unlock the key inside the key store, usually the same used to unlock the key store itself)
- `SP_X509CERT_PROPERTY_KEY` property key may point to either a String (PEM format) or an `X509Certificate` instance, and `SP_PRIVATEKEY_PROPERTY_KEY` key may point to either a String (PEM format) or a `PrivateKey` instance
- `IDP_X509CERT_PROPERTY_KEY` and a series of `IDP_X509CERTMULTI_PROPERTY_KEY` keys (concatenated with an index: `onelogin.saml2.idp.x509certMulti.0`, `onelogin.saml2.idp.x509certMulti.1`, etc.) as Strings (PEM format) or `X509Certificate` instances

To be able to specify these properties as typed instances, you may load part of the settings from a properties file, then add the necessary key store/certificates/private keys etc. to the loaded `Properties` instance and then use `com.onelogin.saml2.settings.SettingsBuilder.fromProperties(Properties)`, or use a `Map` and then `com.onelogin.saml2.settings.SettingsBuilder.fromValues(Map<String, Object>)`.
Or you can chain calls (`fromFile` and `fromProperties` are instance methods, so start from a new builder):

```java
new SettingsBuilder()
    // simple properties
    .fromFile(settingsFileName)
    // key store properties
    .fromProperties(keyStoreProperties)
    .build();
```

or even use the variant:

```java
new SettingsBuilder().fromFile(settingsFileName, keyStoreSetting);
```

which accepts a `com.onelogin.saml2.model.KeyStoreSettings` instance carrying typed SP key store data.
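Putting the approach described above together, as an added example (not code from this thread or from java-saml itself): the committed properties file holds only non-secret settings, while the SP certificate, SP private key and IdP certificate are read from PEM files, parsed into typed instances, and layered on top via `fromProperties`. The `SAML_CERT_DIR` environment variable, the directory default, the PEM file names and the `onelogin.saml.properties` path are assumptions.

```java
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.settings.SettingsBuilder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.List;
import java.util.Properties;

public class ExternalKeyMaterialSettings {

    // Parse a PEM certificate file into a typed X509Certificate.
    static X509Certificate loadCertificate(Path pemFile) throws Exception {
        try (var in = Files.newInputStream(pemFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Parse an unencrypted PKCS#8 PEM file ("BEGIN PRIVATE KEY") into a typed RSA PrivateKey.
    static PrivateKey loadPrivateKey(Path pemFile) throws Exception {
        String body = new String(Files.readAllBytes(pemFile), StandardCharsets.US_ASCII)
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    public static void main(String[] args) throws Exception {
        // Assumed layout: the committed properties file holds no key material; the PEM files
        // live outside the repository in a directory named by SAML_CERT_DIR (assumed variable).
        Path certDir = Path.of(System.getenv().getOrDefault("SAML_CERT_DIR", "/etc/saml/certs"));

        Properties keyMaterial = new Properties();
        keyMaterial.put(SettingsBuilder.SP_X509CERT_PROPERTY_KEY, loadCertificate(certDir.resolve("sp.crt")));
        keyMaterial.put(SettingsBuilder.SP_PRIVATEKEY_PROPERTY_KEY, loadPrivateKey(certDir.resolve("sp.key")));
        keyMaterial.put(SettingsBuilder.IDP_X509CERT_PROPERTY_KEY, loadCertificate(certDir.resolve("idp.crt")));

        Saml2Settings settings = new SettingsBuilder()
                .fromFile("onelogin.saml.properties") // non-secret settings, safe to commit
                .fromProperties(keyMaterial)          // typed key material layered on top
                .build();

        // Fail at startup, not on the first SAML exchange, if anything is missing or inconsistent.
        List<String> errors = settings.checkSettings();
        if (!errors.isEmpty()) throw new IllegalStateException("Invalid SAML settings: " + errors);
    }
}
```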
If this already exists, could you point me to documentation? If not, it is just a very nice-to-have for developers building more complex SAML apps.

Story: As a dev, I want to version the properties file in SCM without exposing secrets.

At least this is how I would do it, because you can use ENVs, but there is a risk of human error: someone accidentally pasting a private value into the properties file. Having certificate values external or in an ignored certs folder reduces mistakes and the potential for human error, making it a better SDLC security practice.

As I understand it, the certificate/key validation happens early in init, which makes it difficult to do JIT cert/key loading from a service such as HashiCorp Vault, the other preferred option I would use.

AC: Allow a file notation or property for any key or certificate currently loaded from the properties file, e.g. `onelogin.saml2.idp.x509cert`.

AC: If the file property or file notation is used, add a method to load the private key from file / the X.509 cert from file and load those into the Auth Settings.