SAML Signing And Encryption Keys
Signing SAML requests and encrypting responses ensures that the communication between the Identity Provider (IdP) and the Service Provider (SP) is authenticated and confidential. By default, Descope generates a private key when a tenant is created; it is used to sign the SAML requests Descope sends and to decrypt the SAML responses it receives from the IdP. Descope also lets organizations upload their own private keys, giving them control over the key material used in the single sign-on flow.
Descope Console
In tenant settings, under the SAML SSO authentication method, a section called "SSO Keys" allows configuring the signing and encryption keys:
Using Descope's keys
Descope, acting as the Service Provider (SP), signs each SAML request with Descope's private key. The IdP uses the matching signing certificate (the public half of the key pair) to verify the request's signature. The IdP can consume the public certificates directly from the SP's metadata URL. Where manual configuration is preferred, the certificates can be downloaded from the configuration page and uploaded to the IdP by hand.
An example of uploading and configuring the certificates in Okta as the IdP:
Using custom keys
When using custom keys, the "Upload Custom Key" control expects a PEM-encoded file containing a private key. After the private key is uploaded and the configuration is saved, the corresponding public certificate is published at the metadata URL and made available for download so it can be configured in the IdP. Because the IdP verifies signatures against the certificate it holds, an IdP that was configured manually must be given the new certificate after a key change; otherwise it will reject the signed requests.
An example of a PEM file format:
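As an added illustration (not Descope's code and not a file from the page), the following Go program generates the key material described above, runs the checks worth doing before an upload, and shows SP-side signing and IdP-side verification with the two halves of the key pair. It assumes the upload field accepts a PKCS#1 or PKCS#8 RSA private key, uses a constructed AuthnRequest as input, and signs the raw bytes rather than applying XML-DSig canonicalization, so it illustrates the key roles rather than a full SAML implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample input: a minimal SAML AuthnRequest as an SP would emit it.
// Real SAML signs the canonicalized XML via XML-DSig; here the raw bytes are signed.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ` +
	`ID="_req1" Version="2.0" Destination="https://idp.example.com/sso"/>`

// SPKeyMaterial: the private key stays with the SP, the certificate goes to the IdP.
type SPKeyMaterial struct {
	PrivateKeyPEM []byte // what a custom-key upload field receives (PKCS#1 assumed here)
	CertPEM       []byte // what the IdP gets via the metadata URL or manual upload
}

// GenerateSPKeyMaterial creates a 2048-bit RSA key plus a self-signed certificate, PEM-encoded.
func GenerateSPKeyMaterial(commonName string) (*SPKeyMaterial, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &SPKeyMaterial{
		PrivateKeyPEM: pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
		CertPEM:       pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
	}, nil
}

// ParsePrivateKeyPEM is the pre-upload sanity check: it accepts a PKCS#1 or PKCS#8 RSA
// private key and rejects anything else, such as a certificate uploaded by mistake.
func ParsePrivateKeyPEM(p []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(p)
	if block == nil {
		return nil, errors.New("input is not PEM")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if rk, ok := k.(*rsa.PrivateKey); ok {
			return rk, nil
		}
		return nil, errors.New("PKCS#8 key is not RSA")
	default:
		return nil, fmt.Errorf("PEM block is %q, expected a private key", block.Type)
	}
}

// ParseCertPEM parses the certificate the IdP will verify signatures with.
func ParseCertPEM(p []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input is not a PEM certificate")
	}
	return x509.ParseCertificate(block.Bytes)
}

// KeyMatchesCert confirms the uploaded private key and the certificate handed to the
// IdP belong together; a mismatch means every signed request will be rejected.
func KeyMatchesCert(key *rsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// SignRequest is the SP side: SHA-256 with RSA PKCS#1 v1.5, the primitives behind
// the rsa-sha256 SignatureMethod used in SAML.
func SignRequest(key *rsa.PrivateKey, request []byte) ([]byte, error) {
	digest := sha256.Sum256(request)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyRequest is the IdP side: only the certificate is needed.
func VerifyRequest(cert *x509.Certificate, request, sig []byte) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(request)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	m, err := GenerateSPKeyMaterial("sp.example.com")
	if err != nil {
		panic(err)
	}
	key, _ := ParsePrivateKeyPEM(m.PrivateKeyPEM)
	cert, _ := ParseCertPEM(m.CertPEM)
	sig, _ := SignRequest(key, []byte(sampleAuthnRequest))
	fmt.Printf("%s", m.CertPEM) // the part the IdP receives
	fmt.Println("key matches cert:", KeyMatchesCert(key, cert))
	fmt.Println("signature verifies:", VerifyRequest(cert, []byte(sampleAuthnRequest), sig))
	fmt.Println("tampered request verifies:", VerifyRequest(cert, []byte(sampleAuthnRequest+" "), sig))
}
```

The two mistakes the checks are aimed at are uploading the certificate where the private key is expected (ParsePrivateKeyPEM rejects it by PEM block type) and giving the IdP a certificate that does not belong to the uploaded key (KeyMatchesCert), both of which surface only as signature failures at login time otherwise.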