Skip to content
  • There are no suggestions because the search field is empty.

Configuring SAML Authentication for Innoslate with Java 21

A Step-by-Step Guide to Setting Up Secure SAML Authentication for Innoslate 4.12 and Above

This outlines the process for configuring SAML authentication in Innoslate version 4.12 and above using Java 21. SAML (Security Assertion Markup Language) authentication relies on a certificate to verify the identity of the response publisher, ensure the signature's integrity, and confirm that the data has not been tampered with during transit.

Note: Innoslate 4.12 requires Apache Tomcat 11, which is included in the Innoslate installer. Innoslate v4.12 is due out September 2025.

Prerequisites

  • Java 21 installed (e.g., JDK 21.0.5)
  • OpenSSL installed
  • Administrative access to the command prompt
  • Access to the Identity Provider (IdP) metadata (e.g., ldp.pem and IDPMetadata.xml)
  • Innoslate version 4.12 or higher installed with Apache Tomcat 11 (e.g., C:\Innoslate4\apache-tomcat)
  • A certificate (e.g., saml.crt) and its corresponding private key (e.g., saml.pem or saml.key)

Creating a Java Keystore

Follow these steps to generate a Java Keystore for SAML authentication using a certificate and private key.

  1. Install OpenSSL: Download and install OpenSSL if not already present on your system.

  2. Open Command Prompt as Administrator:

    • Launch the command prompt with administrative privileges.

  3. Navigate to OpenSSL Directory:

    • Change to the OpenSSL installation directory using: 
      cd <openssl_path>
      Example: cd C:\OpenSSL\bin

  4. Obtain Certificate and Private Key:

    • Ensure you have a certificate (saml.crt) and its corresponding private key (saml.pem). These may be obtained from a certificate authority, internal certificate management system, or generated locally.
    • If the certificate is in a different format (e.g., .pfx), extract the certificate and key using: 
      openssl pkcs12 -in input_cert.pfx -out saml.crt -clcerts -nokeys
      openssl pkcs12 -in input_cert.pfx -out saml.pem -nocerts -nodes
      • Enter the .pfx file’s password when prompted, if applicable.

  5. Create a PKCS12 File:

    • Convert the certificate and private key into a .p12 file: 
      openssl pkcs12 -export -in saml.crt -inkey saml.pem -name saml -out saml.p12
    • Set the alias as saml (used in step 9).
    • When prompted, enter and verify an export password.

  6. Convert IdP Metadata to DER Format:

    • Convert the IdP’s ldp.pem file (downloaded from the ldP) to .der format: 
      openssl x509 -outform der -in ldp.pem -out ldp.der

  7. Copy Files to Java Bin Directory:

    • Copy saml.p12 and ldp.der to the Java bin directory (e.g., C:\Program Files\Java\jdk-21.0.5\bin).

  8. Navigate to Java Bin Directory:

    • In the command prompt, change to the Java bin directory: 
      cd C:\Program Files\Java\jdk-21.0.5\bin

  9. Create Java Keystore:

    • Import the .p12 file into a Java Keystore (.jks): 
      keytool -importkeystore -deststorepass <new_keystore_pass> -destkeypass <new_key_pass> -destkeystore SPKeystore.jks -srckeystore saml.p12 -srcstoretype PKCS12 -srcstorepass <pass_used_in_p12_keystore> -alias saml
    • Example: 
      keytool -importkeystore -deststorepass password -destkeypass password -destkeystore SPKeystore.jks -srckeystore saml.p12 -srcstoretype PKCS12 -srcstorepass password -alias saml

  10. Import IdP Certificate into Keystore:

    • Add the IdP certificate (ldp.der) to the Keystore: 
      keytool -import -alias InnoslateSP -keystore SPKeystore.jks -file ldp.der
    • When prompted:
      • Enter the Keystore password (e.g., password).
      • Confirm trust in the certificate by typing yes.

  11. Verify Keystore Creation:

    • The SPKeystore.jks file will be generated in the current directory (Java bin).

  12. Copy Files to Innoslate SAML Directory:

    • Move SPKeystore.jks and the IdP metadata file (IDPMetadata.xml) to: 
      C:\Innoslate4\apache-tomcat\webapps\innoslate4\WEB-INF\classes\saml
    • Ensure the IdP metadata XML file is present in this directory. If not, download it from the IdP and copy it here.
    • Provide the certificate (saml.crt) to the IdP to establish trust. This may involve sharing the certificate with the IdP administrator or uploading it to the IdP’s configuration portal.

Configuring settings.properties

Update the settings.properties file located in:

C:\Innoslate4\apache-tomcat\webapps\innoslate4\WEB-INF\

Set the following properties:

AUTHENTICATION_TYPE=SAML
KEY_ENTRY_ID=saml
KEY_STORE_PASSWORD=password
PRIVATE_KEY_PASSWORD=password
SP_ENTITY_ID=https://test.innoslate.com
METADATA_NAME=IDPMetadata.xml
KEY_STORE_NAME=SPKeystore.jks
SAML_RESPONSE=SAMLResponse

Property Descriptions

  • AUTHENTICATION_TYPE: Specifies the authentication method. Set to SAML for SAML authentication.
  • KEY_ENTRY_ID: The alias of the certificate stored in the Java Keystore (e.g., saml).
  • KEY_STORE_PASSWORD: The password set for the Java Keystore during creation.
  • PRIVATE_KEY_PASSWORD: The private key password set for the Java Keystore during creation.
  • SP_ENTITY_ID: A globally unique URL identifying the SAML entity, as configured in the IdP (e.g., https://test.innoslate.com).
  • METADATA_NAME: The filename of the IdP metadata XML file (e.g., IDPMetadata.xml), located in the SAML directory.
  • KEY_STORE_NAME: The name of the Java Keystore file (e.g., SPKeystore.jks), located in the SAML directory.
  • SAML_RESPONSE: The parameter name for the Base64-encoded SAML response payload from the IdP. The default is SAMLResponse and typically does not need to be changed.

Verification

  1. Ensure all files (SPKeystore.jks, IDPMetadata.xml) are in the correct directory (C:\Innoslate4\apache-tomcat\webapps\innoslate4\WEB-INF\classes\saml).
  2. Verify that the IdP trusts the certificate. If the certificate requires a specific trust chain, ensure the IdP has the necessary root or intermediate certificates.
  3. Restart the Apache Tomcat 11 server to apply the configuration changes.
  4. Test the SAML authentication by accessing Innoslate and verifying that the IdP login process works as expected.

Notes

  • Replace placeholder values (e.g., password, https://test.innoslate.com) with your actual values.
  • Ensure the IdP metadata (IDPMetadata.xml) is correctly obtained from the IdP.
  • Verify that the certificate and key are in a compatible format (e.g., PEM for the key and certificate, PKCS12 for the combined file).
  • If issues arise, check the Apache Tomcat logs (e.g., catalina.out) for errors related to certificate validation or Keystore issues. Verify the Keystore passwords, aliases, and file paths.

Still having issues? Reach out to Support.