It is time to say goodbye: This version of Elastic Cloud Enterprise has reached end-of-life (EOL) and is no longer supported.
The documentation for this version is no longer being maintained. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Sign Outgoing SAML Message
If configured, Elastic Stack will sign outgoing SAML messages.
As a prerequisite, you need to generate a signing key and a self-signed
certificate. You need to share this certificate with your SAML Identity Provider
so that it can verify the received messages. The key needs to be unencrypted.
The exact procedure is system dependent; for example, you can use openssl:
openssl req -new -x509 -days 3650 -nodes -sha256 -out saml-sign.crt -keyout saml-sign.key
Place the files under the saml folder and add them to the existing SAML bundle, or create a new one as described above.
In our example, the certificate and the key will be located in the path /app/config/saml/saml-sign.{crt,key}:
$ tree .
.
└── saml
    ├── saml-sign.crt
    └── saml-sign.key
Make sure the bundle is included with your deployment (see above).
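A pre-flight check for the generated pair, as an added example that is not part of the original documentation: it confirms that the key is unencrypted, that the certificate matches the key and has not expired, and prints the SHA-256 fingerprint to compare with the copy given to the Identity Provider. The function names, the -newkey and -subj options and the temporary directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: sanity checks for a SAML signing pair before bundling it.
# Function names, -newkey/-subj and the temp directory are assumptions.

# Succeeds only if the key is unencrypted PEM, as the page requires.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1" &&
        openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# Succeeds only if the certificate carries the public half of the key.
pair_matches() {
    pm_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    pm_key=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$pm_crt" ] && [ "$pm_crt" = "$pm_key" ]
}

# usage: check_saml_signing_pair CRT KEY
# Returns 1 (encrypted/unreadable key), 2 (mismatch), 3 (expired), else 0.
check_saml_signing_pair() {
    key_is_unencrypted "$2" || { echo "key is encrypted or unreadable" >&2; return 1; }
    pair_matches "$1" "$2" || { echo "certificate does not match key" >&2; return 2; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 3; }
    # Fingerprint to compare with the certificate copy handed to the IdP.
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Constructed demo: generate a pair in a throwaway directory and check it.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/saml"
openssl req -new -x509 -days 3650 -nodes -sha256 -newkey rsa:2048 \
    -subj "/CN=saml-sign-example" \
    -out "$demo_dir/saml/saml-sign.crt" \
    -keyout "$demo_dir/saml/saml-sign.key" 2>/dev/null
chmod 600 "$demo_dir/saml/saml-sign.key"   # unencrypted key: owner-only access
check_saml_signing_pair "$demo_dir/saml/saml-sign.crt" "$demo_dir/saml/saml-sign.key"
```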
Adjust your realm configuration accordingly:
The path to the SAML signing certificate that was uploaded.
The path to the SAML signing key that was uploaded.
When configured with a signing key and certificate, Elastic Stack will sign all outgoing messages (SAML Authentication Requests, SAML Logout Requests, SAML Logout Responses) by default. This behavior can be altered by configuring signing.saml_messages appropriately with the comma-separated list of messages to sign. Supported values are AuthnRequest, LogoutRequest and LogoutResponse, and the default value is *.
For example