You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -98,25 +98,23 @@ Here are values needed to configure your service provider (SP) to work with Logi
98
98
99
99
### x509 Public Certificate
100
100
101
-
For SAML integrations, there are two different public certificates used:
101
+
This section refers to the Login.gov certificate that we use to sign our SAML response back to the partner app. This allows the partner app to validate the authenticity of SAML responses received from Login.gov. We update this certificate once a year, as explained in the [Annual Certificate Rotation](#annual-certificate-rotation) section below.
102
102
103
-
1. The Login.gov certificate that we use to sign our SAML response back to the partner app. This allows the partner app to validate the authenticity of SAML responses received from Login.gov. We update this certificate once a year, as explained in the [Annual Certificate Rotation](#annual-certificate-rotation) section below.
103
+
For your own public certificates that you upload to the Login.gov Partner Portal, please refer to our [Certificate Rotation Process](/production/#certificate-rotation-process), and to the [Creating a public certificate](/testing/#creating-a-public-certificate) section for more details.
104
104
105
-
2. Your public certificate that you upload to the Login.gov Partner Portal. This is the certificate that matches the private key on your end that you use to sign your SAML requests to Login.gov. This allows Login.gov to validate the authenticity of your SAML requests.
106
-
107
-
Your public certificate is also used by Login.gov to encrypt our SAML response back to your app. Your app then uses the corresponding private key to decrypt the response.
105
+
### How your app can access the Login.gov certificate
108
106
109
-
You can follow the instructions in our [testing article]({% link _pages/testing.md %}#creating-a-public-certificate) to generate your public/private keypair.
107
+
The easiest and recommended way is via our metadata endpoint. See details in the [Metadata](#metadata) section below.
110
108
111
-
### How your app can access the Login.gov certificate
109
+
Otherwise, you can download our certificates from the [Signing Certificates](#signing-certificates) section.
112
110
113
-
The easiest and recommended way is via our metadata endpoint. Consistent with the [SAML metadata specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf){:class="usa-link--external"}, Login.gov's metadata for our sandbox environment is available at [https://idp.int.identitysandbox.gov/api/saml/metadata{{ site.data.saml.year.current }}](https://idp.int.identitysandbox.gov/api/saml/metadata{{ site.data.saml.year.current }}). Our production metadata endpoint is available at [https://secure.login.gov/api/saml/metadata{{ site.data.saml.year.current }}](https://idp.int.identitysandbox.gov/api/saml/metadata{{ site.data.saml.year.current }}).
111
+
The advantage of using our metadata endpoint is that you don't have to manually copy our certificate from this page and upload it to your systems once a year during our [Annual Certificate Rotation](#annual-certificate-rotation). Instead, you will simply update the year in the metadata URL.
114
112
115
-
This means that you don't have to manually copy our certificate from this page and then upload it to your systems once a year, during our [Annual Certificate Rotation](#annual-certificate-rotation). Instead, you can simply update the year in the metadata URL.
113
+
### Metadata
116
114
117
-
If your systems don't support ingesting the metadata via a URL, there typically is an option to upload a file. In that case, you would visit our metadata endpoint in your browser, then right-click anywhere inside the page, and select "Save As". The default filename will be metadata{{ site.data.saml.year.current }}.xml
115
+
Consistent with the [SAML metadata specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf){:class="usa-link--external"}, Login.gov's metadata for our sandbox environment is available at [https://idp.int.identitysandbox.gov/api/saml/metadata{{ site.data.saml.year.current }}](https://idp.int.identitysandbox.gov/api/saml/metadata{{ site.data.saml.year.current }}). Our production metadata endpoint is available at [https://secure.login.gov/api/saml/metadata{{ site.data.saml.year.current }}](https://idp.int.identitysandbox.gov/api/saml/metadata{{ site.data.saml.year.current }}).
118
116
119
-
If there aren't any metadata options available to you, you will need to manually copy the certificate from the next section, then either paste it on your end, or save it to a file with a .crt extension, then upload it on your end so your app can access it.
117
+
If your systems don't support ingesting the metadata via a URL, an option to upload a file is typically available. In that case, you would visit our metadata endpoint in your browser, then right-click anywhere inside the page, and select "Save As." The default filename will be metadata{{ site.data.saml.year.current }}.xml
120
118
121
119
### Signing Certificates
122
120
Below you can find the X509 certificates used by the Login.gov IdP to sign our SAML **response** back to your app. This allows your app to validate that the response you received did indeed come from Login.gov.
@@ -169,10 +167,6 @@ The certificates are issued to create an overlap period of about a month, during
169
167
170
168
The {{ site.data.saml.year.previous }} certificates for idp.int.identitysandbox.gov and secure.login.gov each expire on April 1, {{ site.data.saml.year.current }}. So the transition from {{ site.data.saml.year.previous }} to {{ site.data.saml.year.current }} endpoints should take place in February or March {{ site.data.saml.year.current }}.
171
169
172
-
### Rotating Your Public Certificates
173
-
174
-
Note that **your** public certificates (the ones that you use to sign your SAML requests to Login.gov, and that you upload to the Partner Portal) have expiration dates as well, that you set. When it's time for you to change your certificates, there is a specific process to follow in a specific order to avoid downtime. Please make sure to review the [step-by-step instructions for certificate rotation](/production/#certificate-rotation-process) well in advance of your certificate's expiration.
175
-
176
170
### Example application
177
171
178
172
The Login.gov team has created an example client to speed up your development, all open source in the public domain: [identity-saml-sinatra](https://github.com/18F/identity-saml-sinatra){:class="usa-link--external"}.
Copy file name to clipboardExpand all lines: _pages/testing.md
+5-3Lines changed: 5 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,6 +15,8 @@ sidenav:
15
15
href: "#using-the-sandbox"
16
16
- text: If you lost access to a sandbox team
17
17
href: "#if-you-lost-access-to-a-sandbox-team"
18
+
- text: Creating a public certificate
19
+
href: "#creating-a-public-certificate"
18
20
- text: Load Testing
19
21
href: "#load-testing"
20
22
- text: Automated Testing
@@ -83,9 +85,9 @@ The public/private keypair process is a crucial step in generating secure authen
83
85
84
86
- The private key should be one of the most securely protected pieces of data in your Login.gov integration. If the private key is compromised, your integration will no longer be secure.
85
87
- Only share the public key with Login.gov. Do not share the private key.
86
-
- It is best practice to rotate your keypairs on a regular basis regardless of known compromise.
87
-
-At minimum for OIDC, you must ensure that your authentication request is signed with the private key.
88
-
- For SAML integrations, use the private key generated with your certificate for decryption or you will be unable to decrypt the response.
88
+
- It is best practice to rotate your keypairs on a regular basis regardless of known compromise. NIST recommends rotating every 90 days to 6 months. For production applications, make sure to review the [step-by-step instructions for certificate rotation](/production/#certificate-rotation-process) well in advance of your certificate's expiration.
89
+
-For OIDC integrations using `private_key_jwt`, your request to our token endpoint must include a JWT signed with a private key that matches a public certificate that you uploaded to your config in the Partner Portal.
90
+
- For SAML integrations, you will use the private key generated with your certificate to sign your SAML requests to Login.gov, and to decrypt the responses you receive from Login.gov.
0 commit comments