
Add SAML 2.0 Provider

This section contains step-by-step instructions for creating a SAML 2.0 provider in Monokee. These instructions are applicable to both identity and service providers, and will be referenced in the dedicated tutorial.

The following steps will guide you through the process of setting up a SAML 2.0 provider:

  1. Navigate to your Monokee custom fully qualified domain name (FQDN) or, if you haven't set up a custom FQDN, go to Monokee's default page and enter your domain ID. Then enter your login credentials to access your account.

  2. Open the left sidebar and select SAML Providers from the menu.

  3. This displays a page with two tabs; choose the tab for the desired provider type: IDENTITY PROVIDERS or SERVICE PROVIDERS. Click the Add button located in the top right corner.

  4. Within the presented modal, in the General configuration section, enter the desired Name for your new provider, such as Default IDP SAML 2.0 or Default SP SAML 2.0. Leave all other settings unchanged unless there are specific requirements. If you wish to share your provider's metadata via a link, select the Display metadata option.

  5. Complete the Organization and Contact person section with desired values for your organization. We left them empty.

  6. Select your preferred Signing options in the dedicated section. We suggest always enabling each flag to improve the security of SAML message exchange.

  7. Load your PKCS1 Private Key and the corresponding Certificate in the Signature section. If you do not already have one, you can generate this key pair with the following openssl command:

    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048

    You will be prompted for a series of fields; here is an example:

    • Country Name: IT
    • State or Province Name: TN
    • Locality Name: Trento
    • Organization Name: Monokee
    • Organizational Unit Name: Monokee SAML 2.0
    • Common Name: 1f414952-d73b-4c79-a3cb-fb5d413fe5fe
    • Email Address: john.doe@example.org

    This command prints the certificate directly in the terminal and writes the private key to a file named privkey.pem. The private key is in PKCS8 format, so it must be converted to PKCS1 with the following command:

    openssl pkey -in privkey.pem -traditional

    The new private key will be displayed in the terminal output.

  8. Leave the Single Logout services configuration untouched. These options need to be modified only if you want to limit the supported bindings.
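The key-pair generation from step 7 as a scripted, non-interactive version. This is an added example and not part of the Monokee documentation: it answers the openssl req prompts with -subj using the sample values above, writes the key and certificate to files instead of the terminal, converts the key to PKCS1 as the step requires, and checks that the certificate really belongs to the key before either is uploaded. The output directory and the subject values are placeholders; openssl 1.1 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not Monokee's own tooling): scripted SAML signing key pair.
# Assumptions: openssl 1.1+ on PATH; "$1" is a scratch directory (placeholder);
# the subject fields below are the sample values from the documentation.
set -eu

# Generate a 2048-bit RSA key (written in PKCS8 form by -keyout) and a
# self-signed certificate (-out). -subj replaces the interactive prompts,
# -nodes leaves the key unencrypted, which is what the upload form expects.
gen_saml_keypair() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj "/C=IT/ST=TN/L=Trento/O=Monokee/OU=Monokee SAML 2.0/CN=1f414952-d73b-4c79-a3cb-fb5d413fe5fe/emailAddress=john.doe@example.org" \
    -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
  # Convert PKCS8 ("BEGIN PRIVATE KEY") to PKCS1 ("BEGIN RSA PRIVATE KEY").
  openssl pkey -in "$dir/privkey.pem" -traditional -out "$dir/privkey-pkcs1.pem"
  # Private material should never be group- or world-readable.
  chmod 600 "$dir/privkey.pem" "$dir/privkey-pkcs1.pem"
}

# Print the PEM label of a file's first line, e.g. "RSA PRIVATE KEY",
# so the key format can be checked before uploading it.
pem_label() {
  head -n 1 "$1" | sed 's/^-----BEGIN \(.*\)-----$/\1/'
}

# Compare the RSA modulus embedded in the certificate with the one in the
# private key; a mismatch means SAML signatures would fail validation.
# Prints "match" or "mismatch" and returns 0 or 1 accordingly.
keypair_matches() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus)
  key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  if [ "$cert_mod" = "$key_mod" ]; then
    echo match
    return 0
  fi
  echo mismatch
  return 1
}

# Usage (placeholder directory):
#   gen_saml_keypair ./saml-keys
#   pem_label ./saml-keys/privkey-pkcs1.pem
#   keypair_matches ./saml-keys/cert.pem ./saml-keys/privkey-pkcs1.pem
```

Upload cert.pem as the Certificate and privkey-pkcs1.pem as the PKCS1 Private Key; the original privkey.pem is only kept so the conversion can be redone if needed. The 365-day lifetime from the documented command means the certificate must be rotated within a year, or relying parties will start rejecting signed messages.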