Configure a signing keystore for SAML SSO encryption and signingIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } This article explains how to configure a signing keystore for encryption and signing in a SAML SSO Identity Provider configuration using base system keystores or custom keystores. ServiceNow provides two base system keystores for SAML encryption and signing. For detailed configuration information, see SAML 2.0 configuration using Multi-Provider SSO. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } All supported releases; Beginning with Washington DC for separate signing and encryption keystores Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } To view available keystores, go to the X.509 Certificates list view. Two base system keystores are available: SAML 2.0 SP Keystore (deprecated) This keystore provides 128-bit support and is deprecated. To use this keystore, configure the Identity Provider record in the Encryption and Signing section: Set Signing/Encryption Key Alias to saml2sp.Set Signing/Encryption Key Password to saml2sp.Set Signing Signature Algorithm to http://www.w3.org/2000/09/xmldsig#rsa-sha1.Select the appropriate checkboxes based on your requirements: Encrypt AssertionSign AuthnRequestSign LogoutRequest Select Save. SAML 2.0 Keystore_Key2048_SHA256 The SAML 2.0 Keystore_Key2048_SHA256 or SAML 2.0 Keystore_Key2048_SHA256_FIPS keystore provides 256-bit support. To use this 256-bit keystore: From the X.509 Certificates list view: Set SAML 2.0 SP Keystore Active to false.Set SAML 2.0 Keystore_Key2048_SHA256 Active to true, or Set SAML 2.0 Keystore_Key2048_SHA256_FIPS Active to trueSet the system property glide.authenticate.sso.saml2.keystore value to the sys_id of the keystore record in the sys_certificate table: SAML 2.0 Keystore_Key2048_SHA256 base system sys_id: 3685fc22930212003c5537ae867ffb91SAML 2.0 Keystore_Key2048_SHA256_FIPS base system sys_id: c60ad24b732220103a5b0dd43cf6a7db Configure the Identity Provider record in the Encryption and Signing section: Set Signing/Encryption Key Alias to saml2sp.Set Signing/Encryption Key Password to saml2sp.Set Signing Signature Algorithm to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.Select the appropriate checkboxes based on your requirements: Encrypt AssertionSign AuthnRequestSign LogoutRequest Select Save. Export the signing certificate After you configure the keystore, export the signing certificate to provide to your Identity Provider: Open your Identity Provider record.Select Generate Metadata.Locate the signing certificate in the <ds:X509Certificate> XML element. Example metadata output: <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://<instance-name>.service-now.com"> <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing" > <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDoTCCAomgAwIBAgIERs1yFjANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMxCzAJBgNV BAgTAkNBMRQwEgYDVQQHEwtTYW50YSBDbGFyYTETMBEGA1UEChMKU2VydmljZU5vdzEdMBsGA1UE CxMUUGxhdGZvcm0gRGV2ZWxvcG1lbnQxGjAYBgNVBAMTEVBsYXRmb3JtIFNlY3VyaXR5MB4XDTE2 MDMwOTIyNTYyMVoXDTI2MDMwNzIyNTYyMVowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEU MBIGA1UEBxMLU2FudGEgQ2xhcmExEzARBgNVBAoTClNlcnZpY2VOb3cxHTAbBgNVBAsTFFBsYXRm b3JtIERldmVsb3BtZW50MRowGAYDVQQDExFQbGF0Zm9ybSBTZWN1cml0eTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMdREVxdscrxy9ap/UnDsdihJjoKxY6qpxvLUHUGKjTsSNNu/6Fd hh4y5hkYLklY0vEdXStqwvqJjqiCn1LPPo/WjWBAv1kVZXiA0pbaxRaX0wtQ2zo4ddIpCc6/UFOZ QxPTk+974KPKiA9wDa9/mSqfLfzPmDrSPGLvbiQACTHozLTXxMv+z7pJg77muWIHet5pdrUThF9w 8iANYTRie+dl+LxEyF5U5tdQXlFgRo5qBQQvSDVL+FbjiX+XllNLwP2RX7IwZChxi6B8dgkAuXTX dII309L9NXy3E8pefhAJgSe5FnkGaQk/HlqOBtgKdp9/Rf5Uy6fz0ZJmEqKzM+8CAwEAAaMhMB8w HQYDVR0OBBYEFNF7CaQY7kZQM5ulSV8bOAl2mgdNMA0GCSqGSIb3DQEBCwUAA4IBAQC+f3HXbp/2 IaF/bmUICCkVragGpX4IslJPxjdShUA7qwIZ8YNZZHT9R8bRrcOIRy83fKiXDmlWYSgiuA3cckH4 WSvwCHOCSi0H72/L9QRjqcrlzpzoCFP1v57tzGOPyAsRr/kU7v01g6bCKlnXPhXpX6EA5m0h37vQ rV++9aXSiThRbatOkRVow4NohbkVZA8zhn6kxSI3nwM1xRO30dtb8iQGo/2/J9d2pzLKnvC3pFVF W7GRabHJ8Zv5k/9f45/9F8l/9+v8g+OaqEdQuAdymHbeFQ732vd/4MuJWHylQGcyQz7ytJUqr7j4 epX6Li/sQdXGaLxLM+rEKFMY7uB/</ds:X509Certificate></ds:X509Data></ds:KeyInfo> </KeyDescriptor> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://<instance-name>.service-now.com/navpage.do"/> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<instance-name>.service-now.com/navpage.do" /> <AssertionConsumerService isDefault="false" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<instance-name>.service-now.com/consumer.do" /> </SPSSODescriptor> </EntityDescriptor> To format this as a PEM certificate (as may be required by the IdP) encapsulate the <ds:X509Certificate> value with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags as in this example: -----BEGIN CERTIFICATE----- MIIDoTCCAomgAwIBAgIERs1yFjANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMCVVMxCzAJBgNV BAgTAkNBMRQwEgYDVQQHEwtTYW50YSBDbGFyYTETMBEGA1UEChMKU2VydmljZU5vdzEdMBsGA1UE CxMUUGxhdGZvcm0gRGV2ZWxvcG1lbnQxGjAYBgNVBAMTEVBsYXRmb3JtIFNlY3VyaXR5MB4XDTE2 MDMwOTIyNTYyMVoXDTI2MDMwNzIyNTYyMVowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEU MBIGA1UEBxMLU2FudGEgQ2xhcmExEzARBgNVBAoTClNlcnZpY2VOb3cxHTAbBgNVBAsTFFBsYXRm b3JtIERldmVsb3BtZW50MRowGAYDVQQDExFQbGF0Zm9ybSBTZWN1cml0eTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMdREVxdscrxy9ap/UnDsdihJjoKxY6qpxvLUHUGKjTsSNNu/6Fd hh4y5hkYLklY0vEdXStqwvqJjqiCn1LPPo/WjWBAv1kVZXiA0pbaxRaX0wtQ2zo4ddIpCc6/UFOZ QxPTk+974KPKiA9wDa9/mSqfLfzPmDrSPGLvbiQACTHozLTXxMv+z7pJg77muWIHet5pdrUThF9w 8iANYTRie+dl+LxEyF5U5tdQXlFgRo5qBQQvSDVL+FbjiX+XllNLwP2RX7IwZChxi6B8dgkAuXTX dII309L9NXy3E8pefhAJgSe5FnkGaQk/HlqOBtgKdp9/Rf5Uy6fz0ZJmEqKzM+8CAwEAAaMhMB8w HQYDVR0OBBYEFNF7CaQY7kZQM5ulSV8bOAl2mgdNMA0GCSqGSIb3DQEBCwUAA4IBAQC+f3HXbp/2 IaF/bmUICCkVragGpX4IslJPxjdShUA7qwIZ8YNZZHT9R8bRrcOIRy83fKiXDmlWYSgiuA3cckH4 WSvwCHOCSi0H72/L9QRjqcrlzpzoCFP1v57tzGOPyAsRr/kU7v01g6bCKlnXPhXpX6EA5m0h37vQ rV++9aXSiThRbatOkRVow4NohbkVZA8zhn6kxSI3nwM1xRO30dtb8iQGo/2/J9d2pzLKnvC3pFVF W7GRabHJ8Zv5k/9f45/9F8l/9+v8g+OaqEdQuAdymHbeFQ732vd/4MuJWHylQGcyQz7ytJUqr7j4 epX6Li/sQdXGaLxLM+rEKFMY7uB/ -----END CERTIFICATE----- Custom keystores You can create a custom keystore instead of using the base system options. See: Create a service provider keystore for SAMLInstall a service provider keystore for signing SAML requests Washington DC release and later Starting with the Washington DC release, you can configure separate certificates for signing and encryption. A new system property glide.authenticate.sso.saml2.encryption.keystore works alongside the existing glide.authenticate.sso.saml2.keystore property. A new keystore is available: SAML 2.0 Keystore_Key2048_SHA256_Encryption Default values for this keystore: Signing/Encryption Key Alias: saml2spSigning/Encryption Key Password: saml2spSigning Signature Algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 How the properties work together Before Washington DC: Both signing and encryption use the same certificate specified in glide.authenticate.sso.saml2.keystore. Washington DC and later: You can use separate certificates: glide.authenticate.sso.saml2.keystore: Contains the sys_id for the signing certificateglide.authenticate.sso.saml2.encryption.keystore: Contains the sys_id for the encryption certificate Upgrade behavior During the upgrade to Washington DC, the system automatically copies the value from glide.authenticate.sso.saml2.keystore to glide.authenticate.sso.saml2.encryption.keystore. This ensures your existing encryption and signing configuration continues to work after the upgrade. After upgrading to Washington DC, you can configure different certificates for signing and encryption by setting each system property to point to the appropriate certificate sys_id. System property reference Property Before Washington DC Washington DC and later glide.authenticate.sso.saml2.keystore sys_id of the certificate for signing and encryption sys_id of the certificate for signing only glide.authenticate.sso.saml2.encryption.keystore Not available sys_id of the certificate for encryption only Related Links<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Install a service provider keystore for signing SAML requests