From 176d1d8090df701b993d52b318b1cf94eb058ecc Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Thu, 18 May 2023 12:10:17 -0500 Subject: [PATCH] Describe SAML supported private key format and encryption algorithm (#1855) (#4109) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenSearch allows signing requests by using a private key in the PKCS#8 format. If a user wants to use an encrypted key, the key must be encrypted with a PKCS#12-compatible algorithm. The `SAML -> Request signing` documentation is extended with the requirements. It should save time of the customers who use wrong key formats or a good key format, but encrypted with an unsupported algorithm (e.g. PKCS#5 2.0 compatible algorithm). (cherry picked from commit b52424e67be3e60e44f079f83718ea1649d05165) Signed-off-by: Adam Gabryƛ Signed-off-by: github-actions[bot] Co-authored-by: github-actions[bot] --- _security/authentication-backends/saml.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_security/authentication-backends/saml.md b/_security/authentication-backends/saml.md index e3406a0c81..234e406f06 100755 --- a/_security/authentication-backends/saml.md +++ b/_security/authentication-backends/saml.md @@ -176,6 +176,8 @@ Name | Description `sp.signature_private_key_filepath` | Path to the private key. The file must be placed under the OpenSearch `config` directory, and the path must be specified relative to that same directory. `sp.signature_algorithm` | The algorithm used to sign the requests. See the next table for possible values. +The private key must be in PKCS#8 format. If you want to use an encrypted key, it must be encrypted with a PKCS#12-compatible algorithm (3DES). + The Security plugin supports the following signature algorithms. Algorithm | Value
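Review bot: the added sentence "encrypted with a PKCS#12-compatible algorithm (3DES)" leaves the reader to guess which password-based encryption scheme is actually accepted, and the paragraph is inserted directly under the last table row. Suggest naming the scheme (PKCS#12 pbeWithSHA1And3-KeyTripleDES-CBC) and, since the commit message says keys encrypted with a PKCS#5 v2.0 (PBES2) algorithm are rejected, showing the command that produces an accepted key, e.g. `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES -in key.pem -out enc.pem`, or pointing readers at an unencrypted PKCS#8 key (`-----BEGIN PRIVATE KEY-----`) as the simpler option given that 3DES is a legacy cipher. Also put a blank line between the `sp.signature_algorithm` row and the new paragraph so Markdown does not fold the sentence into the table.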
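The commit message describes a requirement that is easy to get wrong silently: the key file behind `sp.signature_private_key_filepath` must be PKCS#8, and if it is encrypted, the PBE scheme must be the PKCS#12 one rather than PKCS#5 v2.0 PBES2. The following pre-flight check is an added example, not OpenSearch or OpenSearch-documentation code. It inspects only the PEM label and, for `ENCRYPTED PRIVATE KEY` files, the outer `AlgorithmIdentifier` OID of the PKCS#8 `EncryptedPrivateKeyInfo` structure (it never decrypts anything), and it goes a little beyond the commit text by also flagging PKCS#1 (`RSA PRIVATE KEY`) and SEC1 (`EC PRIVATE KEY`) files, which are not PKCS#8 at all. The OID constants are the standard values for those schemes; the sample PEM inputs are constructed in the block with placeholder bytes and are not real keys.

```python
import base64
import re

# Standard OIDs of the two PBE families the commit message contrasts.
OID_PBE_SHA1_3DES = "1.2.840.113549.1.12.1.3"  # PKCS#12 pbeWithSHA1And3-KeyTripleDES-CBC
OID_PBES2 = "1.2.840.113549.1.5.13"           # PKCS#5 v2.0 PBES2 (openssl pkcs8 -v2 ...)

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode a DER OID payload into dotted notation."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def encryption_oid(der):
    """Return the PBE OID of a PKCS#8 EncryptedPrivateKeyInfo:
    SEQUENCE { SEQUENCE { OID, params }, OCTET STRING encryptedData }."""
    tag, pos, _ = _read_tlv(der, 0)        # EncryptedPrivateKeyInfo
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)      # encryptionAlgorithm
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, start, end = _read_tlv(der, pos)  # algorithm OID
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    return _decode_oid(der[start:end])


def classify_key(pem):
    """Say whether a PEM private key meets the SAML request-signing requirement."""
    m = PEM_RE.search(pem)
    if not m:
        return "unsupported: not a PEM private key"
    label, body = m.group(1), m.group(2)
    if label == "PRIVATE KEY":
        return "ok: unencrypted PKCS#8"
    if label == "ENCRYPTED PRIVATE KEY":
        oid = encryption_oid(base64.b64decode("".join(body.split())))
        if oid == OID_PBE_SHA1_3DES:
            return "ok: PKCS#8 encrypted with PKCS#12 PBE (SHA1/3DES)"
        if oid == OID_PBES2:
            return "unsupported: PKCS#8 encrypted with PKCS#5 v2.0 PBES2"
        return "unsupported: PKCS#8 encrypted with unknown PBE " + oid
    # "RSA PRIVATE KEY" (PKCS#1) and "EC PRIVATE KEY" (SEC1) are not PKCS#8.
    return "unsupported: " + label + " is not PKCS#8"


# --- constructed sample input (placeholder bytes, not a real key) -------------
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_encrypted_pkcs8(oid):
    """Minimal EncryptedPrivateKeyInfo PEM with the given PBE OID, NULL
    parameters and 16 zero bytes of 'ciphertext' (header is all that is parsed)."""
    alg = _der(0x30, _der(0x06, _encode_oid(oid)) + _der(0x05, b""))
    info = _der(0x30, alg + _der(0x04, bytes(16)))
    b64 = base64.b64encode(info).decode()
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n" % b64


if __name__ == "__main__":
    samples = [("pkcs12-pbe", sample_encrypted_pkcs8(OID_PBE_SHA1_3DES)),
               ("pbes2", sample_encrypted_pkcs8(OID_PBES2)),
               ("pkcs1", "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")]
    for name, pem in samples:
        print(name, "->", classify_key(pem))
```

Run it against the real file with `classify_key(open("config/saml-sp.key").read())`; a "PBES2" verdict means the key was produced with a PKCS#5 v2.0 PBE, which is exactly the "good key format, wrong encryption" case the commit message wants to save users from.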