Describe SAML supported private key format and encryption algorithm
OpenSearch allows signing requests by using a private key in the PKCS#8 format. If a user wants to use an encrypted key, the key must be encrypted with a PKCS#12-compatible algorithm.

The `SAML -> Request signing` documentation is extended with the requirements. It should save time for customers who use the wrong key format, or a good key format encrypted with an unsupported algorithm (e.g. a PKCS#5 2.0 compatible algorithm).

Signed-off-by: Adam Gabrys <adam.gabrys@live.com>
agabrys committed Mar 17, 2023
1 parent 98ed839 commit 2388656
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions _security/authentication-backends/saml.md
Expand Up @@ -161,6 +161,8 @@ Name | Description
`sp.signature_private_key_filepath` | Path to the private key. The file must be placed under the OpenSearch `config` directory, and the path must be specified relative to that same directory.
`sp.signature_algorithm` | The algorithm used to sign the requests. See the next table for possible values.
The private key must be in PKCS#8 format. If you want to use an encrypted key, it must be encrypted with a PKCS#12-compatible algorithm (3DES).
The security plugin supports the following signature algorithms.
Algorithm | Value
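Review bot: The added sentence after the `sp.signature_algorithm` row says only "PKCS#12-compatible algorithm (3DES)" and omits the failure case the commit message calls out: a PKCS#8 key encrypted with a PKCS#5 2.0 compatible algorithm is not supported. Suggest stating that unsupported case explicitly in the doc text, and naming the exact encryption scheme rather than the bare "(3DES)", so a reader can check an existing key against it. Because the sentence sits between the settings table and the algorithm table, it would also read more clearly if tied to the setting it constrains, for example "The private key referenced by `sp.signature_private_key_filepath` must be in PKCS#8 format."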