Tags: spring-security, spring-saml, opensso

Which key is used by spring security saml?


I am using spring security's open saml library for authentication.

My Service Provider is my spring web application configured with spring saml. My IDP is OpenSSO.

In the spring-security-saml2-core library, the JKSKeyManager is never called, but the KeyManager gets called.

So is the library using the .jks keystore file as its keys or the 'apollo/nalle123' as its keys? What's their difference?


Solution

  • The org.springframework.security.saml.key.KeyManager is an interface; org.springframework.security.saml.key.JKSKeyManager is its implementation. So if you see calls to KeyManager, in the default configuration it means they're hitting the JKSKeyManager.

    The apollo/nalle123 key is stored inside the .jks file (samlKeystore.jks in the sample application), configured to be used by the KeyManager. Apollo is the alias of the key in the .jks file, nalle123 is its password.

    Spring SAML combines usage of keys provided in the KeyManager and keys supplied in SAML metadata.
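The relationship described in the answer, as an added example that is not part of the question or the answer and not code from the Spring SAML project: the KeyManager bean is built as a JKSKeyManager over the .jks file, with "apollo" as the default alias and "nalle123" as its password, and the keystore itself is then inspected to confirm that the alias really is a private-key entry and that its certificate has not expired. The classpath location `security/samlKeystore.jks`, the use of "nalle123" as both the keystore password and the key password, and the class name `SamlKeyInspector` are assumptions taken from the layout of the sample application, not from this page.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Map;

import org.opensaml.xml.security.credential.Credential;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;

// Hypothetical helper, not part of the Spring SAML sample.
public class SamlKeyInspector {

    // Assumed values modelled on the sample application: keystore on the
    // classpath, keystore password and key password both "nalle123",
    // key alias "apollo".
    static final String KEYSTORE_PATH = "security/samlKeystore.jks"; // assumed path
    static final String STORE_PASSWORD = "nalle123";                 // assumed
    static final String KEY_ALIAS = "apollo";
    static final String KEY_PASSWORD = "nalle123";

    // Wires the KeyManager the way the sample securityContext.xml does:
    // JKSKeyManager is the concrete class behind the KeyManager interface,
    // so every KeyManager call in the library ends up reading this keystore.
    static KeyManager buildKeyManager() {
        Map<String, String> keyPasswords = Collections.singletonMap(KEY_ALIAS, KEY_PASSWORD);
        return new JKSKeyManager(
                new ClassPathResource(KEYSTORE_PATH),
                STORE_PASSWORD,
                keyPasswords,
                KEY_ALIAS);
    }

    // Sanity checks a defender wants before deploying the SP: the default
    // alias must be a private-key entry (otherwise signing/decryption fails)
    // and its certificate must still be valid on the given date.
    static boolean defaultKeyUsable(JKSKeyManager keyManager, Date now) throws Exception {
        KeyStore ks = keyManager.getKeyStore();
        String alias = keyManager.getDefaultCredentialName();
        if (!ks.isKeyEntry(alias)) {
            return false; // alias is a bare certificate, no private key to sign with
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        try {
            cert.checkValidity(now);
        } catch (java.security.cert.CertificateException expiredOrNotYetValid) {
            return false;
        }
        Credential cred = keyManager.getDefaultCredential();
        return cred.getPrivateKey() != null;
    }

    public static void main(String[] args) throws Exception {
        JKSKeyManager keyManager = (JKSKeyManager) buildKeyManager();

        // Aliases the SP can sign or decrypt with; all of them live in the .jks file.
        System.out.println("Available credentials: " + keyManager.getAvailableCredentials());
        System.out.println("Default alias: " + keyManager.getDefaultCredentialName());
        System.out.println("Default key usable: " + defaultKeyUsable(keyManager, new Date()));
    }
}
```

The point the check makes concrete: the .jks file is the key material, and "apollo"/"nalle123" is only the alias and password the KeyManager uses to open one entry inside it. The IdP's signing certificate is not expected in this keystore at all; as the answer notes, Spring SAML takes it from the IdP's SAML metadata, so a keystore that holds only the SP key is normal.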