Tags: spring-security, x509certificate, spring-saml

Cannot sign outgoing message as no signing credential is set in the context with EmptyKeyManager


I've set up a SAML context within my app with an initial key manager bean:

<!-- Central storage of cryptographic keys -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="nalle123"/>
    <constructor-arg>
        <map>
            <entry key="apollo" value="nalle123"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>

And this config works fine with my IDP. Namely, it successfully authenticates the user after the incoming SAML messages have been verified.

Also, I've tried to simply replace this manager with the EmptyKeyManager implementation, but the error above appears.

There are a few questions I'd like answered before these changes are deployed to production :).

  • How does it work, taking into account that my IDP knows nothing about the imported default public key from samlKeystore.jks?
  • How do I correctly replace the initial keyManager implementation with EmptyKeyManager, in case it is not required for my config?

Solution

  • As you can find in the manual (chapter 8.1), you can only use EmptyKeyManager in case your application doesn't need to create digital signatures. The error you mention suggests Spring SAML does need to create one in your usage pattern. Perhaps you are using HTTP-Artifact binding and require outgoing ArtifactRequest messages to be signed?

    The manual also shows the exact line of configuration to replace your current keyManager with the EmptyKeyManager.
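The two configurations side by side, as an added example that is not part of the question, the answer, or the Spring SAML manual. The JKSKeyManager bean mirrors the one from the question; the `${...}` placeholders assume a property placeholder configurer is present in the context (an assumption, not something the question shows). The MetadataGenerator bean is assumed to be the one wired into your MetadataGeneratorFilter elsewhere in the context; the entity id is a constructed placeholder.

```xml
<!-- Added example. Option A: keep a real key manager so the SP can sign
     outgoing messages (AuthnRequest, ArtifactResolve, LogoutRequest) and
     decrypt assertions. The keystore password and the per-key password are
     separate values; both are read from properties here instead of being
     hard-coded (assumes a property placeholder configurer). -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/samlKeystore.jks"/>
    <constructor-arg type="java.lang.String" value="${saml.keystore.password}"/>
    <constructor-arg>
        <map>
            <!-- alias -> key password for the private key used to sign -->
            <entry key="apollo" value="${saml.key.password}"/>
        </map>
    </constructor-arg>
    <!-- default key: the alias Spring SAML uses when no explicit signing key is set -->
    <constructor-arg type="java.lang.String" value="apollo"/>
</bean>

<!-- Option B: EmptyKeyManager. Only valid when the SP never has to sign or
     decrypt anything. It reuses the same bean id, so no other bean changes.
     Uncomment this and remove option A to switch. -->
<!--
<bean id="keyManager" class="org.springframework.security.saml.key.EmptyKeyManager"/>
-->

<!-- With option B the generated SP metadata must not advertise signed
     requests: if the SPSSODescriptor declares AuthnRequestsSigned, Spring SAML
     tries to sign the AuthnRequest and fails with the error from the question.
     requestSigned defaults to true, so it has to be set off explicitly.
     wantAssertionSigned stays true so incoming assertions are still verified
     against the IDP certificate from its metadata (no local key needed). -->
<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="entityId" value="urn:example:sp"/>   <!-- constructed placeholder -->
    <property name="requestSigned" value="false"/>
    <property name="wantAssertionSigned" value="true"/>
</bean>
```

Note on the trade-off: with option B the IDP has no way to verify that an AuthnRequest really came from your SP, and the SP cannot receive encrypted assertions, so option B only fits an IDP that accepts unsigned requests over the POST or Redirect binding. The HTTP-Artifact binding the answer mentions requires an ArtifactResolve message from the SP, which is why that pattern needs a real signing credential.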