Generate key


The Generate Key filter enables you to generate an asymmetric key pair, or a symmetric key. The generated keys are placed in message attributes, which are then available for consumption by other filters.

A typical use case for this filter is in conjunction with the Security Token Service Client filter. For example, you might want to request a SAML token with a symmetric proof-of-possession key from an STS. To do this, you need to provide the key material to the STS as a binary secret, which is the private key of an asymmetric key pair. You can use an asymmetric private key generated on-the-fly instead of one from the Certificate Store with an associated certificate.

You must configure the Generate Key filter in a Security Token Service Client filter policy that runs before the WS-Trust request is created. You can then configure the Security Token Service Client filter to consume the generated asymmetric private key. For more details, see STS client authentication.

Note: An asymmetric key pair generated by the Generate Key filter can also be used by the Security Token Service Client filter when a proof-of-possession key of type PublicKey is requested. The generated public key can be used as the UseKey in the request to the STS.
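The following added example (not product code, and not how the filter is implemented) shows what "providing key material to the STS as a binary secret" looks like on the wire for the symmetric proof-of-possession case: a WS-Trust 1.3 RequestSecurityToken carrying generated key material in wst:Entropy/wst:BinarySecret, and the length check an STS-side consumer would apply. The function names are hypothetical, the WS-Trust 1.3 namespace is assumed, and random symmetric key material stands in for the key the filter would place in a message attribute.

```python
import base64
import secrets
import xml.etree.ElementTree as ET

# Assumption: WS-Trust 1.3 namespace and the SAML 2.0 token type URI.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ET.register_namespace("wst", WST)


def generate_symmetric_key(bits=256):
    """Return random key material of the requested size in bits."""
    if bits <= 0 or bits % 8:
        raise ValueError("key size must be a positive multiple of 8 bits")
    return secrets.token_bytes(bits // 8)


def build_rst(key, token_type=SAML2_TOKEN):
    """Build an Issue request for a token with a symmetric proof-of-possession
    key, passing the client's key material as a BinarySecret."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = WST + "/SymmetricKey"
    ET.SubElement(rst, f"{{{WST}}}KeySize").text = str(len(key) * 8)
    entropy = ET.SubElement(rst, f"{{{WST}}}Entropy")
    secret = ET.SubElement(entropy, f"{{{WST}}}BinarySecret",
                           {"Type": WST + "/SymmetricKey"})
    secret.text = base64.b64encode(key).decode("ascii")
    return ET.tostring(rst, encoding="unicode")


def extract_binary_secret(rst_xml):
    """Receiver-side view: recover the key material and reject a request
    whose BinarySecret length disagrees with the declared KeySize."""
    root = ET.fromstring(rst_xml)
    secret = root.find(f"{{{WST}}}Entropy/{{{WST}}}BinarySecret")
    if secret is None or not secret.text:
        raise ValueError("request carries no BinarySecret")
    key = base64.b64decode(secret.text, validate=True)
    declared = int(root.findtext(f"{{{WST}}}KeySize", default="0"))
    if len(key) * 8 != declared:
        raise ValueError("BinarySecret length does not match KeySize")
    return key
```

The BinarySecret is only base64-encoded, not encrypted, so a request like this must travel over TLS or be encrypted for the STS.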


Complete the following fields to configure this filter:

Name:
Enter an appropriate name for the filter to display in a policy.

Key Type:
Select the key type from the drop-down list. Defaults to RSA Asymmetric Key Pair. You can also select Symmetric Key, which is based on Hash-based Message Authentication Code - Secure Hash Algorithm (HMAC-SHA1).

Key Size:
Enter the key size in bits. Defaults to 2048 bits.
