The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdPPKIXTrustedName

Owned by Brent Putman
Last updated: May 02, 2011Version comment
1 min read

Define Trusted Name Information

Trusted name information is used when performing PKIX validation on X.509 certificates. The trusted name values specify names against which the target entity certificate's public key must be bound in the certificate in order for trust processing to be successful. This is used to constrain the certificates that are valid for a particular usage context to those that were issued with a particular name or names.

The static trust engine variants may optionally contain one or more TrustedName elements.

The certificate name formats which are supported for trusted name evaluation are:

  1. The subject DN in RFC 2253 or RFC 1779 format
  2. The CN component of the subject DN
  3. Subject alt names (DNS and URI types)

The trusted name value is matched against the subject DN, the CN of the subject DN and any DNS and URI v3 subject alternative names extensions which are present in the certificate. (A URI subject alt name would typically be a SAML entityID). If the trusted name matches one of these values extracted from the certificate, the certificate name processing is successful.

If multiple instances of this element are present, certificate name processing is successful if the target entity certificate matches at least one of them.

Examples
<!-- Subject DN in RFC 2253 format-->
<TrustedName>CN=idp.example.org,DC=example,DC=org</TrustedName>
<!-- Subject CN component or DNS subject alt name-->
<TrustedName>idp.example.org</TrustedName>
<!-- URI subject alt name in URL syntax-->
<TrustedName>https://sp.example.org/shibboleth</TrustedName>