The service provider uses PKI to authenticate signed assertions from IdPs and to establish secure, mutually identified connections directly with them. The credentials the SP uses for these flows are defined in the Credentials element of shibboleth.xml. Individual sets of credentials for these purposes are selected on a per-relying-party and per-protocol-handler (TLS or XML signing) basis. These credentials must match the ones supplied to relying parties and federations in metadata.xml, or trust failures will result.

Sessions between end users and the web server or web applications should be SSL-protected in most cases. Shibboleth may use the same key pair and certificate as the web server itself, provided the certificate is signed by a CA accepted both by the IdPs that will be queried for attributes and by commonly used browsers. Most well-known roots satisfy both conditions, but many federations have their own specifications for accepted credentials.

...

This particularly applies when sharing the key and certificate used by mod_ssl, which are only readable by root by default. The password, if any, must be placed in shibboleth.xml, since the Apache module cannot prompt for it during initial startup the way mod_ssl can. Because the password will be stored in clear text in a frequently examined file, use a password that is not used anywhere else, or preferably no password at all.

Example usage:

Code Block
<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
    <FileResolver Id="mycerts">
        <Key>
            <Path>file:/opt/shibboleth-sp/etc/shibboleth/supervillain.key</Path>
        </Key>
        <Certificate>
            <Path>file:/opt/shibboleth-sp/etc/shibboleth/supervillain.crt</Path>
        </Certificate>
    </FileResolver>
</Credentials>
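The two operational points made above, that the SP's certificate must be the one published in metadata.xml and that a shared private key must not be readable by anyone but the owner, are easy to check mechanically before reloading the SP. The script below is an added example and not part of the Shibboleth distribution: it reads the FileResolver entries out of a Credentials block, flags a private key that is group- or world-accessible, flags a key passphrase stored in the configuration (assumed here to be a password attribute on the Key element), and confirms that the DER bytes of the configured certificate appear as a ds:X509Certificate in a metadata file. The key, certificate and metadata it runs against are constructed placeholders written to a temporary directory, so the certificate comparison is a byte comparison rather than X.509 parsing.

```python
import base64
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

CRED_NS = "urn:mace:shibboleth:credentials:1.0"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def file_url_to_path(url):
    """Strip the file: scheme used in <Path>; anything else is returned untouched."""
    url = url.strip()
    return url[len("file:"):] if url.startswith("file:") else url


def file_resolvers(config_xml):
    """Map each FileResolver Id to its key path, certificate path and Key attributes."""
    root = ET.fromstring(config_xml)
    out = {}
    for fr in root.iter("{%s}FileResolver" % CRED_NS):
        key = fr.find("{%s}Key" % CRED_NS)
        key_path = key.find("{%s}Path" % CRED_NS)
        cert_path = fr.find("{%s}Certificate/{%s}Path" % (CRED_NS, CRED_NS))
        out[fr.get("Id")] = {
            "key": file_url_to_path(key_path.text),
            "cert": file_url_to_path(cert_path.text),
            "key_attrs": dict(key.attrib),
        }
    return out


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file to its DER bytes."""
    m = PEM_CERT.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def metadata_certs(metadata_xml):
    """Collect every ds:X509Certificate in a metadata document as DER bytes."""
    root = ET.fromstring(metadata_xml)
    return {base64.b64decode("".join(e.text.split()))
            for e in root.iter("{%s}X509Certificate" % DS_NS)}


def check_credentials(config_xml, metadata_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    published = metadata_certs(metadata_xml)
    for rid, r in file_resolvers(config_xml).items():
        for label in ("key", "cert"):
            if not os.path.exists(r[label]):
                findings.append("%s: %s file %s does not exist" % (rid, label, r[label]))
        if os.path.exists(r["key"]):
            mode = stat.S_IMODE(os.stat(r["key"]).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("%s: private key %s is group/world accessible (mode %o)"
                                % (rid, r["key"], mode))
        # Assumption: a passphrase, if used, lives in a password attribute on Key.
        if "password" in r["key_attrs"]:
            findings.append("%s: key passphrase is stored in clear text in the configuration" % rid)
        if os.path.exists(r["cert"]):
            with open(r["cert"]) as fh:
                der = pem_to_der(fh.read())
            if der not in published:
                findings.append("%s: certificate %s is not present in the metadata" % (rid, r["cert"]))
    return findings


def demo(key_mode=0o600, metadata_matches=True):
    """Write constructed sample files to a temp dir and run the checks on them."""
    d = tempfile.mkdtemp()
    key, crt = os.path.join(d, "sp.key"), os.path.join(d, "sp.crt")
    # Constructed placeholder content; the checks compare bytes, not real X.509 structures.
    body = base64.b64encode(b"constructed certificate, not a real X.509 DER").decode()
    with open(key, "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(key, key_mode)
    with open(crt, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    config = """<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
  <FileResolver Id="mycerts">
    <Key><Path>file:%s</Path></Key>
    <Certificate><Path>file:%s</Path></Certificate>
  </FileResolver>
</Credentials>""" % (key, crt)
    # Constructed metadata fragment; only the ds:X509Certificate content matters here.
    mbody = body if metadata_matches else base64.b64encode(b"some other certificate").decode()
    metadata = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="%s" entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>""" % (DS_NS, mbody)
    return check_credentials(config, metadata)


if __name__ == "__main__":
    for finding in demo(key_mode=0o644, metadata_matches=False):
        print(finding)
```

To run it against a real deployment, pass the Credentials block extracted from shibboleth.xml and the SP's own metadata.xml to check_credentials; a 0o600 key owned by the account shibd runs as, no password attribute and an empty findings list is the state to aim for before a reload.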

<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">

This element is the container for credentials used by the credential mechanism specified by the SPConfig element. It must contain one FileResolver element for flat key and certificate files or one KeyStoreResolver element for compound keystores.

...

<Path>pathname</Path>

This mandatory element specifies the path to a file or directory utilized by other elements of the configuration. It may be contained by various elements to point to different types of files required by the SP.
