The service provider uses PKI to authenticate signed assertions from IdPs and to establish secure, mutually authenticated connections directly with them. The credentials the SP uses for these flows are defined in the Credentials element of shibboleth.xml. Individual sets of credentials are specified per relying party and per protocol handler (TLS or XML signing). These credentials must match those supplied to relying parties and federations in metadata.xml, or trust failures will result.
Sessions between end users and the web server and web applications should be SSL-protected in most cases. Shibboleth may use the same keypair and certificate as the web server itself, provided the certificate is signed by a CA accepted both by the IdPs that will be queried for attributes and by commonly used browsers. Most well-known roots satisfy both conditions, but many federations have their own specifications on accepted credentials.
This particularly applies when sharing the key and certificate used by mod_ssl, which by default are readable only by root. The key's password, if any, must be placed in the shibboleth.xml file, since the Apache module cannot prompt for it during initial startup as mod_ssl can. Because the password is then stored in clear text in a frequently examined file, use a password that is not used elsewhere, or preferably no password at all.
    <Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
        <FileResolver Id="mycerts">
            <Key>
                <Path>file:/opt/shibboleth-sp/etc/shibboleth/supervillain.key</Path>
            </Key>
            <Certificate>
                <Path>file:/opt/shibboleth-sp/etc/shibboleth/supervillain.crt</Path>
            </Certificate>
        </FileResolver>
    </Credentials>
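The following script is an added example, not part of the Shibboleth distribution or this page's original text. It reads the Credentials element shown above and checks the three points the preceding paragraphs raise: that the key and certificate files exist, that they are readable by the (non-root) user the SP runs as rather than root-only as a mod_ssl key is by default, and that the key is not passphrase-protected, since that passphrase would have to be stored in clear text in shibboleth.xml. The sample XML, the file paths and the uid passed in are assumptions made for the example.

```python
"""Audit the <Credentials> element of a Shibboleth SP 1.x shibboleth.xml.

Added example: checks that each FileResolver's key and certificate exist, are
readable by the SP's uid, that the key is not world-readable, and that the key
has no passphrase (which would otherwise sit in clear text in shibboleth.xml).
"""
import os
import stat
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from urllib.request import url2pathname

NS = "urn:mace:shibboleth:credentials:1.0"

# Constructed sample mirroring the page's example; the paths are assumptions.
SAMPLE_CREDENTIALS = """<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
  <FileResolver Id="mycerts">
    <Key><Path>file:/opt/shibboleth-sp/etc/shibboleth/supervillain.key</Path></Key>
    <Certificate><Path>file:/opt/shibboleth-sp/etc/shibboleth/supervillain.crt</Path></Certificate>
  </FileResolver>
</Credentials>"""


def resolve_path(uri):
    """Map a <Path> value (a file: URI or a bare path) to a filesystem path."""
    parsed = urlparse(uri)
    if parsed.scheme == "file":
        return url2pathname(parsed.path)
    return uri


def parse_resolvers(xml_text):
    """Return [{'id', 'key', 'cert'}] for every FileResolver in a Credentials element."""
    root = ET.fromstring(xml_text)
    resolvers = []
    for fr in root.iter("{%s}FileResolver" % NS):
        key = fr.find("{%s}Key/{%s}Path" % (NS, NS))
        cert = fr.find("{%s}Certificate/{%s}Path" % (NS, NS))
        resolvers.append({
            "id": fr.get("Id"),
            "key": resolve_path(key.text.strip()) if key is not None else None,
            "cert": resolve_path(cert.text.strip()) if cert is not None else None,
        })
    return resolvers


def is_encrypted_pem(pem_text):
    """True if a PEM private key is passphrase-protected (PKCS#8 or legacy OpenSSL form)."""
    return "ENCRYPTED PRIVATE KEY" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text


def readable_by(st, uid, gids):
    """Decide from ownership and mode bits whether uid (a member of gids) can read the file."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_credentials(xml_text, sp_uid, sp_gids=()):
    """Return a list of findings; an empty list means the credentials look sane."""
    findings = []
    for r in parse_resolvers(xml_text):
        for role in ("key", "cert"):
            path = r[role]
            if path is None:
                findings.append("%s: no %s path configured" % (r["id"], role))
                continue
            if not os.path.exists(path):
                findings.append("%s: %s missing: %s" % (r["id"], role, path))
                continue
            st = os.stat(path)
            mode = stat.S_IMODE(st.st_mode)
            if not readable_by(st, sp_uid, sp_gids):
                findings.append("%s: %s not readable by uid %d (owner %d, mode %04o)"
                                % (r["id"], role, sp_uid, st.st_uid, mode))
            if role == "key":
                if mode & stat.S_IROTH:
                    findings.append("%s: key is world-readable (mode %04o)" % (r["id"], mode))
                with open(path) as f:  # the auditor itself is assumed to run with read access
                    if is_encrypted_pem(f.read()):
                        findings.append("%s: key is passphrase-protected; the passphrase would "
                                        "have to be stored in clear text in shibboleth.xml" % r["id"])
    return findings


if __name__ == "__main__":
    # Hypothetical SP uid; on a real host use the uid shibd/Apache actually runs as.
    for finding in audit_credentials(SAMPLE_CREDENTIALS, sp_uid=48) or ["no findings"]:
        print(finding)
```

Run it as root (or any user able to read the key) and pass the uid and groups the SP process actually runs under; the point of the `readable_by` check is that a key copied from mod_ssl with mode 0600 and owner root looks fine to the administrator running the audit but is unreadable to the SP.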
This element is the container for credentials used by the credential mechanism specified by the
This mandatory element specifies the path to a file or directory utilized by other elements of the configuration. It may be contained by various elements to point to different types of files required by the SP.