Help with StaticPKIX test
Jonathan Bricker
jbricker at exacttarget.com
Wed Sep 7 15:44:46 BST 2011
The problem I'm trying to solve with this is an expired signing cert in the IDP metadata. Because of the setup we have with the metadata from the IDPs, the validUntil attribute did not seem practical (We do not have the SP pull the metadata from the IDPs automatically).
I would be interested in hearing how others have solved this problem.
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, September 07, 2011 9:57 AM
To: users at shibboleth.net
Subject: Re: Help with StaticPKIX test
On 9/7/11 8:23 AM, "Jonathan Bricker" <jbricker at exacttarget.com> wrote:
>I'm trying to set up a StaticPKIX trust engine on our SP. This is the
>first time I've done this with Shibboleth. I'm getting a
>ProfileException that the signature cannot be verified. This is all in a
>sandbox so I have complete control over my setup.
The purpose of that trust engine is for verifying metadata, not for SAML
message use.
>
>One question would be my metadata from the Idp. I do not see attributes
>in the KeyDescriptors or KeyInfo tags. I assume that this is a config
>problem on the Idp. How can I make sure that key names from the cert are
>passed so the PKIX will work?
That trust engine doesn't rely on metadata, which is why it's used for
different things. I don't know offhand how or whether it would work in
other contexts. In principle it would not unless the certificate contained
the entityID of the message issuer in every case.
-- Scott
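The situation described at the top of the thread (an IdP signing certificate that has expired while the metadata's validUntil, if present at all, is still in the future) is easy to miss when the SP does not refresh metadata automatically. The following script is an added example, not code from the thread or from Shibboleth: it walks a SAML metadata document, pulls every ds:X509Certificate out of the md:KeyDescriptor elements, reads the certificate's Validity fields straight from the DER with a minimal ASN.1 reader (standard library only), and reports each certificate's expiry alongside the validUntil status of its EntityDescriptor. The metadata, the entityID and the certificate skeleton it parses are all constructed here for the demonstration; the skeleton has the RFC 5280 TBSCertificate layout but no real key or signature, which is all the validity check needs. The reference date is assumed to be the date of the thread.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Assumed reference time for the check (the date of the thread); constructed.
NOW = dt.datetime(2011, 9, 7, tzinfo=dt.timezone.utc)


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV directly inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner


def parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = der_read(der)              # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)              # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # optional explicit [0] version comes first
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    (t1, v1), (t2, v2) = list(der_children(fields[3][1]))[:2]
    return parse_time(t1, v1), parse_time(t2, v2)


def check_metadata(xml_text, now=NOW):
    """List every KeyDescriptor certificate with its expiry and the entity's validUntil status."""
    findings = []
    root = ET.fromstring(xml_text)
    tag = "{%s}EntityDescriptor" % MD
    entities = [root] if root.tag == tag else root.findall(".//" + tag)
    for ent in entities:
        valid_until = ent.get("validUntil")
        md_expired = (valid_until is not None and
                      dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now)
        for kd in ent.findall(".//{%s}KeyDescriptor" % MD):
            for c in kd.findall(".//{%s}X509Certificate" % DS):
                not_before, not_after = cert_validity(base64.b64decode("".join(c.text.split())))
                findings.append({
                    "entityID": ent.get("entityID"),
                    "use": kd.get("use", "signing/encryption"),   # absent use means both
                    "notAfter": not_after,
                    "cert_expired": not_after < now,
                    "metadata_validUntil_expired": md_expired,
                })
    return findings


# --- constructed sample input -------------------------------------------------

def _tlv(tag, content):
    assert len(content) < 128               # short-form length suffices for this sample
    return bytes([tag, len(content)]) + content


def constructed_cert(not_before, not_after):
    """Build a certificate skeleton with the RFC 5280 field order; unsigned, demo only."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02")) +                                   # version v3
               _tlv(0x02, b"\x01") +                                                # serialNumber
               _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) +    # sha256WithRSA
               _tlv(0x30, b"") +                                                    # issuer (empty)
               _tlv(0x30, utc(not_before) + utc(not_after)) +                       # validity
               _tlv(0x30, b"") +                                                    # subject (empty)
               _tlv(0x30, b""))                                                     # SPKI placeholder
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


# Constructed metadata: validUntil still in the future on 2011-09-07, but the signing cert
# embedded in the KeyDescriptor expired on 2011-08-01 (the situation from the thread).
_CERT = base64.b64encode(constructed_cert(dt.datetime(2010, 8, 1), dt.datetime(2011, 8, 1))).decode()
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://idp.example.org/idp/shibboleth" validUntil="2012-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (MD, DS, _CERT)

if __name__ == "__main__":
    for f in check_metadata(SAMPLE_METADATA):
        print(f)
```

Run against real metadata the same DER walk works on genuine certificates, since only the TBSCertificate field order is relied on; for anything beyond a monitoring check, an X.509 library should do the parsing. The point the output makes is that a validUntil check alone says nothing about the certificates inside the KeyDescriptors, so a periodic job that reports notAfter per entityID is what catches the expiry before the SP starts rejecting signatures.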