How do I change the certificate of a Shibboleth service provider?

Nate Klingenstein ndk at internet2.edu
Mon Jul 23 14:19:08 EDT 2012


Chloe,

> Thanks Nate. I was under the impression that the IDP picked and  
> chose which certificate it used for encrypting, and that the SP must  
> be ready to decrypt with any certificate that was currently in the  
> metadata, based on the information I found here:
>
> https://www.switch.ch/aai/docs/shibboleth/SWITCH/sp-certificate-rollover.html

The IdP does, and the SP should.  Your understanding here was  
correct.  However, the rough inverse is also true: the SP can pick and  
choose a certificate it uses for trusted communications, and the IdP  
must trust that certificate for that SP when it's presented based on a  
comparison with the SP's metadata.

> Since I controlled the metadata file on the IDP, I thought I could  
> just comment it out and the IDP would not use it when talking to the  
> SP.

You could, and that would be the effect.  Your errors relate to  
the SP using an SP certificate that the IdP doesn't trust, not the IdP  
using an SP certificate that the SP doesn't trust.  If that makes any  
sense. :D

> I guess it's the other way around, and the SP sends encrypted  
> messages to the IDP instead.

The SP does utilize its own certificate in communications with the  
IdP (not necessarily to "encrypt messages" specifically, but similar  
idea).  In this specific event, the SP is trying to issue a  
back-channel query for a SAML Artifact to your IdP.  The query is issued  
over a mutually authenticated SSL/TLS tunnel, which means the SP needs  
to present a trusted certificate to the IdP in that conversation.

The IdP will determine whether it trusts that certificate for that SP  
based on metadata.  However, the IdP's web server handles the query  
first, and unless configured to do otherwise, it will decide to reject  
the connection before it even gets to the IdP.

Typically, you'll want to tell the IdP's web server to leave all the  
SSL/TLS trust work to the IdP.  An example of how to do that in a pure  
Tomcat environment is here under "Supporting SOAP Endpoints":

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare

With Apache, you can handle this with SSLVerifyClient optional_no_ca.   
There are several examples on the web, but it's not an officially  
supported deployment configuration.

Finally, you could always teach the IdP's web server to trust the SP's  
certificates.  That's just usually a large configuration hassle that's  
best avoided, though.

Hope this helps,
Nate.
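The trust decision Nate describes (the IdP accepts the SP's back-channel certificate by comparing it with the SP's metadata, not by validating a CA chain, and a certificate that has been removed from the IdP's copy of the metadata stops being trusted) can be modelled in a few lines. The example below is added here and is not code from the thread or from the Shibboleth project: the metadata snippet and the `OLDCERT`/`NEWCERT`/`ENCCERT` blobs are constructed placeholders rather than real X.509 certificates, and `metadata_certs`, `is_trusted` and `drop_cert` are names chosen for the example. It compares whole DER blobs byte for byte, which is a stricter check than Shibboleth's explicit-key engine (that one matches on the public key), but enough to show why commenting a KeyDescriptor out of the IdP's metadata makes the SP's queries fail while the SP itself is unchanged.

```python
# Added example, not from the original mailing-list thread: an IdP-style
# "explicit key" trust check for the certificate an SP presents on the
# mutually authenticated back channel. Trust comes from the SP's metadata
# (KeyDescriptor entries), not from a CA bundle on the web server.
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # constructed entityID

# Constructed metadata for an SP in the middle of a certificate rollover:
# two KeyDescriptors with no 'use' (valid for signing and encryption) plus
# one encryption-only key. The base64 payloads decode to the placeholder
# bytes b"OLDCERT", b"NEWCERT" and b"ENCCERT"; they are not real certificates.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        T0xEQ0VSVA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        TkVXQ0VSVA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        RU5DQ0VSVA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _decode(node: ET.Element) -> bytes:
    # Metadata usually wraps the base64 across lines; strip all whitespace first.
    return base64.b64decode(re.sub(r"\s+", "", node.text or ""))


def metadata_certs(metadata_xml: str, entity_id: str, usage: str = "signing") -> list[bytes]:
    """Return the DER blobs the metadata declares for entity_id and this usage.

    A KeyDescriptor without a 'use' attribute covers both signing and
    encryption; use="encryption" keys are never accepted for TLS client
    authentication, which is a signing-type use.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        entities = [root]
    else:  # an EntitiesDescriptor aggregate
        entities = root.findall(".//md:EntityDescriptor", NS)
    certs: list[bytes] = []
    for ed in entities:
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.findall(".//md:KeyDescriptor", NS):
            use = kd.get("use")
            if use is not None and use != usage:
                continue
            certs.extend(_decode(n) for n in kd.findall(".//ds:X509Certificate", NS))
    return certs


def is_trusted(presented_der: bytes, metadata_xml: str, entity_id: str) -> bool:
    """Explicit-key trust: the presented certificate must match one the SP's
    metadata lists for signing use. No CA chain is consulted, so a
    self-signed SP certificate is fine as long as the IdP's metadata has it."""
    return any(presented_der == c for c in metadata_certs(metadata_xml, entity_id))


def drop_cert(metadata_xml: str, der: bytes) -> str:
    """Model the 'comment it out' edit on the IdP's local copy: remove every
    KeyDescriptor carrying `der` and return the resulting metadata XML."""
    root = ET.fromstring(metadata_xml)
    for parent in list(root.iter()):  # snapshot: we mutate while walking
        for kd in list(parent.findall("md:KeyDescriptor", NS)):
            if der in [_decode(n) for n in kd.findall(".//ds:X509Certificate", NS)]:
                parent.remove(kd)
    return ET.tostring(root, encoding="unicode")


def main() -> None:
    old, new = b"OLDCERT", b"NEWCERT"  # placeholder DER blobs from the metadata above
    print("rollover metadata, SP presents old cert:", is_trusted(old, SP_METADATA, SP_ENTITY_ID))
    print("rollover metadata, SP presents new cert:", is_trusted(new, SP_METADATA, SP_ENTITY_ID))
    trimmed = drop_cert(SP_METADATA, new)  # IdP admin removed the new cert locally
    print("IdP copy without new cert, SP presents new cert:", is_trusted(new, trimmed, SP_ENTITY_ID))


if __name__ == "__main__":
    main()
```

Run as a script, it prints True, True, False: with both certificates in the metadata the SP may present either one during rollover, and as soon as the IdP's copy loses a KeyDescriptor, an SP still presenting that certificate is rejected, which is the error pattern from the thread. The web server in front of the IdP never enters this picture; if it is configured to require a CA-validated client certificate it will refuse the SP before the check above ever runs, which is why the reply suggests leaving client-certificate verification to the IdP.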