How do I change the certificate of a Shibboleth service provider?
Nate Klingenstein
ndk at internet2.edu
Mon Jul 23 14:19:08 EDT 2012
Chloe,
> Thanks Nate. I was under the impression that the IDP picked and
> chose which certificate it used for encrypting, and that the SP must
> be ready to decrypt with any certificate that was currently in the
> metadata, based on the information I found here:
>
> https://www.switch.ch/aai/docs/shibboleth/SWITCH/sp-certificate-rollover.html
The IdP does, and the SP should. Your understanding here was
correct. However, the rough inverse is also true: the SP can pick and
choose a certificate it uses for trusted communications, and the IdP
must trust that certificate for that SP when it's presented based on a
comparison with the SP's metadata.
> Since I controlled the metadata file on the IDP, I thought I could
> just comment it out and the IDP would not use it when talking to the
> SP.
You could, and that would be the effect. Your errors relate to
the SP using an SP certificate that the IdP doesn't trust, not the IdP
using an SP certificate that the SP doesn't trust. If that makes any
sense. :D
> I guess it's the other way around, and the SP sends encrypted
> messages to the IDP instead.
The SP does utilize its own certificate in communications with the
IdP (not necessarily to "encrypt messages" specifically, but a similar
idea). In this specific event, the SP is trying to issue a back-channel
query for a SAML Artifact to your IdP. The query is issued
over a mutually authenticated SSL/TLS tunnel, which means the SP needs
to present a trusted certificate to the IdP in that conversation.
The IdP will determine whether it trusts that certificate for that SP
based on metadata. However, the IdP's web server handles the query
first, and unless configured to do otherwise, it will decide to reject
the connection before it even gets to the IdP.
Typically, you'll want to tell the IdP's web server to leave all the
SSL/TLS trust work to the IdP. An example of how to do that in a pure
Tomcat environment is here under "Supporting SOAP Endpoints":
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare
With Apache, you can handle this with SSLVerifyClient optional_no_ca.
There are several examples on the web, but it's not an officially
supported deployment configuration.
Finally, you could always teach the IdP's web server to trust the SP's
certificates. That's just usually a large configuration hassle that's
best avoided, though.
Hope this helps,
Nate.
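For readers arriving here from a search, the following is an added illustration of the Apache approach Nate describes above; it is not part of the original message, not Shibboleth project code, and, as the message says, not an officially supported deployment configuration. It assumes Apache httpd with mod_ssl and mod_proxy_ajp in front of a Tomcat-hosted IdP that accepts AJP on localhost:8009; hostnames, paths and ports are placeholders. The commented-out block shows the setting that produces the failure discussed in the thread, and the active lines show the fix.

```apache
# Added example, not from the original email or the Shibboleth project.
# Assumptions: httpd with mod_ssl + mod_proxy_ajp, Tomcat IdP on AJP
# localhost:8009, placeholder hostname idp.example.org and certificate paths.

# Front channel (browser traffic): ordinary server-authenticated TLS.
Listen 443
<VirtualHost *:443>
    ServerName idp.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/idp.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key
    ProxyPass        /idp ajp://localhost:8009/idp
    ProxyPassReverse /idp ajp://localhost:8009/idp
</VirtualHost>

# Back channel (SOAP endpoints such as artifact resolution): the SP
# presents its own certificate in a mutually authenticated TLS handshake.
Listen 8443
<VirtualHost *:8443>
    ServerName idp.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/idp.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key

    # The setting that causes the error in this thread: with "require" (or
    # "optional"), mod_ssl verifies the SP's client certificate against
    # SSLCACertificateFile and aborts the handshake on failure, so a
    # self-signed SP certificate that is perfectly valid per metadata never
    # reaches the IdP.
    #
    #   SSLVerifyClient require
    #   SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.pem

    # The fix: ask for a client certificate but do not require that it
    # chain to a CA known to httpd. The IdP decides whether to trust it
    # by comparing it with the SP's metadata.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  10

    # Export the presented certificate into the request environment so
    # the AJP connector forwards it to the servlet container (assumed
    # behaviour of mod_proxy_ajp with SSL_CLIENT_CERT set).
    SSLOptions +StdEnvVars +ExportCertData

    ProxyPass        /idp ajp://localhost:8009/idp
    ProxyPassReverse /idp ajp://localhost:8009/idp
</VirtualHost>
```

Keeping the back channel on its own port is what makes this safe: only the SOAP endpoints relax httpd's CA check, and on those endpoints the IdP itself still rejects any certificate that does not match the requesting SP's metadata.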