Another day, another attribute

Wynne, David D.Wynne at
Fri Nov 23 12:00:59 EST 2012

Thanks Rod.

I've been working with Linux + Apache for many years & already had the SSL config set up, so it's a familiar environment for me.

Done as you suggest with certs for the 8443 port pointing to the idp/credentials files.

On the subject of certificates, I've always generated a "self-signed" certificate for our Apache webserver as previously it's only been used internally. Do I now need to buy a certificate from a root signing authority like Verisign for our Apache webserver if we want to authenticate with our shibboleth-idp on Shibboleth SPs other than testshib? The attributes seem to work on testshib but other SPs might block them because our Apache cert is untrusted.

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Rod Widdowson
Sent: 23 November 2012 16:14
To: 'Shib Users'
Subject: RE: Another day, another attribute

I guess that I am surprised that, for a new installation, you are using Apache since it means more work for you.  But that has to be your call.  I will suggest strongly that you test SAML1 since you will need this (as well as SAML2) in the UK federation for a few years yet.

> Shouldn't these credentials be synchronised? If so, how do I do that?


You may well want (and it could be your federation's recommendation) to use a different certificate for the IdP & port 8443 from the one used for port 443.  Not least of the reasons is to save you the effort of updating everywhere when your browser certificate needs to be renewed.

I would very much recommend that you use the same key/certificates for the 8443 port and the IdP's other uses, and I would view it as essential that these come from the same file.  Configure this by editing the config files to make sure that they point to the same place.  For myself I would edit the httpd config to collect from the IdP config space rather than the other way around.
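
An added example, not part of the thread: a Python check that the port 8443 virtual host in an httpd configuration serves the IdP's own certificate and key files, which is the arrangement recommended above. The credential paths, the sample configuration and the function names are assumptions made for illustration.

```python
import re

# Assumed IdP credential locations (not given in the thread).
IDP_CERT = "/opt/shibboleth-idp/credentials/idp.crt"
IDP_KEY = "/opt/shibboleth-idp/credentials/idp.key"

# Constructed httpd configuration: 8443 uses the IdP cert but the web server's key.
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/www.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.key
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    # SSLCertificateFile /etc/pki/tls/certs/old.crt
    SSLCertificateFile "/opt/shibboleth-idp/credentials/idp.crt"
    SSLCertificateKeyFile /etc/pki/tls/private/www.key
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE = re.compile(
    r"^\s*(SSLCertificate(?:Key)?File)\s+\"?([^\"\s]+)\"?\s*$", re.M | re.I)

def vhost_credentials(conf):
    """Map each virtual host port to the cert/key files it is configured with."""
    result = {}
    for addrs, body in VHOST.findall(conf):
        creds = {}
        for name, path in DIRECTIVE.findall(body):  # commented-out lines never match
            creds[name.lower()] = path              # a later directive overrides an earlier one
        for addr in addrs.split():
            port = addr.rsplit(":", 1)[-1]
            if port.isdigit():
                result[int(port)] = creds
    return result

def backchannel_mismatches(conf, port=8443, cert=IDP_CERT, key=IDP_KEY):
    """List the ways the vhost on `port` differs from the IdP credential files."""
    creds = vhost_credentials(conf).get(port)
    if creds is None:
        return ["no VirtualHost on port %d" % port]
    expected = {"sslcertificatefile": cert, "sslcertificatekeyfile": key}
    return ["%s is %s, expected %s" % (d, creds.get(d), p)
            for d, p in expected.items() if creds.get(d) != p]
```

Run against the constructed sample, `backchannel_mismatches(SAMPLE_CONF)` reports the key file on 8443, which still points at the web server's key rather than the IdP's.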

