How to sign the IdP metadata?

WULMS Alex Alex.WULMS at swift.com
Thu Nov 29 04:14:32 EST 2012


Hi,

Thanks for the pointers. I have managed to sign it with the XmlSecTool.

They claim that the service provider implementation that they use mandates a signed metadata file and gives a security error when it is provided with an unsigned one. I assume it is some configuration issue on their side but don't want to go into a lengthy fight on which party (us or them) has to "fix" the issue. It will take me less time to simply provide them with a signed metadata file.

Thanks and kind regards,
Alex



-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: Wednesday, November 28, 2012 4:18 PM
To: users at shibboleth.net
Subject: Re: How to sign the IdP metadata?

* Ian Young <ian at iay.org.uk> [2012-11-28 16:11]:
> On 28 Nov 2012, at 15:07, WULMS Alex <Alex.WULMS at swift.com> wrote:
> > Do you know of some existing tool or script that I can use to sign 
> > it with our private key?
> 
> You could try this:
> 
> https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool

Or samlsign from
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPCommandLine

> Having said which, I'm not clear why the SP in question thinks they 
> want metadata you're giving them out of band signed.  Or are they 
> proposing to pick it up dynamically?

Either that or maybe they're even thinking PKIX path verification on the signing cert. Never hurts to ask why (even though I doubt they'd answer "security theatre" even if that'd be the case :)
-peter