commercial cert for idp

Cantor, Scott cantor.2 at osu.edu
Thu Dec 19 11:47:44 EST 2013


On 12/19/13, 11:38 AM, "Qian, Yi" <yqian at ku.edu> wrote:

>We have a Shibboleth IdP with a self-signed certificate, federated with
>many SPs, but recently a vendor has required us to use a commercial
>certificate for the federation.

You should tell them no. You will be creating outages by doing this on an
annual basis every time you have to renew that certificate and the vendor
blows it. I can practically guarantee that their system doesn't even rely
on the chain and will fail every time you change the certificate on your
end, thus undermining the entire justification for using one. You will
have an annual, manual process with the vendor to deal with changing the
cert.

>I saw on the Shib wiki that the SP can have credential resolver chaining to
>use multiple certs, but I can't find a similar topic related to the IdP.

There is no chaining. There's a defaultCredentialRef or some such on the
RelyingParty element that sets the signing key. You cannot do this for
back channel profiles, of course.

>The chance of the vendor allowing us to use a self-signed cert is very low,
>and we would rather not set up another IdP just for this vendor. So what are
>my options?

It's your system, so defend it. You will pay the price for the work, not
the vendor.

-- Scott
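For readers looking for the per-relying-party signing key override Scott refers to, below is an added illustration of what that looks like in a Shibboleth IdP 2.x relying-party.xml (the IdP version current at the time of this thread). It is not code from the thread or from the Shibboleth project; the entityIDs, file paths and credential IDs are assumptions. In IdP 2.x the attribute is named defaultSigningCredentialRef, and it can be set on the DefaultRelyingParty (used for everyone) and overridden on a RelyingParty element whose id matches the vendor SP's entityID, so only that one SP gets responses signed with the commercial certificate while every other SP keeps seeing the existing self-signed key.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original thread). IdP 2.x relying-party.xml,
     trimmed to the parts relevant to choosing a signing credential per SP.
     All entityIDs, paths and id values are hypothetical. -->
<rp:RelyingPartyGroup
    xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Unknown / unregistered SPs: still use the long-lived self-signed key. -->
    <rp:AnonymousRelyingParty
        provider="https://idp.example.edu/idp/shibboleth"
        defaultSigningCredentialRef="IdPCredential"/>

    <!-- Everyone in the federation: self-signed key, as today. -->
    <rp:DefaultRelyingParty
        provider="https://idp.example.edu/idp/shibboleth"
        defaultSigningCredentialRef="IdPCredential">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
            includeAttributeStatement="true"
            assertionLifetime="PT5M"
            signResponses="never"
            signAssertions="always"
            encryptAssertions="conditional"/>
    </rp:DefaultRelyingParty>

    <!-- Override for the single vendor that insists on a commercial cert.
         id must equal the vendor SP's entityID (hypothetical here).
         Profile configurations are NOT inherited from DefaultRelyingParty in
         IdP 2.x, so the profiles this SP needs must be repeated here. -->
    <rp:RelyingParty id="https://sp.vendor.example/shibboleth"
        provider="https://idp.example.edu/idp/shibboleth"
        defaultSigningCredentialRef="VendorCredential">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
            includeAttributeStatement="true"
            assertionLifetime="PT5M"
            signResponses="never"
            signAssertions="always"
            encryptAssertions="conditional"/>
    </rp:RelyingParty>

    <!-- Existing self-signed key pair (hypothetical paths). -->
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
        <security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
    </security:Credential>

    <!-- Commercially issued key pair used only for the vendor override.
         Only the end-entity certificate is needed; the SP compares the
         key in the signature against the key in the IdP's metadata. -->
    <security:Credential id="VendorCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey>/opt/shibboleth-idp/credentials/vendor-signing.key</security:PrivateKey>
        <security:Certificate>/opt/shibboleth-idp/credentials/vendor-signing.crt</security:Certificate>
    </security:Credential>

</rp:RelyingPartyGroup>
```

Two caveats match Scott's points. First, the override only affects front-channel signing (SAML responses and assertions); back-channel profiles such as SOAP attribute queries are authenticated by the TLS key the servlet container presents, which this file does not control. Second, the vendor's copy of the IdP metadata must carry the commercial certificate's public key, and every time that certificate is renewed the new key has to be sent to the vendor and loaded on their side before the old one is retired, which is exactly the recurring manual process the reply warns about.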



