question about Service Provider Cert

Paul Hethmon paul.hethmon at clareitysecurity.com
Tue Feb 12 11:47:54 EST 2013


My understanding is you should only need the private certificate to decrypt, but I cannot say I've done this a lot.

Paul

From: Carl Buxbaum <cbuxbaum at tradestonesoftware.com>
Reply-To: Shibboleth Users <users at shibboleth.net>
Date: Tuesday, February 12, 2013 11:30 AM
To: Shibboleth Users <users at shibboleth.net>
Subject: RE: question about Service Provider Cert

Hi Paul,

We have an option to encrypt the Assertion, so the IDP needs our cert.  The SP side just needs the private key to decrypt the assertions?  No need to import the Cert on the SP side?  Or will the SP not decrypt without both the Cert and the private key?

Thanks,

Carl

From: users-bounces at shibboleth.net On Behalf Of Paul Hethmon
Sent: Tuesday, February 12, 2013 11:25 AM
To: Shib Users
Subject: Re: question about Service Provider Cert

Sounds right. You just furnish them with the signed public key, let them figure out how to store it.

Since you're doing IdP initiated SSO, are you encrypting attributes then with the certs? Otherwise, I don't see a need to even have a cert on the SP side.

Paul

From: Carl Buxbaum <cbuxbaum at tradestonesoftware.com>
Reply-To: Shibboleth Users <users at shibboleth.net>
Date: Tuesday, February 12, 2013 11:05 AM
To: Shibboleth Users <users at shibboleth.net>
Subject: RE: question about Service Provider Cert

Thanks for the reply. Yes, I am referring to the former, and although we are doing IDP initiated SSO and there will be no communication from the SP back to the IDP, the customer insists that the cert be signed. So the signed cert gets reimported back into the keystore and placed in the metadata (or whatever they use to configure their IDP). And I gather that, if the public/private key is created outside of keytool, then the customer will be able to download the private key from the CA and import that into our keystore as well. I forgot to mention that we are using the OpenSAML 2.0 API, and not the Shibboleth SP.

Thanks,

Carl

From: users-bounces at shibboleth.net On Behalf Of Paul Hethmon
Sent: Monday, February 11, 2013 4:04 PM
To: Shib Users
Subject: Re: question about Service Provider Cert

Carl,

Are you referring to the public/private key used by Shibboleth SP to sign authentication requests? Or are you referring to an SSL certificate used to provide confidentiality to your web server? If the latter, then Shibboleth does not care. The transport layer security is before Shib gets involved. You can secure it as you would any SSL protected site.

If the former, you'll need to create your private key, then a certificate signing request, and then have a commercial CA sign it. Then you will have the private key and signed public key to use in your Shibboleth configuration. Note that Shibboleth does not care about SAML signing keys being "signed" by a commercial CA. Also note it adds no additional trust or security to do so. Trust is established by you furnishing your public key to the IdP by an out of band process and them trusting it was you that furnished it. Having a commercial CA sign that key adds no value. It does however cause you to keep up with its expiration date year in and year out.

Paul

From: Carl Buxbaum <cbuxbaum at tradestonesoftware.com>
Reply-To: Shibboleth Users <users at shibboleth.net>
Date: Monday, February 11, 2013 3:31 PM
To: Shibboleth Users <users at shibboleth.net>
Subject: question about Service Provider Cert

Hi,

I am trying to get a handle on the certificate installation for a Service Provider implementation. I successfully developed and tested an SP IDP initiated SSO implementation using a self-signed certificate against the Shibboleth IDP, but the customer requires a CA issued cert. According to the documentation of the CA, they talk about generating a cert request, and then importing the entire certificate chain into my SP keystore. Since I already have the private key in my keystore, do I really need to import anything else after running keytool -genkey? Do I need to import the resulting cert into the IDP? And the rest of the cert chain? Or do I just take the resulting cert and place it in the metadata for the Identity Provider? The Identity Provider they are using is PingFederate.

Thanks for the help.

Carl Buxbaum
Software Architect
TradeStone Software
17 Rogers St. Suite 2; Gloucester, MA 01930
P: 978-515-5128 F: 978-281-0673
www.tradestonesoftware.com


DISCLAIMER:
E-mails and attachments from TradeStone Software, Inc. are confidential.
If you are not the intended recipient, please notify the sender immediately by
replying to the e-mail, and then delete it without making copies or using it
in any way. No representation is made that this email or any attachments are
free of viruses. Virus scanning is recommended and is the responsibility of
the recipient.

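Added example, not code from this thread or from the OpenSAML project: it shows the point Paul makes above (and that Carl asks about for his OpenSAML 2.0 SP), namely that decrypting an encrypted assertion needs only the private key from the keystore that keytool -genkey wrote, while the certificate exists only to be handed to the IdP through metadata. The keystore path, alias and passwords are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;

// Decrypts an <EncryptedAssertion> for an OpenSAML 2.0 service provider using
// nothing but the SP's private key; the certificate is never loaded here.
public final class AssertionDecryptor {

    private final Decrypter decrypter;

    // keystorePath, alias and the two passwords are assumed values: the JKS file
    // that "keytool -genkey" wrote and the alias given to the SP key pair.
    public AssertionDecryptor(String keystorePath, char[] storePass,
                              String alias, char[] keyPass) throws Exception {
        DefaultBootstrap.bootstrap(); // one-time OpenSAML 2 initialisation

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        // Only the private key leaves the keystore. The matching certificate is
        // for the IdP (published in the SP metadata) and plays no part in decryption.
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
        BasicX509Credential cred = new BasicX509Credential();
        cred.setPrivateKey(key);

        // The IdP encrypts the assertion with a fresh symmetric key and wraps that
        // key with the SP public key. The KEK resolver supplies our private key to
        // unwrap it; InlineEncryptedKeyResolver locates the <EncryptedKey> element
        // carried inside the <EncryptedData>.
        KeyInfoCredentialResolver kekResolver = new StaticKeyInfoCredentialResolver(cred);
        decrypter = new Decrypter(null, kekResolver, new InlineEncryptedKeyResolver());
        decrypter.setRootInNewDocument(true); // detach the result from the encrypted DOM
    }

    // Returns the plaintext Assertion; a wrong or missing private key surfaces as
    // a DecryptionException rather than a silently empty assertion.
    public Assertion decrypt(EncryptedAssertion encrypted) throws Exception {
        return decrypter.decrypt(encrypted);
    }
}
```

The certificate that the IdP encrypts against is exported separately (keytool -exportcert) and pasted into the SP's metadata KeyDescriptor, which is the out-of-band step that actually establishes trust; a CA signature on it changes nothing in this code path.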