Will shibboleth IDP check whether the SP's cert is issued by a trusted CA ?

Adam Dong adamdong at vidder.com
Tue Nov 25 21:01:08 EST 2014


When Shibboleth IDP verifies the signature of a AuthnRequest from the SP, it will use the SP's signing cert in sp-metadata.xml file to verify the signature.

Now my questions are: During the validation, will IDP check that SP's signing cert (non-self-signed) is issued by a trusted root CA ? If yes, where is the truststore so that I could import the root CA cert ? Or the fact that the SP's signing cert is in sp-metadata.xml file (placed under metadata/ in shibboleth IDP's installation directory) is enough of a trust already, and Shibboleth IDP code won't check the issuer and there is no need to import root CA cert ?

Adam Dong
Vidder, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20141126/77ac0a4d/attachment.html 

More information about the users mailing list