Cantor, Scott cantor.2 at osu.edu
Thu Sep 4 02:17:13 EDT 2014

On 9/4/14, 3:11 AM, "Lohr, Donald" <lohrda at jmu.edu> wrote:
>Does the vendor support full endpoint-to-endpoint XML (assertion)
>encryption via the use of a certificate model, compatible with the model
>supported by Shibboleth?

We don't have our own model for this, it's simply required by SAML
implementations. All standard. Just for the record. When communicating
with vendors, it's usually best to not even mention Shibboleth at all
because it biases them with excuses about how we must be doing
non-standard things.

>For starters, my Shibboleth 2.x knowledge is very limited, I'm a newby.
>The above question is from a previous Shibboleth admin. I do not fully
>understand this question we asked
> the integrator.

SAML long ago deprecated the back-channel as an exchange path. Your
assertion travels from the IdP through the browser to the SP. The data
there is readable. XML Encryption makes it much harder to read if there's
malware in the client.

>My question for the group, does Shibboleth 2.x support x509 signature and
>certificate validation.

Yes, but the IdP isn't validating the signature, it's creating it. And you
don't want the vendor doing X.509 anything, you want them pulling the key
out of the certificate you give them or from the metadata if by some
miracle they support metadata, and using that directly. The workaround for
them not doing that is using long-lived certificates that are self-signed
to prevent mistakes.

-- Scott

More information about the users mailing list