Lohr, Donald lohrda at jmu.edu
Thu Sep 4 10:26:58 EDT 2014

Again, out of my ignorance.

This SP is not an InCommon metadata participating member.

Does my IdP have a "full endpoint-to-endpoint XML (assertion) 
encryption" relationship with the InCommon SPs that we currently use, 
without me doing much of anything on my end?


On 09/04/2014 02:17 AM, Cantor, Scott wrote:
> On 9/4/14, 3:11 AM, "Lohr, Donald" <lohrda at jmu.edu> wrote:
>> Does the vendor support full endpoint-to-endpoint XML (assertion)
>> encryption via the use of a certificate model, compatible with the model
>> supported by Shibboleth?
> We don't have our own model for this, it's simply required by SAML
> implementations. All standard. Just for the record. When communicating
> with vendors, it's usually best to not even mention Shibboleth at all
> because it biases them with excuses about how we must be doing
> non-standard things.
>> For starters, my Shibboleth 2.x knowledge is very limited, I'm a newbie.
>> The above question is from a previous Shibboleth admin. I do not fully
>> understand this question we asked the integrator.
> SAML long ago deprecated the back-channel as an exchange path. Your
> assertion travels from the IdP through the browser to the SP. The data
> there is readable. XML Encryption makes it much harder to read if there's
> malware in the client.
>> My question for the group, does Shibboleth 2.x support x509 signature and
>> certificate validation?
> Yes, but the IdP isn't validating the signature, it's creating it. And you
> don't want the vendor doing X.509 anything, you want them pulling the key
> out of the certificate you give them or from the metadata if by some
> miracle they support metadata, and using that directly. The workaround for
> them not doing that is using long-lived certificates that are self-signed
> to prevent mistakes.
> -- Scott

D o n a l d   L o h r

i n f o r m a t i o n   s y s t e m s
j a m e s   m a d i s o n   u n i v e r s i t y

5 4 0 . 5 6 8 . 3 7 3 0
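
The key-based trust Scott describes in the quoted reply (use the key from the certificate directly instead of doing X.509 validation), as an added example that is not part of the original thread and is not Shibboleth code. The function names and the sample certificates are hypothetical; the samples are constructed cert-shaped DER with dummy key bytes.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def spki_der(cert):
    """Return the raw SubjectPublicKeyInfo of a DER-encoded X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)           # outer Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, pos)   # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:                    # walk the tbsCertificate fields in order
        tag, _, end = read_tlv(cert, pos)
        fields.append((tag, pos, end))
        pos = end
    # version [0] is optional, so the key is the 7th field in v3 and the 6th in v1
    _, start, end = fields[6 if fields[0][0] == 0xA0 else 5]
    return cert[start:end]

def key_pin(cert):
    """SHA-256 over the public key only; issuer, validity and signature are ignored."""
    return hashlib.sha256(spki_der(cert)).hexdigest()

# --- constructed sample input: cert-shaped DER with dummy key bytes, not real certificates ---
def tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(key_bytes, not_after):
    def seq(*parts):
        return tlv(0x30, b"".join(parts))
    alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
    spki = seq(alg, tlv(0x03, b"\x00" + key_bytes))
    validity = seq(tlv(0x17, b"140101000000Z"), tlv(0x17, not_after))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, seq(), validity, seq(), spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" + bytes(8)))

OLD = sample_cert(b"\x11" * 160, b"150101000000Z")      # expired copy held by the SP
RENEWED = sample_cert(b"\x11" * 160, b"340101000000Z")  # same key, new validity period
OTHER = sample_cert(b"\x22" * 160, b"340101000000Z")    # different key
```

A relying party that compares `key_pin` values keeps trusting the same key across a certificate reissue or expiry and rejects any other key, which is why certificate lifetime only matters to software that insists on validating it.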
