ndk at internet2.edu
Sat Aug 8 20:57:32 EDT 2015
Generally, you wouldn’t modify your metadata or perform any algorithm over your metadata. I would presume that they’re asking for the SHA-1 fingerprint of your IdP’s X.509 signing certificate as registered with federated partners. You just need to pull the proper certificate out of your metadata and parse out the SHA-1 fingerprint therein for your metadata-less friends here.
The raw certificate data is placed in the metadata directly with standard base64 encoding. Grab that data, and check what the embedded hash is. You can find your certificate’s hashes using openssl’s command line tools, or any number of other tools. Basically, cat it out, adorn it with the sacred BEGIN CERTIFICATE and END CERTIFICATE, and then run whatever tool you’d like(e.g. openssl x509 -in certificate.crt -text -noout). You can also just find it in your web browser if it’s the same as your user-facing TLS certificate.
Hope this helps,
> On Aug 8, 2015, at 5:54 PM, Martin, Brandon L <martinb at psd401.net> wrote:
> Thank you for the advice. That was as my initial course of action, but I didn't understand why I was still having issues. Their admin interface accepts a SHA-1 fingerprint from your identity provider. When I use the XML metadata I created, I get the error the fingerprint didn't match. The certificate in the metadata should be generated from the SHA-1 fingerprint I give to my party?
> Brandon Martin
> Data Integration Analyst
> Peninsula School District Tech Support
> Phone: (253) 530-3712
> On Aug 8, 2015, at 4:22 PM, Nate Klingenstein <ndk at internet2.edu> wrote:
>> You’ll probably want to mock up a metadata entry on their behalf and load it into your SP. Changes to the anonymous relying party behavior can result in an extremely promiscuous IdP.
>> You might find the annotated example SP here to be useful as a starting point:
>> Hope this helps,
>>> On Aug 8, 2015, at 4:59 PM, Martin, Brandon L <martinb at psd401.net> wrote:
>>> Hello again Shibboleth users,
>>> I am working with Freshdesk as an SSO party. They don't provide a metadata file, so I am under the impression they need to be setup as an AnonymousRelyingParty. I found the following code to setup an anonymous party, but it looks to be Shibboleth V2. I've read through UpgradingFromV2 but I still do not understand the conversion and am having a hard time finding examples.
>>> <AnonymousRelyingParty provider="https://psdts.freshdesk.com/login/saml"
>>> defaultSigningCredentialRef="IdPCredential" />
>>> <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
>>> Is this possible in Shibboleth V3?
>>> Thank you
>>> Brandon Martin
>>> martinb at psd401.net
>>> Peninsula School District
>>> Data Integration Analyst
>>> Ext: 3712
>>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users