Freshdesk SSO

Nate Klingenstein ndk at internet2.edu
Sun Aug 9 02:02:29 EDT 2015


Brandon,

That helps tremendously. I have been testing with the fingerprint of my encryption certificate. In the service it says the SHA-1 is the encryption and signing certificate.

It’s possible to use different certificates for encryption and signature.  It wasn’t a common case prior to the release of IdPv3, but I think they were probably trying to accommodate that.  As an IdP, your signing certificate is almost always the relevant one.

Does this mean in the metadata I include both xml objects to link signature and encryption as the same values as my X.509 signing certificate?

If I were to guess and reword this as “does this mean that I should enter my signing certificate’s SHA-1 hash into the fields on their webpage”, then I would say yes.  I’m not quite sure how to interpret your question as stated.

In other words, I tell my metadata-less friends about my encryption and signing certificates but they are both actually the cat of my signing certificate.

Well, the hash isn’t just the entire base64-encoded printed raw value.  It’s a specific field.  You can find that field using tools like openssl.

My browser certificate will be different than my IDP certificate. I am behind a load balancer that provides https certs, is this a problem?

No, generally it’s a good thing because it gives you more flexibility in management of each certificate and you won’t need to roll over your IdP certificate with frequency.  It’s a deployment decision, though.

Take care,
Nate.
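An added example, not code from the thread or from Shibboleth, to make concrete what value belongs in an SP's "fingerprint" field: the SHA-1 is computed over the certificate's DER bytes, which is what the base64 inside <ds:X509Certificate> decodes to, not over the base64 text as it appears in the metadata or the PEM file. The metadata and the two "certificates" below are constructed stand-ins (arbitrary bytes, not real X.509), so the fingerprints they produce are only meaningful for comparison. The example also covers the two layouts an IdP's metadata can have: one KeyDescriptor without a use attribute (which advertises the same key for both signing and encryption) and separate signing and encryption KeyDescriptors.

```python
"""SHA-1 fingerprint of a SAML IdP signing certificate, derived from metadata.

Added example, not code from the mailing-list thread or from Shibboleth.
Everything here is constructed: the two DER blobs are arbitrary bytes
standing in for real certificates, so the fingerprints are not those of
any real key.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded certificates (not real X.509).
FAKE_SIGNING_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_ENCRYPTION_DER = b"\x30\x82\x01\x00" + bytes(reversed(range(256)))


def _key_descriptor(der: bytes, use: Optional[str]) -> str:
    """Render one md:KeyDescriptor; use=None means the key serves both roles."""
    attr = f' use="{use}"' if use else ""
    b64 = base64.encodebytes(der).decode()  # line-wrapped, as metadata usually is
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>\n{b64}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


def _metadata(*descriptors: str) -> str:
    """Wrap KeyDescriptors in a minimal IDPSSODescriptor (constructed entityID)."""
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
            'entityID="https://idp.example.edu/idp/shibboleth">'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">'
            + "".join(descriptors) +
            "</md:IDPSSODescriptor></md:EntityDescriptor>")


# Common IdP layout: one KeyDescriptor with no 'use', valid for both roles.
SAMPLE_METADATA_SHARED = _metadata(_key_descriptor(FAKE_SIGNING_DER, None))
# Split layout: separate signing and encryption keys.
SAMPLE_METADATA_SPLIT = _metadata(
    _key_descriptor(FAKE_SIGNING_DER, "signing"),
    _key_descriptor(FAKE_ENCRYPTION_DER, "encryption"),
)


def certs_from_metadata(xml_text: str, use: str) -> List[bytes]:
    """DER bytes of every certificate usable for `use` ('signing'/'encryption').

    A KeyDescriptor without a 'use' attribute applies to both roles.
    """
    root = ET.fromstring(xml_text)
    ders = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        kd_use = kd.get("use")
        if kd_use is not None and kd_use != use:
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Strip the line wrapping, then decode: the hash is over the DER,
            # not over the base64 text as printed in the file.
            ders.append(base64.b64decode("".join(cert.text.split())))
    return ders


def sha1_fingerprint(der: bytes) -> str:
    """Same value `openssl x509 -fingerprint -sha1` prints: SHA-1 over the DER."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def fingerprints(xml_text: str, use: str = "signing") -> List[str]:
    """Fingerprints of all certificates the metadata advertises for `use`."""
    return [sha1_fingerprint(d) for d in certs_from_metadata(xml_text, use)]


def _normalize(fp: str) -> str:
    return fp.replace(":", "").replace(" ", "").upper()


def field_value_matches(candidate: str, xml_text: str, use: str = "signing") -> bool:
    """True if the value typed into an SP's fingerprint field matches a
    certificate the metadata advertises for `use` (colons and case ignored)."""
    return _normalize(candidate) in {_normalize(fp) for fp in fingerprints(xml_text, use)}


if __name__ == "__main__":
    print("shared key, signing:   ", fingerprints(SAMPLE_METADATA_SHARED, "signing"))
    print("shared key, encryption:", fingerprints(SAMPLE_METADATA_SHARED, "encryption"))
    print("split keys, signing:   ", fingerprints(SAMPLE_METADATA_SPLIT, "signing"))
    print("split keys, encryption:", fingerprints(SAMPLE_METADATA_SPLIT, "encryption"))
```

Against a real PEM file (for instance the signing certificate from an IdP's credentials directory), `openssl x509 -in idp-signing.crt -noout -fingerprint -sha1` prints the same colon-separated value `sha1_fingerprint` computes from the decoded `<ds:X509Certificate>` content; hashing the PEM file or the base64 text directly gives a different, wrong value. When the metadata uses the shared layout, the signing and encryption fingerprints are identical, which is the situation the thread describes.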