ndk at internet2.edu
Sun Aug 9 02:02:29 EDT 2015
> That helps tremendously. I have been testing with the fingerprint of my encryption certificate. In the service it says the SHA-1 is the encryption and signing certificate.
It’s possible to use different certificates for encryption and signature. It wasn’t a common case prior to the release of IdPv3, but I think they were probably trying to accommodate that. As an IdP, your signing certificate is almost always the relevant one.
> Does this mean in the metadata I include both xml objects to link signature and encryption as the same values as my X.509 signing certificate?
If I were to guess and reword this as “does this mean that I should enter my signing certificate’s SHA-1 hash into the fields on their webpage”, then I would say yes. I’m not quite sure how to interpret your question as stated.
> In other words, I tell my metadata-less friends about my encryption and signing certificates but they are both actually the cat of my signing certificate.
Well, the hash isn’t just the entire base64-encoded printed raw value. It’s a specific field. You can find that field using tools like openssl.
> My browser certificate will be different than my IDP certificate. I am behind a load balancer that provides https certs, is this a problem?
No, generally it’s a good thing because it gives you more flexibility in management of each certificate and won’t need to roll over your IdP certificate with frequency. It’s a deployment decision, though.
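Added example (not part of the thread): the fingerprint a metadata-less partner asks for is a digest over the decoded DER bytes of the certificate, not over the base64 text printed in metadata. Assuming the IdP publishes its certificate in standard `<md:KeyDescriptor>` elements, this script pulls each certificate out of the metadata and prints the SHA-1 fingerprint in openssl's colon-separated form; the certificate bytes and the metadata document are constructed stand-ins.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the DER bytes of an IdP signing certificate.
# A real <ds:X509Certificate> holds the base64 of a genuine DER certificate.
FAKE_DER = b"constructed-der-certificate-bytes-not-a-real-x509-cert"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed IdP metadata: one certificate published for both uses, as in the thread.
METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{FAKE_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(b64_cert: str, algo: str = "sha1") -> str:
    """Fingerprint of a certificate given as base64 DER (the <ds:X509Certificate> text).

    The digest is computed over the decoded DER bytes, never over the base64 text,
    and formatted the way openssl prints it: uppercase hex pairs joined by colons.
    """
    der = base64.b64decode("".join(b64_cert.split()))  # metadata wraps base64 across lines
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificate_fingerprints(metadata_xml: str, algo: str = "sha1") -> dict:
    """Map each KeyDescriptor use (signing/encryption; a missing use means both) to fingerprints."""
    root = ET.fromstring(metadata_xml)
    out = {"signing": [], "encryption": []}
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            fp = fingerprint(cert.text, algo)
            for use in uses:
                out[use].append(fp)
    return out


if __name__ == "__main__":
    fps = certificate_fingerprints(METADATA)
    print("signing   :", fps["signing"])
    print("encryption:", fps["encryption"])
    # Hashing the base64 text itself yields a different value that no partner will match.
    print("wrong (hash of base64 text):", hashlib.sha1(FAKE_B64.encode()).hexdigest().upper())
```

Compare the printed value against `openssl x509 -noout -fingerprint -sha1 -in idp-signing.crt`; both are digests of the same DER bytes.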