Use different SigningCredential per Service Provider

Klingenstein, Nate nklingenstein at calstate.edu
Sun Jan 15 22:06:44 EST 2017


??,

I think you understand the reasons why multiple signing credentials are bad: the exact situation that you're in right now.  Scott was just trying to warn you to prevent you from ending up in that situation.

Since you're already in that bad situation, let's help you out of it.  You'll need to do 3 major things:

1)  Create special signing credentials bean in credentials.xml
2)  Define a special Security Configuration that points to that bean
3)  Refer to that Security Configuration from a RelyingPartyByName Override

See particularly per-profile Credential in Signing and Encryption Configuration here:

https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration

Obviously, in the future, you'll want to consolidate your keypair and other credential usage to the extent possible.

???????????,
Nate.
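
The three steps listed above could be wired up roughly as follows. This is an added sketch, not part of the original message and not the Shibboleth project's shipped configuration. The `custom.*` bean ids, the SP entityID and the key/certificate paths are hypothetical placeholders; verify the parent bean names against the SecurityConfiguration wiki page linked above for your IdP V3 release.

```xml
<!-- 1) conf/credentials.xml: the additional signing key pair.
        Modeled on the stock shibboleth.DefaultSigningCredential bean;
        the id and file paths are hypothetical. -->
<bean id="custom.SigningCredential"
      class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
      p:privateKeyResource="%{idp.home}/credentials/legacy-sp-signing.key"
      p:certificateResource="%{idp.home}/credentials/legacy-sp-signing.crt"
      p:entityId="%{idp.entityID}" />

<!-- 2) conf/relying-party.xml: a signing configuration that uses only the
        credential above, wrapped in a security configuration that inherits
        every other setting (encryption, trust engines) from the default. -->
<bean id="custom.SigningConfiguration"
      parent="shibboleth.SigningConfiguration.SHA256">
    <property name="signingCredentials">
        <list>
            <ref bean="custom.SigningCredential" />
        </list>
    </property>
</bean>

<bean id="custom.SecurityConfiguration"
      parent="shibboleth.DefaultSecurityConfiguration"
      p:signatureSigningConfiguration-ref="custom.SigningConfiguration" />

<!-- 3) conf/relying-party.xml: the override that applies the security
        configuration to one SP only (entityID is a placeholder). -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://legacy-sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:securityConfiguration-ref="custom.SecurityConfiguration" />
            </list>
        </property>
    </bean>
</util:list>
```

An override replaces the default profile list for that SP, so every profile the SP actually uses needs its own entry carrying the same `p:securityConfiguration-ref`. The SP's copy of the IdP metadata has to contain the certificate that matches the key referenced in step 1.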

On 01/16/2017 02:49 AM, ???? wrote:
Hi

I appreciate your reply.

In this case, I must migrate Shibboleth idp V2 to V3.
(Currently Shibboleth idp v2 is in use)

Because multiple signing credentials are now in use in Shibboleth idp v2, I must migrate these settings to v3.

If multiple signing credentials are not migrated to v3, the impact is large because changing the metadata of some SPs is needed.

Could you tell me how I can use a different SigningCredential per Service Provider?


2017-01-11 1:34 GMT+09:00 Cantor, Scott <cantor.2 at osu.edu>:
On 1/10/17, 11:20 AM, "users on behalf of ????" <users-bounces at shibboleth.net on behalf of ntakei at sios.com> wrote:

> I could not find the solution in Shibboleth Wiki.

It's in the SecurityConfiguration topic. It is fairly complex to wire up, and this is something you should strongly reconsider doing in most cases, it's not a good idea. It usually reflects a lack of understanding by somebody somewhere. It's critically important to push back on requirements dictated by people who don't know what they're doing or why.

-- Scott

