users Digest, Vol 77, Issue 113

Cheltenham, Chris ccheltenham-ext at philasd.org
Wed Nov 29 10:54:06 EST 2017


All the certs are different, yes.
And I would assume it is the one generated by the Shib 3.2.1 install.


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of
users-request at shibboleth.net
Sent: Wednesday, November 29, 2017 10:37 AM
To: users at shibboleth.net
Subject: users Digest, Vol 77, Issue 113

Send users mailing list submissions to
	users at shibboleth.net

To subscribe or unsubscribe via the World Wide Web, visit
	http://shibboleth.net/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
	users-request at shibboleth.net

You can reach the person managing the list at
	users-owner at shibboleth.net

When replying, please edit your Subject line so it is more specific than
"Re: Contents of users digest..."


Today's Topics:

   1. Re: SHib 3.2.1 (Peter Schober)
   2. RE: users Digest, Vol 77, Issue 112 (Cheltenham, Chris)
   3. Re: Load Balancing Shibboleth (Peter Schober)
   4. Re: Load Balancing Shibboleth (Cantor, Scott)


----------------------------------------------------------------------

Message: 1
Date: Wed, 29 Nov 2017 15:41:25 +0100
From: Peter Schober <peter.schober at univie.ac.at>
To: users at shibboleth.net
Subject: Re: SHib 3.2.1
Message-ID: <20171129144125.x27wueociwrtbm5s at aco.net>
Content-Type: text/plain; charset=us-ascii

* Cheltenham, Chris <ccheltenham-ext at philasd.org> [2017-11-29 15:23]:
> Does anyone know why there are multiple certificates in our metadata?
> 
> There are 5 to be exact

They're not /all/ different, though, right?

-peter


------------------------------

Message: 2
Date: Wed, 29 Nov 2017 09:47:11 -0500 (EST)
From: "Cheltenham, Chris" <ccheltenham-ext at philasd.org>
To: <users at shibboleth.net>
Subject: RE: users Digest, Vol 77, Issue 112
Message-ID: <007601d36920$f024cd50$d06e67f0$@philasd.org>
Content-Type: text/plain;	charset="us-ascii"

Hello,

I apologize.


> Which metadata? A meaningless file on disk? Metadata registered with a
> federation? Metadata some partner has loaded?

Answer - I am referring to OUR IDP metadata that we give to the SP's.



===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of
users-request at shibboleth.net
Sent: Wednesday, November 29, 2017 9:35 AM
To: users at shibboleth.net
Subject: users Digest, Vol 77, Issue 112


Today's Topics:

   1. SHib 3.2.1 (Cheltenham, Chris)
   2. Re: SHib 3.2.1 (Cantor, Scott)
   3. Re: SHib 3.2.1 (Tom Scavo)


----------------------------------------------------------------------

Message: 1
Date: Wed, 29 Nov 2017 09:22:17 -0500 (EST)
From: "Cheltenham, Chris" <ccheltenham-ext at philasd.org>
To: <users at shibboleth.net>
Subject: SHib 3.2.1
Message-ID: <005001d3691d$75a4f7b0$60eee710$@philasd.org>
Content-Type: text/plain; charset="us-ascii"



Hello,

I inherited a Shib environment and don't know a whole lot about it.

It's Shib 3.2.1.

Does anyone know why there are multiple certificates in our metadata?

There are 5 to be exact.

They are all labeled key descriptor.

Like this:

<KeyDescriptor use="signing">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            </ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</KeyDescriptor>


Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571 


------------------------------

Message: 2
Date: Wed, 29 Nov 2017 14:34:03 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: SHib 3.2.1
Message-ID: <2F4C3CBC-1CA7-4732-9EC1-27B91C049882 at osu.edu>
Content-Type: text/plain; charset="utf-8"

On 11/29/17, 9:22 AM, "users on behalf of Cheltenham, Chris"
<users-bounces at shibboleth.net on behalf of ccheltenham-ext at philasd.org>
wrote:

> Does anyone know why there are multiple certificates in our metadata?

Which metadata? A meaningless file on disk? Metadata registered with a
federation? Metadata some partner has loaded?

Metadata has to be given to other partners via a variety of
good/bad/secure/insecure practices ranging from federations like InCommon
to the absolute "never do this" approach of pointing people at unsigned
metadata coming out of the IdP.

There are different keys used for different functions, not all of which
are needed or may be in use. The only near certainty is that you have a
signing key being used and the metadata has to contain it. That assumes
you're actually using one and only one for all partners.

And then there's key rollover and the possibility of pre-communicating
keys before they're put into use.

[1] is the summary of all of this.

Your first step is to read the documentation so you have an understanding
of what all the keys are and are used for, and compare them to what's in
the metadata, but before you can even do that, you have to know how your
metadata is actually communicated to all of your partners. And none of
them should involve any file the IdP generated and if they do, you should
fix that as part of cleaning up this mess. 

-- Scott

[1]
https://wiki.shibboleth.net/confluence/display/IDP30/SecurityAndNetworking



------------------------------

Message: 3
Date: Wed, 29 Nov 2017 09:35:06 -0500
From: Tom Scavo <trscavo at gmail.com>
To: Shib Users <users at shibboleth.net>
Subject: Re: SHib 3.2.1
Message-ID: <CAEtu=dPQ76uw3OEyCYL3CT7TrD0w3XGeumCjKSMg2Y6-dtFYFw at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

On Wed, Nov 29, 2017 at 9:22 AM, Cheltenham, Chris
<ccheltenham-ext at philasd.org> wrote:
>
> Does anyone know why there are multiple certificates in our metadata?

Who knows? They are probably left over from incomplete or failed key
rollover attempts.

> There are 5 to be exact

You don't need that many in any case.

> They are all labeled key descriptor.
>
> <KeyDescriptor use="signing">

The first thing you need to do is determine which of the certificates in
metadata correspond to your private SAML signing key. The rest are
superfluous (assuming your SP partners have the most recent copy of your
metadata).

Is there some reason why your metadata is not published in InCommon?
That would help prevent the situation you're in.

You should start by reading section "Keys and Certificates" in this wiki
page:

SecurityAndNetworking
https://wiki.shibboleth.net/confluence/x/VoEOAQ

HTH,

Tom


------------------------------

Subject: Digest Footer

--
For Consortium Member technical support, see
https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to
users-unsubscribe at shibboleth.net

------------------------------

End of users Digest, Vol 77, Issue 112
**************************************


------------------------------

Message: 3
Date: Wed, 29 Nov 2017 16:28:12 +0100
From: Peter Schober <peter.schober at univie.ac.at>
To: users at shibboleth.net
Subject: Re: Load Balancing Shibboleth
Message-ID: <20171129152812.6hddpotv7tc6xbr7 at aco.net>
Content-Type: text/plain; charset=us-ascii

* Cantor, Scott <cantor.2 at osu.edu> [2017-11-27 19:20]:
> given that I won't be monitoring this list much or at all soon.

I hope the wider community is aware of this and will massively step up
their/our collective support efforts, answering questions, sharing Best
Practice examples (on the list and in the wiki), etc.

Either way I fear this list will be pretty much useless soon.

(Formal support via tickets for paying consortium members is fine for some
use cases I guess, not so much for general discussion of features and
approaches. As it is the software already has [too] many advanced features
that far too few people know how to use, IMHO.)

Anyway, we'll see.
-peter


------------------------------

Message: 4
Date: Wed, 29 Nov 2017 15:36:46 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: Load Balancing Shibboleth
Message-ID: <D38EEF10-56FB-4BD1-B652-2E373BA6DF46 at osu.edu>
Content-Type: text/plain; charset="utf-8"

On 11/29/17, 10:28 AM, "users on behalf of Peter Schober"
<users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at>
wrote:

> Either way I fear this list will be pretty much useless soon.

Well, what I would personally advise is that people focus on answering
good questions and not much on coddling consultants who think they're owed
a total handholding experience, but people will have to make their own
calls on that.

I should have stated more precisely that I probably will continue to
monitor for questions that I think are reasonably important and worth
answering, but I won't be answering questions I think the documentation
answers or that have nothing to do with Shibboleth. And I definitely won't
respond to anything that relates to unsupported versions of the software.

But it's going to take time for me to find a balance that makes sense. The
plain fact is that people value that support and are paying for it, so for
now at least, this change did what it was meant to do to ensure a more
stable future.

> (Formal support via tickets for paying consortium members is fine for
> some use cases I guess, not so much for general discussion of features
> and approaches. As it is the software already has [too] many advanced
> features that far too few people know how to use, IMHO.)

Those are the kinds of things I probably will be willing to address at
least briefly, and it's also why we created the Slack option for members.
Also, I would much rather see How To pages in the wiki that address the
more advanced options. And I'll try and use some of the extra time to
clean some of those up (e.g. the ECP material that was put there that's
completely wrong).

-- Scott



------------------------------

End of users Digest, Vol 77, Issue 113
**************************************
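Tom's and Peter's suggestions in the thread above (work out which of the five
certificates actually correspond to the IdP's signing key, and whether they are
really all different) can be checked mechanically rather than by eyeballing
base64. The script below is an added example, not code from the list or from
the Shibboleth project: it fingerprints every <ds:X509Certificate> under a
<KeyDescriptor>, folds duplicates (IdP metadata normally repeats the same
certificates under IDPSSODescriptor and AttributeAuthorityDescriptor), and
compares the result with the certificates the IdP is configured to use. The
sample metadata and the "certificates" inside it are constructed placeholders
(the script only hashes the bytes, so real base64 DER behaves the same), and
the credential file names idp-signing.crt / idp-encryption.crt are assumed from
a default IdP 3 install layout; feed it your own metadata and credentials/
files to get a real answer.

```python
"""Inventory the certificates in SAML IdP metadata and reconcile them with the
certificates the IdP is actually configured to use (example code, stdlib only)."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor", "SPSSODescriptor")


def pem_to_der(text):
    """Accept PEM armor or the bare base64 found in <ds:X509Certificate>; return DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()))


def fingerprint(der):
    """SHA-256 of the DER bytes: the same digits `openssl x509 -noout -fingerprint
    -sha256` prints, without the colons, so it can be compared by hand."""
    return hashlib.sha256(der).hexdigest()


def inventory(metadata_xml):
    """Yield (role, use, fingerprint) for every certificate in every KeyDescriptor."""
    root = ET.fromstring(metadata_xml)
    for el in root.iter():
        role = el.tag.rsplit("}", 1)[-1]                # strip the namespace
        if role not in ROLES:
            continue
        for kd in el.findall("md:KeyDescriptor", NS):
            use = kd.get("use", "signing+encryption")  # no 'use' attribute = both
            for cert in kd.findall(".//ds:X509Certificate", NS):
                yield role, use, fingerprint(pem_to_der(cert.text or ""))


def reconcile(metadata_xml, local_certs, signing_label="idp-signing.crt"):
    """local_certs maps a label (the file under credentials/) to PEM text.
    Reports which metadata certs are in use, which are unexplained (rollover
    leftovers?), which local certs are not published at all, and whether the
    signing cert is published with a 'use' that permits signature validation."""
    local_fp = {fingerprint(pem_to_der(pem)): label for label, pem in local_certs.items()}
    seen = defaultdict(list)
    for role, use, fp in inventory(metadata_xml):
        seen[fp].append((role, use))
    sig_fps = [fp for fp, label in local_fp.items() if label == signing_label]
    return {
        "total": sum(len(v) for v in seen.values()),
        "distinct": len(seen),
        "matched": {local_fp[fp]: locs for fp, locs in seen.items() if fp in local_fp},
        "unknown": {fp: locs for fp, locs in seen.items() if fp not in local_fp},
        "missing": sorted(label for fp, label in local_fp.items() if fp not in seen),
        "signing_published": any("signing" in use for fp in sig_fps
                                 for _, use in seen.get(fp, [])),
    }


# ---- constructed sample input (placeholders, not real X.509) ----------------
def _fake_cert(tag):
    return base64.b64encode(("constructed-placeholder-cert-" + tag).encode()).decode()


def _pem(b64):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


CERT_CURRENT, CERT_OLD, CERT_ENC = map(_fake_cert, ("signing-2017", "signing-2015", "encryption"))


def _kd(use, b64):
    return ('<KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n%s\n'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>' % (use, b64))


# Five KeyDescriptors, three distinct certs: current signing, a stale signing cert
# left from an old rollover, and encryption; the AA role repeats two of them.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    %s
    %s
    %s
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    %s
    %s
  </AttributeAuthorityDescriptor>
</EntityDescriptor>""" % (_kd("signing", CERT_CURRENT), _kd("signing", CERT_OLD),
                          _kd("encryption", CERT_ENC), _kd("signing", CERT_CURRENT),
                          _kd("encryption", CERT_ENC))

# What the IdP is configured to use (assumed default file names under credentials/).
LOCAL_CERTS = {"idp-signing.crt": _pem(CERT_CURRENT), "idp-encryption.crt": _pem(CERT_ENC)}

if __name__ == "__main__":
    r = reconcile(SAMPLE_METADATA, LOCAL_CERTS)
    print("%d KeyDescriptor certs, %d distinct" % (r["total"], r["distinct"]))
    for label, locs in r["matched"].items():
        print("in use    %-20s %s" % (label, locs))
    for fp, locs in r["unknown"].items():
        print("unknown   sha256=%s... %s  (rollover leftover? confirm before removing)" % (fp[:16], locs))
    if r["missing"] or not r["signing_published"]:
        print("NOT PUBLISHED: %s  signing usable: %s" % (r["missing"], r["signing_published"]))
```

Anything reported as "unknown" is a candidate for removal, but only after
confirming every partner has the current metadata, as Tom notes; a partner
still holding a copy that only lists the stale certificate will start failing
the moment you sign with a key it has never seen. The opposite case, the
signing certificate reported as not published (or published only with
use="encryption"), is the one that breaks logins outright, since an SP cannot
validate an assertion signed with a key its copy of the metadata does not
authorise for signing. Note also that the fingerprint alone says nothing about
which file holds the matching private key; that still has to be checked against
the IdP's configured credentials.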