updating SP's signing cert in metadata

Tom Scavo trscavo at gmail.com
Fri Oct 13 11:18:02 EDT 2017

On Fri, Oct 13, 2017 at 5:13 AM, Peter Schober
<peter.schober at univie.ac.at> wrote:
> * IAM David Bantz <dabantz at alaska.edu> [2017-10-12 20:45]:
>> metadata markup says the cert is for signing; can I rely on that?
> Well, you could check if their messages are in fact signed.

It's not that simple. A KeyDescriptor with use="signing" is used for
authentication at the TLS layer as well. For example, if the SP
metadata contains an AssertionConsumerService endpoint that supports
the HTTP-Artifact binding, a "signing" certificate is needed to
resolve an artifact at the IdP.


More information about the users mailing list