Do multiple SPs from the same server each need their own public/private keys?
guillaume.rousse at renater.fr
Fri Aug 17 09:23:05 EDT 2018
On 17/08/2018 at 14:58, Cody Carmichael wrote:
> If I have a software product that runs on a server, and this product
> consists of multiple services that provide their own login to a user,
> does each SP need its own public/private key pair? Like for example, if
> I have the following servers:
> So the first server has the following sources of metadata:
> And the second server would have the same. For each server, does each SP
> need its own unique public cert in its metadata or can the SPs on one
> server share just one public/private key pair?
A SAML certificate is bound to a SAML entity, i.e. a given entityID, not
to a specific SP instance. However, nothing technically prevents you from
sharing the same certificate for multiple entities hosted on the same SP,
or even on different SPs. But using a single certificate also means that
a compromise, or a rollover issue, affects all applications, whereas
using multiple ones would limit the impact.
Also, if you're using specific SAML profiles involving direct IdP/SP
communication, standard TLS constraints apply, and you have to ensure
consistency between the certificate subject and the URLs. If you're sharing a
certificate between multiple applications, that's rather impractical,
even using SubjectAlternativeNames.
Tel: +33 1 53 94 20 45
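The practical check that follows from the reply above is to look at the metadata you actually publish and find out which entityIDs are tied to the same certificate, since that set is the blast radius of one key compromise or one botched rollover. The script below is an added example, not code from the thread or from any SAML product: it parses an EntitiesDescriptor with the standard library, fingerprints every X509Certificate in a KeyDescriptor, and reports certificates bound to more than one entityID. The metadata is constructed to mirror the question (two SPs on one server sharing a key pair, a third with its own); the entityIDs are hypothetical and the certificate values are placeholder base64 blobs rather than real DER certificates, because the check only compares certificates with each other and never validates them.

```python
"""Find SAML SP certificates bound to several entityIDs.

Added example, not from the original thread. The metadata is constructed:
entityIDs are hypothetical and the <ds:X509Certificate> values are
placeholder base64 blobs rather than real DER certificates, since this
check only compares certificates with each other and never validates them.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed scenario from the question: app1 and app2 on one server reuse
# a single key pair, app3 on another server has its own.
SHARED_CERT = base64.b64encode(b"placeholder-cert-shared-by-app1-and-app2").decode()
OWN_CERT = base64.b64encode(b"placeholder-cert-unique-to-app3").decode()


def _entity(entity_id, cert, use="signing"):
    """Minimal SPSSODescriptor with one KeyDescriptor (constructed)."""
    return f"""
  <md:EntityDescriptor entityID="{entity_id}">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="{use}">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {cert}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>"""


METADATA = (
    f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">'
    + _entity("https://app1.example.org/sp", SHARED_CERT)
    + _entity("https://app2.example.org/sp", SHARED_CERT)
    + _entity("https://app3.example.org/sp", OWN_CERT)
    + "\n</md:EntitiesDescriptor>"
)


def cert_fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes. Whitespace inside the
    element text is dropped first, because metadata usually wraps the base64."""
    raw = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(raw).hexdigest()


def cert_sharing(metadata_xml):
    """Map each certificate fingerprint to the sorted entityIDs whose
    KeyDescriptors carry it. Accepts a single EntityDescriptor or an
    EntitiesDescriptor aggregate; a KeyDescriptor without a use attribute
    counts for both signing and encryption and is included like any other."""
    root = ET.fromstring(metadata_xml)
    by_cert = defaultdict(set)
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        for cert in ed.iter(f"{{{DS}}}X509Certificate"):
            by_cert[cert_fingerprint(cert.text)].add(entity_id)
    return {fp: sorted(ids) for fp, ids in by_cert.items()}


def shared_certs(metadata_xml):
    """Certificates bound to more than one entityID: a compromise or a
    rollover mistake on one of these affects every listed entity at once."""
    return [(fp, ids) for fp, ids in cert_sharing(metadata_xml).items()
            if len(ids) > 1]


if __name__ == "__main__":
    for fp, ids in shared_certs(METADATA):
        print(f"certificate {fp[:16]}... is shared by {len(ids)} entities:")
        for eid in ids:
            print("   ", eid)
```

Run it against the metadata you publish to the federation (or the aggregate you pull from it) instead of the constructed `METADATA`; an empty report means each entityID has its own key material, and each line in a non-empty report is a group of applications that must be rolled over together.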