Do multiple SPs from the same server each need their own public/private keys?
Guillaume Rousse
guillaume.rousse at renater.fr
Fri Aug 17 09:23:05 EDT 2018
On 17/08/2018 at 14:58, Cody Carmichael wrote:
> If I have a software product that runs on a server, and this product
> consists of multiple services that provide their own login to a user,
> does each SP need its own public/private key pair? Like for example, if
> I have the following servers:
>
> https://mySP.awesome.net
> https://myOtherSP.awesome.net
>
>
> So the first server has the following sources of metadata:
>
> https://mySP.awesome.net/rest/v2/sso/messege/shibboleth/metadata
> https://mySP.awesome.net/rest/v2/sso/admin/shibboleth/metadata
> https://mySP.awesome.net/rest/v2/sso/mobileclient/shibboleth/metadata
> https://mySP.awesome.net/rest/v2/sso/othermobileclient/shibboleth/metadata
>
>
> And the second server would have the same. For each server, does each SP
> need its own unique public cert in its metadata or can the SPs on one
> server share just one public/private key pair?
A SAML certificate is bound to a SAML entity, i.e. a given entityID, not
to a specific SP instance. However, nothing technically prevents you from
sharing the same certificate for multiple entities hosted on the same SP,
or even on different SPs. But using a single certificate also means that
a compromise, or a rollover issue, affects all applications, whereas
using multiple ones would limit the impact.
Also, if you're using specific SAML profiles involving direct IdP/SP
communications, standard TLS constraints apply, and you have to ensure
consistency between certificate subject and URLs. If you're sharing a
certificate between multiple applications, that's rather impractical,
even using SubjectAlternativeNames.
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr
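The blast-radius point in the reply (one key pair shared by several entityIDs means one compromise or one botched rollover hits all of them) is easy to audit from the metadata itself. The script below is an added example, not code from this thread or from the Shibboleth project: it parses SP metadata documents, takes the SHA-256 fingerprint of each published X509Certificate, and lists the entityIDs that share a certificate. The metadata documents, entityIDs and certificate blobs are constructed inline (the blobs are placeholder bytes, not real DER certificates), so it runs offline; point `shared_certificates()` at the real documents fetched from your own `/shibboleth/metadata` endpoints to get the actual picture.

```python
"""Audit which SAML SP entities publish the same certificate in their metadata.

Added example (not from the mailing-list thread or the Shibboleth project).
The three metadata documents below are constructed for this example and the
X509Certificate values are placeholder blobs, not real DER certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder "DER" bytes standing in for two distinct certificates.
CERT_A_DER = b"placeholder DER bytes for certificate A (constructed)"
CERT_B_DER = b"placeholder DER bytes for certificate B (constructed)"


def metadata_doc(entity_id, cert_der):
    """Build a minimal SP EntityDescriptor with one KeyDescriptor (constructed)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        f'entityID="{entity_id}">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


# Constructed sample: two entities on the same host share certificate A,
# a third entity on another host has its own certificate B.
SAMPLE_METADATA = [
    metadata_doc("https://mySP.awesome.net/sso/messege", CERT_A_DER),
    metadata_doc("https://mySP.awesome.net/sso/admin", CERT_A_DER),
    metadata_doc("https://myOtherSP.awesome.net/sso/admin", CERT_B_DER),
]


def fingerprint(cert_der):
    """SHA-256 fingerprint (hex) of the raw certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def entity_certificates(xml_text):
    """Yield (entityID, fingerprint) for every X509Certificate in the document.

    Handles both a single EntityDescriptor and an EntitiesDescriptor aggregate.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        entities = [root]
    else:
        entities = root.iterfind(".//md:EntityDescriptor", NS)
    for entity in entities:
        entity_id = entity.get("entityID")
        for cert in entity.iterfind(".//md:KeyDescriptor//ds:X509Certificate", NS):
            # Metadata often wraps the base64 across lines; strip all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            yield entity_id, fingerprint(der)


def shared_certificates(docs):
    """Map fingerprint -> sorted entityIDs for certificates used by more than one entity."""
    by_fp = defaultdict(set)
    for xml_text in docs:
        for entity_id, fp in entity_certificates(xml_text):
            by_fp[fp].add(entity_id)
    return {fp: sorted(ids) for fp, ids in by_fp.items() if len(ids) > 1}


if __name__ == "__main__":
    shared = shared_certificates(SAMPLE_METADATA)
    if not shared:
        print("No certificate is shared between entities.")
    for fp, ids in shared.items():
        print(f"certificate sha256:{fp[:16]}... is shared by {len(ids)} entities:")
        for entity_id in ids:
            print(f"  {entity_id}")
```

Each group in the output is one rollover unit and one compromise domain: every entityID listed under a fingerprint has to be re-registered at the IdP together when that key changes, and all of them are exposed if its private key leaks. An empty result is the per-entity layout the reply recommends.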