SP CredentialResolver locally signed SSL certificate

Cantor, Scott cantor.2 at osu.edu
Wed Feb 28 16:34:33 EST 2018

> - If no TrustEngine is specified the ExplicitKey engine is tried, and then the
> PKIX engine (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTrustEngine)
> - The CredentialResolver config is used by the StaticPKIX engine.

That's how the SP works internally; it has nothing to do with what your key is used for. The IdP, however, has the same logic generally speaking, and an SP key used for signing is handled the same way. Encryption is something else entirely, and an SP key is normally used for both (or, more accurately, is labeled as both but is in fact used for encryption only, as there is no substantial use of signing or TLS anymore in the SP as deployed by most).

> I'm still not clear on how the CredentialResolver certificate is used.

Signing AuthnRequests, client TLS for attribute queries or artifact lookup, and for decrypting encrypted assertions. Only the latter is common anymore.

-- Scott
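An added example, not code from this thread or from the Shibboleth project, that follows Scott's answer: it builds a self-signed SP key pair of the kind a File CredentialResolver loads, checks that key and certificate belong together, and demonstrates the one use that is still common, decrypting what an IdP encrypted to the SP certificate. The file paths, the subject name and the sample payload are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed SP credential, key/cert pairing
# check, and the decryption role of the CredentialResolver key. Paths, subject and
# payload are constructed for the demo.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/sp-key.pem"
CERT="$WORK/sp-cert.pem"
OTHER_KEY="$WORK/other-key.pem"   # an unrelated key, used to show a mismatch

# The SP certificate only has to be self-signed: the IdP trusts it because it
# appears in the SP's metadata, not because a CA issued it.
make_sp_credential() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=sp.example.org" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$OTHER_KEY" >/dev/null 2>&1
}

# "match" when certificate and private key carry the same public key; the first
# thing to verify when the SP will not load its CredentialResolver.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# The common use today: the IdP encrypts to the certificate from SP metadata and
# the SP decrypts with the private key. Real SAML wraps a symmetric key with
# RSA-OAEP inside an EncryptedAssertion; only that RSA step is shown here, with a
# constructed payload standing in for the wrapped key.
encrypt_to_cert() {
    printf '%s' "$2" | openssl pkeyutl -encrypt -certin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -out "$WORK/ct.bin"
}

# Prints the recovered payload, or "rejected" when the key is not the matching one.
decrypt_with_key() {
    openssl pkeyutl -decrypt -inkey "$1" -in "$WORK/ct.bin" \
        -pkeyopt rsa_padding_mode:oaep 2>/dev/null || echo rejected
}

make_sp_credential
check_pair "$CERT" "$KEY"          # match
check_pair "$CERT" "$OTHER_KEY"    # mismatch
encrypt_to_cert "$CERT" "constructed-wrapped-key"
decrypt_with_key "$KEY"; echo      # constructed-wrapped-key
decrypt_with_key "$OTHER_KEY"      # rejected
```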
