SP CredentialResolver locally signed SSL certificate
tom at joinroot.com
Wed Feb 28 16:42:54 EST 2018
> for decrypting encrypted assertions
So it's used when the ExplicitKey trust engine is in use, then? Should I
continue to generate certs for my SPs, then?
Is the usage outlined at
correct that ultimately it's used to ensure the assertions are not modified
in flight, so a self-signed cert is fine?
--Tom Noonan II
On Wed, Feb 28, 2018 at 4:34 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> > - If no TrustEngine is specified the ExplicitKey engine is tried, and
> >   then the PKIX engine
> >   (https://wiki.shibboleth.net/confluence/display/SHIB2/)
> > - The CredentialResolver config is used by the StaticPKIX engine.
> That's how the SP works internally, it has nothing to do with what your key
> is used for. The IdP however has the same logic generally speaking and an
> SP key used for signing is handled the same way. Encryption is something
> else entirely and an SP key is normally used for both (or more accurately
> labeled as both but is in fact used for encryption only as there is no
> substantial use of signing or TLS anymore in the SP as deployed by most).
> > I'm still not clear on how the CredentialResolver certificate is used.
> Signing AuthnRequests, client TLS for attribute queries or artifact
> lookup, and for decrypting encrypted assertions. Only the latter is common.
> -- Scott