SP CredentialResolver locally signed SSL certificate
Tom Noonan
tom at joinroot.com
Wed Feb 28 16:42:54 EST 2018
> for decrypting encrypted assertions
So it's used when the ExplicitKey trust engine is in use, then? Should I
continue to generate certs for my SPs, then?
Is the usage outlined at
https://stackoverflow.com/questions/8276233/is-it-recommended-to-sign-and-encrypt-saml-and-use-ssl
correct that ultimately it's used to ensure the assertions are not modified
in flight, so a self-signed cert is fine?
--Tom Noonan II
On Wed, Feb 28, 2018 at 4:34 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> > - If no TrustEngine is specified the ExplicitKey engine is tried, and then the
> > PKIX engine
> > (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPTrustEngine)
> > - The CredentialResolver config is used by the StaticPKIX engine.
>
> That's how the SP works internally, it has nothing to do with what your key
> is used for. The IdP however has the same logic generally speaking and an
> SP key used for signing is handled the same way. Encryption is something
> else entirely and an SP key is normally used for both (or more accurately
> labeled as both but is in fact used for encryption only as there is no
> substantial use of signing or TLS anymore in the SP as deployed by most).
>
> > I'm still not clear on how the CredentialResolver certificate is used.
>
> Signing AuthnRequests, client TLS for attribute queries or artifact
> lookup, and for decrypting encrypted assertions. Only the latter is common
> anymore.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
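Worked example added to this archived thread (not code from either poster or from the Shibboleth project): a plain `openssl` script that generates the kind of self-signed SP credential Scott describes and then checks the two things a deployer actually cares about. Under ExplicitKey trust the IdP matches the exact public key published in the SP's metadata rather than walking a CA chain, so the script compares public-key fingerprints instead of running chain validation, and it shows that chain validation of that same certificate fails while the credential still works for its main job, decrypting key material that was encrypted to the SP's public key. The hostname `sp.example.org`, the file names and the "symmetric key" bytes are constructed for the example.

```shell
#!/bin/sh
# Added example: self-signed SP credential, ExplicitKey-style matching and
# a decryption round trip. Needs only openssl; runs entirely offline.
# The CN, file names and key bytes below are assumptions for the demo.

WORK=$(mktemp -d)

# 1. Generate the SP credential: private key plus long-lived self-signed cert.
#    "$1" is a path prefix, e.g. "$WORK/sp" -> sp-key.pem and sp-cert.pem.
gen_sp_credential() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=sp.example.org" \
        -keyout "$1-key.pem" -out "$1-cert.pem" 2>/dev/null
}

# 2. SHA-256 over the DER public key taken from a certificate. This is the
#    only part of the cert that matters to an ExplicitKey relying party.
pubkey_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# 3. ExplicitKey check: the key the IdP holds from metadata ("$2") must be
#    exactly the key the SP holds ("$1"). Issuer and chain are irrelevant.
explicit_key_match() {
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# 4. Deployment sanity check: the private key really pairs with the cert.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# 5. Chain validation of a self-signed cert fails against the system store.
#    Under PKIX trust this would be fatal; under ExplicitKey it is irrelevant.
chain_verify_fails() {
    ! openssl verify "$1" >/dev/null 2>&1
}

# 6. The common use: a content-encryption key is encrypted to the SP's public
#    key (RSA-OAEP key transport, as in XML Encryption) and the SP decrypts it
#    with its private key. Prints the recovered key bytes.
decrypt_roundtrip() {
    prefix=$1
    printf 'constructed-symmetric-key-bytes' > "$WORK/cek.bin"
    openssl x509 -in "$prefix-cert.pem" -pubkey -noout > "$WORK/sp-pub.pem"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/sp-pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/cek.bin" -out "$WORK/cek.enc"
    openssl pkeyutl -decrypt -inkey "$prefix-key.pem" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/cek.enc"
}

# Stand-alone demonstration.
gen_sp_credential "$WORK/sp"
cp "$WORK/sp-cert.pem" "$WORK/metadata-cert.pem"   # copy that would be in metadata
explicit_key_match "$WORK/sp-cert.pem" "$WORK/metadata-cert.pem" && echo "explicit key: match"
key_matches_cert "$WORK/sp-cert.pem" "$WORK/sp-key.pem" && echo "key/cert: paired"
chain_verify_fails "$WORK/sp-cert.pem" && echo "chain validation: fails (expected, self-signed)"
echo "decrypted: $(decrypt_roundtrip "$WORK/sp")"
```

The practical reading of the two checks: if `explicit_key_match` fails after a key rollover, the IdP's copy of the SP metadata is stale, and the IdP will encrypt to a key the SP no longer holds (or, for a signing key, refuse the SP's AuthnRequests); if `key_matches_cert` fails, the SP will fail to decrypt assertions even though metadata is current.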