SP CredentialResolver locally signed SSL certificate

Cantor, Scott cantor.2 at osu.edu
Wed Feb 28 17:07:44 EST 2018

> So it's used when the ExplicitKey trust engine is in use, then?  Should I
> continue to generate certs for my SPs, then?

Your credentials have nothing to do with the trust engine(s) the SP is using, that's the wrong end. Your credentials are evaluated by the IdP and the IdP's credential(s) are evaluated by your (the SP's) trust engines.

The SP requires a keypair to support encryption. It is possible, though rarely bothered with, to tag the credential resolver as encryption only and outright prevent the SP from inadvertently using it for anything else simply to avoid any unintended interpretation of its purpose.

> Is the usage outlined at https://stackoverflow.com/questions/8276233/is-it-recommended-to-sign-and-encrypt-saml-and-use-ssl
> correct that ultimately it's used to ensure the assertions are not modified in flight,
> so a self-signed cert is fine?

Your keypair has nothing whatsoever to do with evaluating a signature from an IdP.

-- Scott
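As an added illustration of the "tag the credential resolver as encryption only" remark above (this is example configuration, not text from the original message or from the Shibboleth project): in the SP's shibboleth2.xml, a CredentialResolver can carry a `use` attribute so that one keypair is only ever offered for decryption and a separate one only for signing. The file names are placeholders chosen for this example.

```xml
<!-- Example only: two File credential resolvers inside the ApplicationDefaults
     element of shibboleth2.xml. The 'use' attribute restricts what the SP
     will do with each keypair, so the encryption key is never used to sign
     and the signing key is never published for encryption. File names are
     placeholders for this example. -->
<CredentialResolver type="File" use="signing"
                    key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption"
                    key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
```

Neither keypair plays any part in verifying the IdP's signature; that check is done by the SP's trust engine against the IdP's metadata. The `use` tagging only limits how the SP's own keys can be exercised, and the certificates wrapping them can remain self-signed because the IdP evaluates them through metadata rather than a CA chain.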
