SP CredentialResolver locally signed SSL certificate

Peter Schober peter.schober at univie.ac.at
Thu Mar 1 08:30:25 EST 2018

* Tom Noonan <tom at joinroot.com> [2018-02-28 22:43]:
> so a self-signed cert is fine?

If you have trustworthy channel to exchange SAML 2.0 Metadata and that
metadata also contains X.509 certificates you could decide to trust
the certificate (or the public key in that cert) simply because you
trust the metadata containing it (as well as containing other things,
e.g. endpoints).
That's the gist of MetaIOP: If you have trustworthy metadata that
contains keys, you also have trustworthy keys. Trust in the metadata
(esp. in an xmldsig signature on that) replaces PKIX signatures on the
certificate itself, so to speak.

Thousands of entities the world over establish secure, trustworthy
exchanges of SAML protocol messages using the public keys from
self-signed certificates. It's the metadata that makes these keys
acceptable, then, not certs signed by X.509 Certificate Authorities.

Since we don't know how you're handling trust establishment and
metadata registration/exchange no one here can tell you whether that's
"fine" for you or not.
But using the software in its default configuration (which implements
the OASIS MetaIOP standard) you might be using commercially signed
certificates and the software would still not look at the CA
signatures on certificates.
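A constructed Python illustration of the explicit-key (MetaIOP-style) trust decision this reply describes; it is an added example, not Shibboleth SP code. It assumes the metadata has already been obtained over a trusted channel or its xmldsig signature verified (not shown), uses a placeholder byte string where real DER would be, and matches a presented certificate by SHA-256 fingerprint against the KeyDescriptor entries for the peer's entityID; CA signatures are never consulted.

```python
"""Constructed MetaIOP-style trust check: keys are trusted because they appear
in trusted SAML metadata, not because a CA signed the certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for the IdP's self-signed cert (DER bytes).
IDP_CERT_DER = b"--constructed placeholder DER for idp.example.org signing cert--"

# Constructed metadata: one IdP entity with a single signing KeyDescriptor.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(IDP_CERT_DER).decode()}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def trusted_keys(metadata_xml: str, entity_id: str, use: str = "signing") -> set:
    """Fingerprints of certificates the (already trusted) metadata binds to entity_id."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.iter(f"{{{NS['md']}}}KeyDescriptor"):
            if kd.get("use") not in (None, use):  # no 'use' attribute = any use
                continue
            for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                fps.add(fingerprint(base64.b64decode("".join(cert.text.split()))))
    return fps


def is_trusted_signer(metadata_xml: str, entity_id: str, presented_der: bytes) -> bool:
    """Explicit-key trust: accept iff the presented cert is in metadata; issuer is ignored."""
    return fingerprint(presented_der) in trusted_keys(metadata_xml, entity_id)
```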

