Metadata Typo Causes Integration Headaches

Brent Putman putmanb at
Wed Sep 19 19:13:53 EDT 2018

On 9/18/18 9:36 AM, Cantor, Scott wrote:
>> Not surprised -- I was groping for words. Let me try again: just
>> because you have what appears to be the right certificate defined in
>> your metadata, there's some complex policy machinery that can
>> effectively remove it from consideration: usage constraints, algorithm
>> constraints, etc.
> Algorithms don't come into play much, that's mostly if it's EC or RSA and you just don't see EC much if at all. It didn't sound like that was your issue here and in practice it just doesn't come up much. The one that does come up occasionally is name filtering but I've seen that more with my SP when picking decryption keys.

I don't think it was Marvin's issue.

But for the record, in the OpenSAML Java ExplicitKeyTrustEngine and
also the Decrypter, we do actually do various kinds of key algorithm
and key length filtering with code like below.  Where we can (i.e. we
have an algorithm URI), it makes sense to apriori exclude creds from
resolution, e.g. it doesn't make sense to even try and validate an RSA
signature with an EC key:

        final String jcaAlgorithm =
        if (!Strings.isNullOrEmpty(jcaAlgorithm)) {
            criteriaSet.add(new KeyAlgorithmCriterion(jcaAlgorithm), true);

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list