Metadata Typo Causes Integration Headaches
cantor.2 at osu.edu
Wed Sep 19 19:16:08 EDT 2018
On 9/19/18, 7:07 PM, "users on behalf of Brent Putman" <users-bounces at shibboleth.net on behalf of putmanb at georgetown.edu> wrote:
> As I just mentioned in my longish reply, the KeyInfo at issue here was the metadata KeyDescriptor/KeyInfo. I don't
> *think* Marvin's conclusions here were quite correct, as I believe there would not have been any Credentials extracted
> from metadata to filter.
Yes, but my point was that even if the code is outfitted to feed key names into the process to filter out non-matches, that would have to come, ordinarily, from the message's KeyInfo hint. And with a signed redirect, there's no hint, so there's nothing to do but try all the keys in the metadata that match the algorithm type.
E.g., say you have ten keys in metadata, and the message says the ds:KeyName or ds:X509SubjectName is "bob", then it's possible to do filtering that determines which keys in the metadata are called "bob". The SP does this when it looks for a decryption key and it's not the greatest idea because it relies on a shared nomenclature between two peers that might disagree about what a key is called, so it wasn't that hot an idea.