validate certificate of service provider
Martin Lunze
martin.lunze at tu-dresden.de
Tue Jul 2 02:09:01 EDT 2019
Hi together,
I am monitoring the validity of the certificates of all our local
service providers.
If one of these is about to expire, I tell the administrator to exchange
this certificate, but not all of them do so quickly enough.
Now I have recognized that login is still possible for some SPs with
expired certificates.
That's possible because they don't sign or can't sign their
authentication requests, and the IdP will also accept the request
without a signature.
It seems that the IdP also has no problem encrypting the authentication
response with an outdated certificate.
Now I am looking for a solution to prevent login for SPs with invalid
certificates inside their metadata.
But I am a bit careful about turning on a restriction that forces all
requests to be signed, because maybe not all SPs can do so.
Another idea is to add a condition to the metadata provider which will
accept only metadata with valid certificates and remove all others.
Or how about adding an interceptor which stops login if encryption is
not possible with a valid certificate?
But I did not find any idea in the documentation of how to implement
this.
Maybe you have a hint for me?
I am glad to hear from you.
Thanks.
Martin
--
Martin Lunze
IT-Systemadministrator
Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen (ZIH)
Operative Prozesse und Systeme (OPS)
01062 Dresden
Tel.: +49 (351) 463-35881
E-Mail: martin.lunze at tu-dresden.de
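As an added example (not code from Martin's mail or from the Shibboleth project): a stdlib-only Python check that walks every SP KeyDescriptor in SAML metadata, reads notAfter straight out of the DER certificate, and reports the entityIDs whose certificates are already expired. The metadata, the DER certificate skeletons and all function names are constructed assumptions for this example; the walker itself works on real X509Certificate elements.

```python
import base64, datetime as dt, xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
def _tlv(buf, off):
    """Decode one DER tag/length at off; return (tag, value_start, value_end)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F; ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def cert_not_after(der):
    """Walk Certificate > tbsCertificate > validity; return notAfter as an aware UTC datetime."""
    _, s, _ = _tlv(der, 0)                          # Certificate SEQUENCE
    _, s, _ = _tlv(der, s)                          # tbsCertificate SEQUENCE
    tag, _, e = _tlv(der, s)                        # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, e = _tlv(der, e)                      # serialNumber
    _, _, e = _tlv(der, e)                          # signature AlgorithmIdentifier
    _, _, e = _tlv(der, e)                          # issuer Name
    _, v, _ = _tlv(der, e)                          # validity SEQUENCE
    _, _, e = _tlv(der, v)                          # notBefore
    tag, a, b = _tlv(der, e)                        # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(der[a:b].decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def expired_sp_keys(metadata_xml, now):
    """Map entityID -> [(use, notAfter)] for every SP KeyDescriptor cert already past notAfter at 'now'."""
    out = {}
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        for kd in ent.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
            for c in kd.findall(".//ds:X509Certificate", NS):
                not_after = cert_not_after(base64.b64decode("".join(c.text.split())))
                if not_after < now:                 # absent 'use' means signing and encryption
                    out.setdefault(ent.get("entityID"), []).append((kd.get("use", "both"), not_after))
    return out
# Constructed fixture: an unsigned DER skeleton carrying only the fields walked above (not a real certificate).
def _der(tag, body):
    return bytes([tag, len(body)]) + body           # short-form lengths are enough for the fixture
def fake_cert(not_after):
    t = _der(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
           + _der(0x30, t + t))                     # version, serial, sigAlg, issuer, validity{notBefore, notAfter}
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def sample_metadata(now):                           # two SPs: one encryption cert expired yesterday, one valid a year
    ent = lambda eid, cert: ('<md:EntityDescriptor entityID="%s"><md:SPSSODescriptor><md:KeyDescriptor use="encryption">'
        '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
        '</md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>') % (eid, base64.b64encode(cert).decode())
    return '<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">%s%s</md:EntitiesDescriptor>' % (NS["md"], NS["ds"],
        ent("https://old.example.org/sp", fake_cert(now - dt.timedelta(days=1))),
        ent("https://fresh.example.org/sp", fake_cert(now + dt.timedelta(days=365))))
def demo(now=dt.datetime.now(dt.timezone.utc)):    # run the check over the fixture built around 'now'
    return expired_sp_keys(sample_metadata(now), now)
```

Run on a real aggregate, the returned map is the list of SPs whose expired keys the IdP would still use for encryption or accept for unsigned requests, which is the set this mail wants to block.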