validate certificate of service provider
martin.lunze at tu-dresden.de
Tue Jul 2 02:09:01 EDT 2019
I am monitoring the validity of the certificates of all our local
If one of these will expire, I tell the administrator to exchange this
certificate, but not all of them will do so quickly enough.
Now I have recognized that the login is still possible for some SPs with
That's possible because they didn't sign or can't sign their
authentication requests and the IdP will accept the request also without
It seems that the IdP also has no problem encrypting the authentication
response with an outdated certificate.
Now I am looking for a solution to prevent login for SPs with invalid
certificates inside their metadata.
But I am a bit careful with turning on a restriction to force all
requests to be signed, because maybe not all SPs can do so.
Another idea is to add a condition to the metadata provider which will
accept only metadata with valid certificates and remove all others.
Or how about adding an interceptor which stops login if encryption is not
possible with a valid certificate.
But I did not find any idea in the documentation of how to implement this.
Maybe you have a hint for me?
I am glad to hear from you.
Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen (ZIH)
Operative Prozesse und Systeme (OPS)
Tel.: +49 (351) 463-35881
E-Mail: martin.lunze at tu-dresden.de
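As an added example (not part of this thread or of the Shibboleth project), a Python check for the situation described above: it walks SAML metadata, reads every certificate in each SP's KeyDescriptor elements and reports which ones are expired or close to expiry, which is the check the IdP itself does not perform. It assumes the `cryptography` package; the entity IDs, the metadata and the self-signed certificates are constructed for the demo.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from cryptography import x509  # assumption: the 'cryptography' package is installed
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
UTC = dt.timezone.utc


def check_sp_certificates(metadata_xml, now=None, warn_days=30):
    """Return {entityID: [(use, not_after, status), ...]} for every SP in the metadata."""
    now, report = now or dt.datetime.now(UTC), {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is None:  # IdP or AA entities are not the subject of this check
            continue
        findings = []
        for kd in sp.findall("md:KeyDescriptor", NS):
            use = kd.get("use", "signing+encryption")  # no 'use' attribute means both uses
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                cert = x509.load_der_x509_certificate(base64.b64decode("".join(c.text.split())))
                # not_valid_after_utc exists in cryptography >= 42; older versions give a naive UTC value
                not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
                status = ("expired" if not_after < now else
                          "expiring" if not_after - now < dt.timedelta(days=warn_days) else "ok")
                findings.append((use, not_after, status))
        report[ed.get("entityID")] = findings
    return report


def make_test_cert_b64(days_valid):
    """Constructed self-signed certificate for the sample metadata below (not a real SP key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sp.example.org")])
    now = dt.datetime.now(UTC)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=400))
            .not_valid_after(now + dt.timedelta(days=days_valid)).sign(key, hashes.SHA256()))
    return base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()


ENTITY = ('<EntityDescriptor entityID="%s"><SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
          '<KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
          '</ds:X509Data></ds:KeyInfo></KeyDescriptor></SPSSODescriptor></EntityDescriptor>')
# Constructed metadata: one SP whose certificate expired 5 days ago, one with a year left
SAMPLE_METADATA = ('<EntitiesDescriptor xmlns="%s" xmlns:ds="%s">' % (NS["md"], NS["ds"])
                   + ENTITY % ("https://sp-expired.example.org/shibboleth", "", make_test_cert_b64(-5))
                   + ENTITY % ("https://sp-ok.example.org/shibboleth", ' use="encryption"', make_test_cert_b64(365))
                   + "</EntitiesDescriptor>")
```

Running `check_sp_certificates(SAMPLE_METADATA)` returns the first SP with status `expired` and the second with `ok`; an SP whose certificate has fewer than `warn_days` left is reported as `expiring`, which is the point at which to contact its administrator.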