validate certificate of service provider
jdennis at redhat.com
Tue Jul 2 08:54:49 EDT 2019
On 7/2/19 2:09 AM, Martin Lunze wrote:
> Hi together,
> i am monitoring the validity of the certificates of all our local
> service providers.
> If one of these will expire, i tell the administrator to exchange this
> certifiacte, but not all of them will do so quickly enough.
> Now i have recognized that the login is still possible for some sps with
> expired certificats.
> Thats possible because they didn't sign or can't sign their
> authentication requests and the idp will accept the request also without
> a signature.
> It seems that the idp also has no problem to encrypt the authentication
> response with a outdated certificate.
> Now i am looking for a solution to prevent login for sps with invalid
> certificates inside their metadata.
> But i am a bit carefully with turning on a restriction to force all
> requests have to be signed, because maybe not all sps can do so.
> Another idea is to add a condition to the metadataprovider which will
> accept only metadata with valid certificates and remove all other.
> Or how about to add a interceptor which stops login if encryption is not
> possible with a valid ceritficate.
> But i did not find an idea in the documentation how to implement this.
> Maybe you have any hint for me?
> I am glade to hear from you.
There is no such thing as certificate validation for the signing and
encryption keys contained in metdadata. Only the key material contained
in the X509 certificates is relevant not the rest of the PKI ancillary
information. The X509 format was selected only as a convenience
container for the key material. You either trust the metadata containing
those keys or you don't. Validating the signature on the metadata is
another story altogether.
More information about the users