validate certificate of service provider
John Dennis
jdennis at redhat.com
Tue Jul 2 08:54:49 EDT 2019
On 7/2/19 2:09 AM, Martin Lunze wrote:
> Hi together,
>
> I am monitoring the validity of the certificates of all our local
> service providers.
>
> If one of these will expire, I tell the administrator to exchange this
> certificate, but not all of them will do so quickly enough.
>
> Now I have recognized that the login is still possible for some SPs with
> expired certificates.
> That's possible because they didn't sign or can't sign their
> authentication requests and the IdP will accept the request also without
> a signature.
>
> It seems that the IdP also has no problem to encrypt the authentication
> response with an outdated certificate.
>
> Now I am looking for a solution to prevent login for SPs with invalid
> certificates inside their metadata.
> But I am a bit careful with turning on a restriction to force all
> requests to be signed, because maybe not all SPs can do so.
>
> Another idea is to add a condition to the metadata provider which will
> accept only metadata with valid certificates and remove all others.
> Or how about adding an interceptor which stops login if encryption is not
> possible with a valid certificate.
>
> But I did not find an idea in the documentation how to implement this.
>
> Maybe you have any hint for me?
> I am glad to hear from you.
There is no such thing as certificate validation for the signing and
encryption keys contained in metadata. Only the key material contained
in the X.509 certificates is relevant, not the rest of the PKI ancillary
information. The X.509 format was selected only as a convenience
container for the key material. You either trust the metadata containing
those keys or you don't. Validating the signature on the metadata is
another story altogether.
--
John Dennis
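An added example (not from either poster) of the expiry monitoring Martin describes, done outside the IdP since, as John says, the IdP treats the certificate only as a key container: it pulls every SP signing/encryption certificate out of a SAML metadata feed and reports the ones already past notAfter. It uses only the Python standard library, so the validity dates are read with a minimal hand-written DER walk rather than an X.509 library; the certificate and metadata samples are constructed placeholders, not real ones.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = "md:SPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
def _tlv(der, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length (real certs are > 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity; return notAfter as an aware UTC datetime."""
    p = _tlv(der, _tlv(der, 0)[1])[1]                  # into Certificate SEQUENCE, then tbsCertificate
    if _tlv(der, p)[0] == 0xA0:                        # optional [0] EXPLICIT version
        p = _tlv(der, p)[2]
    for _ in range(3):                                 # skip serialNumber, signature, issuer
        p = _tlv(der, p)[2]
    p = _tlv(der, _tlv(der, p)[1])[2]                  # into validity SEQUENCE, past notBefore
    tag, s, e = _tlv(der, p)                           # notAfter: 0x17 UTCTime or 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)
def expired_certs(metadata_xml, now):
    """List (entityID, notAfter) for every SP certificate in the metadata that is already expired."""
    hits = []
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        for cert in ent.iterfind(CERT_PATH, NS):
            not_after = cert_not_after(base64.b64decode(cert.text))
            if not_after < now:
                hits.append((ent.get("entityID"), not_after))
    return hits
def _der(tag, body):  # short-form DER encoder (body < 128 bytes), used only for the constructed sample
    return bytes([tag, len(body)]) + body
def fake_cert(not_after):
    """Constructed, unsigned placeholder certificate carrying just the fields the walker reads."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
           + _der(0x30, utc(datetime(2019, 1, 1)) + utc(not_after)) + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def sample_metadata():
    """Constructed federation metadata: one SP cert expired on 2019-05-31, one valid until 2030."""
    sp = ('<md:EntityDescriptor entityID="{eid}"><md:SPSSODescriptor><md:KeyDescriptor><ds:KeyInfo>'
          '<ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
          '</md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')
    ents = [("https://sp-old.example.org/shibboleth", fake_cert(datetime(2019, 5, 31))),
            ("https://sp-ok.example.org/shibboleth", fake_cert(datetime(2030, 5, 31)))]
    body = "".join(sp.format(eid=e, b64=base64.b64encode(c).decode()) for e, c in ents)
    return '<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">%s</md:EntitiesDescriptor>' % (NS["md"], NS["ds"], body)
```

Against a real feed, call `expired_certs(open(path).read(), datetime.now(timezone.utc))` on the same metadata the IdP's MetadataProvider loads, so the report covers exactly the certificates the IdP will keep accepting.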