SAML Keys Format
MIKE LLOYD - QQ1
mike.lloyd at gsa.gov
Thu Feb 6 11:43:16 EST 2020
Sounds good, thanks Scott.
Mike.
On Wed, Feb 5, 2020 at 5:10 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
> You will never see a (correct) instance of metadata or any other
> ds:X509Certificate element anywhere with the headers. The relevant standard
> is XML Signature, and the syntax of that element is a base64-encoded
> DER-encoded certificate. PEM is simply that format with the headers added.
> The XML Schema type of the element is called base64Binary. The headers are
> not valid base64 so they blatantly break the syntax and would choke any
> validating parser.
>
> > I noticed the metadata/idp-metadata.xml configuration file references
>
> There is no such configuration file. The IdP never uses its own metadata.
> That file is a dummy example file (really should never have been created,
> but it's historical) that's just a sample. It should never be used as
> anything but a starting point for creating the appropriate metadata to give
> to federations and the like.
>
> > I've seen ADFS SAML 2.0 references contain the certificate headers and
> footers
>
> I would be surprised, but given that ADFS can't even handle valid
> metadata, it would be fitting if it accepted something that's clearly
> invalid.
>
> > and I didn't see the OASIS SAML 2.0 specify whether the headers and
> footers were needed
>
> Because it's not a SAML element. It comes from XML Signature.
>
> -- Scott
>
>
--
Respectfully,
Mike Lloyd
Innovation Specialist, 18F, cloud.gov
g: mxplusb
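As an added illustration of the point Scott makes above (example code written for this page, not code from the Shibboleth project or from either poster): a ds:X509Certificate element holds base64Binary, i.e. the base64 of the DER certificate and nothing else, so the PEM `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` lines must be stripped before the value goes into metadata. The script below strips the armor, applies the xsd:base64Binary lexical rule as a stand-in for what a schema-validating parser enforces, renders a KeyDescriptor, and reads the certificate back out. `FAKE_DER` is constructed placeholder bytes, not a real certificate; only its base64 handling matters here.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed placeholder standing in for a DER-encoded certificate (NOT a real cert).
FAKE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(256)) + b"\x00" * 5

_PEM_ARMOR = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM: 64-column base64 lines between BEGIN/END armor lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def strip_pem_armor(pem: str) -> str:
    """Keep only the base64 payload lines of a PEM block; drop BEGIN/END lines."""
    return "\n".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not _PEM_ARMOR.match(line.strip())
    )


def is_valid_base64binary(text: str) -> bool:
    """xsd:base64Binary lexical check: RFC 2045 alphabet, whitespace allowed between
    characters, total length a multiple of four, well-formed '=' padding.
    The '-' in a PEM armor line is outside the alphabet, so armored text fails here."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) % 4 != 0:
        return False
    try:
        base64.b64decode(compact, validate=True)
    except binascii.Error:
        return False
    return True


def decode_base64binary(text: str) -> bytes:
    """Decode a base64Binary value, rejecting anything that fails the lexical check."""
    if not is_valid_base64binary(text):
        raise ValueError("not valid base64Binary (PEM headers left in?)")
    return base64.b64decode(re.sub(r"\s+", "", text))


def x509certificate_text(pem: str) -> str:
    """Text content for ds:X509Certificate derived from a PEM file."""
    body = strip_pem_armor(pem)
    if not is_valid_base64binary(body):
        raise ValueError("PEM body is not valid base64Binary")
    return body


def key_descriptor_xml(pem: str, use: str = "signing") -> str:
    """Render a SAML metadata md:KeyDescriptor carrying the certificate."""
    return (
        f'<md:KeyDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" use="{use}">\n'
        "  <ds:KeyInfo>\n"
        "    <ds:X509Data>\n"
        f"      <ds:X509Certificate>{escape(x509certificate_text(pem))}</ds:X509Certificate>\n"
        "    </ds:X509Data>\n"
        "  </ds:KeyInfo>\n"
        "</md:KeyDescriptor>"
    )


def extract_certificate(xml_text: str) -> bytes:
    """Parse metadata XML and return the DER bytes from the first ds:X509Certificate,
    applying the base64Binary check a validating parser would apply."""
    root = ET.fromstring(xml_text)
    elem = root.find(f".//{{{DS_NS}}}X509Certificate")
    if elem is None or not elem.text:
        raise ValueError("no ds:X509Certificate found")
    return decode_base64binary(elem.text)


if __name__ == "__main__":
    pem = der_to_pem(FAKE_DER)
    print("armored PEM is valid base64Binary:", is_valid_base64binary(pem))   # False
    xml_out = key_descriptor_xml(pem)
    print(xml_out)
    print("round trip ok:", extract_certificate(xml_out) == FAKE_DER)          # True
```

Running it prints a KeyDescriptor whose ds:X509Certificate contains only base64 lines; feeding the armored PEM straight into `decode_base64binary` raises, which is the "choke any validating parser" behaviour described in the thread, reproduced as an explicit check rather than as a schema error.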