Adding Another IDP Signing Certificate in Shib 3.x SP
Bhagwat, Shrikant
shrbhagw at med.umich.edu
Mon Feb 10 20:05:05 EST 2020
Can we get IDP Metadata just by URL, or do we need the XML file on local disk as well?
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Bhagwat, Shrikant
Sent: Monday, February 10, 2020 11:35 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: Adding Another IDP Signing Certificate in Shib 3.x SP
Do we need to capture IDP Metadata from URL & backingFilePath, or is just one enough on the SP?
We have like below:
<MetadataProvider type="XML" url="https://lab-weblogin.med.umich.edu/nidp/saml2/metadata"
backingFilePath="lab-weblogin-metadata.xml" reloadInterval="7200">
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Mak, Steve
Sent: Monday, February 10, 2020 8:22 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Adding Another IDP Signing Certificate in Shib 3.x SP
External Email - Use Caution
I want to make sure you were aware that there are potentially two different signing certs in play here: the IdP metadata signing cert and the IdP's SAML response/assertion signing cert. They might be the same, but they also might not be.
If the IdP is updating the idp-metadata signing cert you add the new CredentialResolver. If the IdP is only updating their SAML response/assertion signing cert you only have to make sure it's part of their published idp-metadata, but that will probably automatically happen without you needing to do anything.
-Steve
On 2/10/20, 08:17, "users on behalf of Bhagwat, Shrikant" <users-bounces at shibboleth.net on behalf of shrbhagw at med.umich.edu> wrote:
Thanks. Let me try this
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Alan Buxey
Sent: Monday, February 10, 2020 3:53 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Adding Another IDP Signing Certificate in Shib 3.x SP
External Email - Use Caution
change your <MetadataFilter type="Signature"
certificate="Lab-WebloginFull.pem"/> to eg
<MetadataFilter type="Signature">
    <CredentialResolver type="Chaining">
        <CredentialResolver type="File"
            certificate="Lab-WebloginFull.pem"/>
        <CredentialResolver type="File"
            certificate="New-Lab-WebloginFull.pem"/>
    </CredentialResolver>
</MetadataFilter>
??
alan
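Steve's point that a new SAML signing cert only helps once it appears in the published IdP metadata, and Alan's chained CredentialResolver, as an added example that is not from this thread or the Shibboleth project: it lists the PEMs the chain trusts and reports which of them the metadata actually publishes as signing keys, using only the Python standard library. The SP config fragment, the in-memory PEM store, the placeholder certificate bytes and the entityID are all constructed for the demonstration.

```python
# Added example: check that every PEM a chained CredentialResolver trusts is
# actually published as a signing certificate in the IdP's metadata (stdlib only).
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def fingerprint(der: bytes) -> str:
    """SHA-256 over DER bytes, the value `openssl x509 -fingerprint -sha256` prints (minus colons)."""
    return hashlib.sha256(der).hexdigest()

def pem_fingerprint(pem_text: str) -> str:
    """Strip the PEM armour, base64-decode to DER and fingerprint it."""
    body = pem_text.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "")
    return fingerprint(base64.b64decode("".join(body.split())))

def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """Certs from KeyDescriptors with use="signing" or no use attribute (both may sign assertions)."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                found.add(fingerprint(base64.b64decode("".join(cert.text.split()))))
    return found

def resolver_pem_paths(sp_config_xml: str) -> list:
    """certificate= paths of each File CredentialResolver; the tag match ignores namespaces."""
    return [el.get("certificate") for el in ET.fromstring(sp_config_xml).iter()
            if el.tag.rsplit("}", 1)[-1] == "CredentialResolver" and el.get("type") == "File"]

def check_trust_chain(sp_config_xml: str, metadata_xml: str, pem_store: dict) -> dict:
    """Map each trusted PEM path to True if its certificate is a signing cert in the metadata."""
    published = metadata_signing_fingerprints(metadata_xml)
    return {p: pem_fingerprint(pem_store[p]) in published for p in resolver_pem_paths(sp_config_xml)}

# Constructed sample data: the "certificates" are placeholder bytes, not real X.509 DER,
# and PEM_STORE stands in for the files on disk. Only the old cert is published so far.
OLD_DER, NEW_DER = b"placeholder-old-cert", b"placeholder-new-cert"
def as_pem(der: bytes) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
PEM_STORE = {"Lab-WebloginFull.pem": as_pem(OLD_DER), "New-Lab-WebloginFull.pem": as_pem(NEW_DER)}
SP_CONFIG = """<MetadataFilter type="Signature"><CredentialResolver type="Chaining">
<CredentialResolver type="File" certificate="Lab-WebloginFull.pem"/>
<CredentialResolver type="File" certificate="New-Lab-WebloginFull.pem"/>
</CredentialResolver></MetadataFilter>"""
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example/placeholder">
<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{base64.b64encode(OLD_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Running `check_trust_chain(SP_CONFIG, IDP_METADATA, PEM_STORE)` on real files means reading each certificate= path into the store and fetching the metadata from the provider URL; a False entry is a cert the SP would accept for metadata signatures but that the IdP has not (yet) advertised.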
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues