Signing but force no encrypt, even in IDP metadata
Jehan Procaccia
jehan.procaccia at tem-tsp.eu
Fri Jun 12 21:28:58 UTC 2020
Hello,

From
https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration
I see that I can invalidate encryption for a specific SP / entityID:

    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
I know it's dirty, but the vendor I am trying to do SSO with not only
asks for no encryption (only signing), but wants the metadata file of our
IDP to contain only the signing certificate, with no occurrence of:

    <KeyDescriptor use="encryption">

because having 2 certificates in the metadata makes their integration tool fail.
Is there a way in the configuration of the IDP to completely invalidate
encryption, to the point of making it disappear from the metadata?
I tried commenting out, in credentials.xml:

    <util:list id="shibboleth.DefaultEncryptionCredentials">
        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
            p:privateKeyResource="%{idp.encryption.key}"
            p:certificateResource="%{idp.encryption.cert}" />

but <KeyDescriptor use="encryption"> still appears in the metadata at
https://myidp.domain.fr/idp/shibboleth
Or should I edit idp-metadata.xml myself and "blindly" remove the whole
section:

    <KeyDescriptor use="encryption">
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
MIIDNzCCAh+gAwIBAgIUQ1XYtG2d7w4EbppsM3JMNZNhjIYwDQYJKoZIhvcNAQEL

Thanks.
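The static-file route raised above (editing idp-metadata.xml by hand), as an added example that is not part of the original post or of the Shibboleth project: a Python script that lists the `use` of every KeyDescriptor in IdP metadata, removes the encryption ones from a copy, and refuses to write a document that no longer advertises a signing key. The entityID, the sample metadata and the certificate strings are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample: a minimal IdP EntityDescriptor carrying both a signing
# and an encryption KeyDescriptor. The certificate contents are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def key_descriptor_uses(xml_text):
    """Return the 'use' of every KeyDescriptor, in document order.
    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption per the SAML metadata spec, so it is reported as 'both'."""
    root = ET.fromstring(xml_text)
    return [kd.get("use", "both") for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")]

def strip_encryption_key_descriptors(xml_text):
    """Return a copy of the metadata with every KeyDescriptor use="encryption"
    removed from the IDPSSODescriptor. Raises if no signing key would remain,
    so the SPs' ability to verify the IdP's signatures is never edited away."""
    root = ET.fromstring(xml_text)
    for role in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for kd in list(role.findall(f"{{{MD_NS}}}KeyDescriptor")):
            if kd.get("use") == "encryption":
                role.remove(kd)
    remaining = [kd.get("use", "both") for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")]
    if not any(u in ("signing", "both") for u in remaining):
        raise ValueError("refusing to write metadata that advertises no signing key")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(key_descriptor_uses(SAMPLE_METADATA))
    print(key_descriptor_uses(strip_encryption_key_descriptors(SAMPLE_METADATA)))
```

A KeyDescriptor with no `use` attribute is left in place, since it is also the signing key; if the generated file carries one of those, the encryption capability is advertised by that single certificate and cannot be removed by deleting an element.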