Signing but force no encrypt, even in IDP metadata
Ray Bon
rbon at uvic.ca
Fri Jun 12 22:25:02 UTC 2020
Jehan,
What is preventing the vendor from editing their copy of your metadata?
Ray
On Fri, 2020-06-12 at 23:28 +0200, Jehan Procaccia wrote:
Hello
From https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration I see that I can invalidate encryption for a specific SP / entityID:
<bean parent="SAML2.SSO" p:encryptAssertions="false" />
I know it's dirty, but the vendor I am trying to do SSO with not only asks for no encryption (only signing), but wants the metadata file of our IdP to contain only the signing certificate, with no occurrence of:
<KeyDescriptor use="encryption">
because their integration tool fails when there are 2 certificates in the metadata.
Is there a way in the IdP configuration to completely invalidate encryption, to the point that it disappears from the metadata?
I tried commenting out, in credentials.xml:
<util:list id="shibboleth.DefaultEncryptionCredentials">
    <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
        p:privateKeyResource="%{idp.encryption.key}"
        p:certificateResource="%{idp.encryption.cert}" />
</util:list>
but <KeyDescriptor use="encryption"> still appears in the metadata at https://myidp.domain.fr/idp/shibboleth
Or should I edit idp-metadata.xml myself and "blindly" remove the whole section:
<KeyDescriptor use="encryption">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>
                MIIDNzCCAh+gAwIBAgIUQ1XYtG2d7w4EbppsM3JMNZNhjIYwDQYJKoZIhvcNAQEL
Thanks.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rbon at uvic.ca
I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.