Signing but force no encrypt, even in IDP metadata
Jehan Procaccia
jehan.procaccia at tem-tsp.eu
Sat Jun 13 13:46:27 UTC 2020
because they ask me for a download/service URL for my IDP metadata
you are right, I can probably create a "fake" one on /var/www/html with
apache server and remove all encrypt references in those metadata
but I am afraid that if their SP refreshes dynamically my IDP metadata
while exchanging assertions maybe they need to access/check
https://myidp.domain.fr/idp/shibboleth ?
So is there a way to completely remove encrypt assertion from the IDP
workflow and associated metadata ?
Thanks .
On 13/06/2020 at 00:25, Ray Bon wrote:
> Jehan,
>
> What is preventing the vendor from editing their copy of your metadata?
>
> Ray
>
> On Fri, 2020-06-12 at 23:28 +0200, Jehan Procaccia wrote:
>> Hello
>>
>> from
>> https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration
>> I see that I can invalidate encryption for specific SP /entityID :
>>
>> <bean parent="SAML2.SSO" p:encryptAssertions="false" />
>>
>> I know it's dirty , but the Vendor I am trying to do SSO with not
>> only asks for no encryption (only signing) , but wants the
>> metadataFile of our IDP to contain only the signing certificate, no
>> occurrence of :
>>
>> <KeyDescriptor use="encryption">
>>
>> because their integration tool fails when there are 2 certificates in
>> the metadata
>>
>> Is there a way in the configuration of the IDP to completely
>> invalidate encryption to the point of making it disappear from the Metadata ?
>>
>> I tried to comment out in credentials.xml :
>>
>> <util:list id="shibboleth.DefaultEncryptionCredentials">
>>     <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
>>         p:privateKeyResource="%{idp.encryption.key}"
>>         p:certificateResource="%{idp.encryption.cert}" />
>> </util:list>
>>
>> but still <KeyDescriptor use="encryption"> appears in metadata at
>> https://myidp.domain.fr/idp/shibboleth
>>
>> Or should I edit idp-metadata.xml myself and "blindly" remove all the
>> section:
>>
>>     <KeyDescriptor use="encryption">
>>         <ds:KeyInfo>
>>             <ds:X509Data>
>>                 <ds:X509Certificate>
>>                 MIIDNzCCAh+gAwIBAgIUQ1XYtG2d7w4EbppsM3JMNZNhjIYwDQYJKoZIhvcNAQEL
>>
>> Thanks .
>>
>>
> --
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rbon at uvic.ca <mailto:rbon at uvic.ca>
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees,
> Esquimalt and WSÁNEĆ Nations.
>
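For the per-SP setting quoted in the thread, here is an added relying-party.xml override (example configuration written for this page, not code from the thread or from the Shibboleth documentation). It places the SAML2.SSO bean inside a RelyingPartyByName override so that only the vendor's entityID stops receiving encrypted assertions, while every other SP keeps the IdP-wide default; the vendor entityID is a placeholder, and the override list id shibboleth.RelyingPartyOverrides is the standard one in a stock IdP install.

```xml
<!-- Fragment of conf/relying-party.xml (Shibboleth IdP v3/v4).
     Added example: disable assertion encryption for ONE vendor SP only,
     instead of removing shibboleth.DefaultEncryptionCredentials, which
     would switch encryption off for every relying party. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- c:relyingPartyIds is matched against the SP's entityID.
         Placeholder value: replace with the vendor's real entityID. -->
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://sp.vendor.example/shibboleth">
        <property name="profileConfigurations">
            <list>
                <!-- Signing stays on (IdP default); only encryption is
                     disabled, and only for this relying party. -->
                <bean parent="SAML2.SSO"
                      p:encryptAssertions="false"
                      p:encryptNameIDs="false"
                      p:encryptAttributes="false" />
            </list>
        </property>
    </bean>

</util:list>
```

Check the effect by inspecting a test assertion sent to the vendor SP (it should carry a plain <saml2:Assertion> with a <ds:Signature>, no <saml2:EncryptedAssertion>), and confirm that a second, unrelated SP still receives an encrypted assertion so the override has not leaked beyond the one entityID.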