Signing but force no encrypt, even in IDP metadata
jehan.procaccia at tem-tsp.eu
Sat Jun 13 13:46:27 UTC 2020
because they ask me for a download/service URL for my IDP metadata
you are right, I can probably create a "fake" one on /var/www/html with
apache server and remove all encrypt references in those metadata
but I am afraid that if their SP refreshes dynamically my IDP metadata and
while exchanging assertions maybe they need to access/check
So is there a way to completely remove encrypt assertion from the IDP
workflow and associated metadata?
On 13/06/2020 at 00:25, Ray Bon wrote:
> What is preventing the vendor from editing their copy of your metadata?
> On Fri, 2020-06-12 at 23:28 +0200, Jehan Procaccia wrote:
>> I see that I can invalidate encryption for a specific SP / entityID:
>> <bean parent="SAML2.SSO" p:encryptAssertions="false" />
>> I know it's dirty, but the Vendor I am trying to do SSO with, not
>> only asks for no encryption (only signing), but wants the
>> metadataFile of our IDP to contain only the signing certificate, no
>> occurrence of:
>> <KeyDescriptor use="encryption">
>> because it fails their integration tool to have 2 certificates in
>> Is there a way in the configuration of the IDP to completely
>> invalidate encryption at the point to make it disappear from Metadata?
>> I tried to comment in credentials.xml
>> <util:list id="shibboleth.DefaultEncryptionCredentials">
>>     <bean
>> but still <KeyDescriptor use="encryption"> appears in metadata at
>> Or should I edit myself idp-metadata.xml and "blindly" remove all the
>>     <KeyDescriptor use="encryption">
>>         <ds:KeyInfo>
>>             <ds:X509Data>
>>                 <ds:X509Certificate>
>> Thanks.
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rbon at uvic.ca <mailto:rbon at uvic.ca>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees,
> Esquimalt and WSÁNEĆ Nations.
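The thread discusses hand-editing idp-metadata.xml to drop the encryption KeyDescriptor so a vendor's tool sees only the signing certificate. The script below is an added example, not code from the thread or from the Shibboleth project: it does that edit with an XML parser instead of by hand, so the signing KeyDescriptor, endpoints and namespace prefixes are left intact, and it refuses two cases a hand edit would silently get wrong. A KeyDescriptor with no use attribute is valid for both signing and encryption, so removing it would also remove the signing key; and a metadata file carrying a ds:Signature would have its signature broken by any edit. The metadata sample is constructed with placeholder certificate text; entityID and endpoint URLs are assumptions.

```python
"""Strip <md:KeyDescriptor use="encryption"> entries from SAML IdP metadata.

Added example (not from the mailing-list thread). It performs the edit the
poster describes doing by hand, but with a parser, and refuses to produce a
file that would leave a role with no signing-capable key or that would
invalidate an existing XML signature.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

KEY_DESCRIPTOR = f"{{{MD_NS}}}KeyDescriptor"
SIGNATURE = f"{{{DS_NS}}}Signature"


def build_sample(uses):
    """Construct IdP metadata in the shape Shibboleth generates, with one
    KeyDescriptor per entry of `uses` (None = no use attribute, i.e. a key
    usable for both signing and encryption). Certificates are placeholders,
    not real base64; entityID and endpoint are assumed values."""
    descriptors = []
    for use in uses:
        attr = f' use="{use}"' if use else ""
        extra = ('<md:EncryptionMethod Algorithm='
                 '"http://www.w3.org/2009/xmlenc11#aes128-gcm"/>'
                 if use == "encryption" else "")
        descriptors.append(
            f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>PLACEHOLDER-{(use or 'dual').upper()}-CERT"
            f"</ds:X509Certificate></ds:X509Data></ds:KeyInfo>{extra}"
            f"</md:KeyDescriptor>"
        )
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
        'entityID="https://idp.example.org/idp/shibboleth">'
        '<md:IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        + "".join(descriptors) +
        '<md:SingleSignOnService Binding='
        '"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Constructed sample: the default layout with a signing and an encryption key.
SAMPLE_IDP_METADATA = build_sample(["signing", "encryption"])


def key_uses(xml_text):
    """Return the use of every KeyDescriptor in document order; a descriptor
    without a use attribute is reported as 'both'."""
    root = ET.fromstring(xml_text)
    return [kd.get("use", "both") for kd in root.iter(KEY_DESCRIPTOR)]


def strip_encryption_keys(xml_text):
    """Remove every KeyDescriptor whose use is exactly "encryption".

    Returns (new_xml, number_removed). Raises ValueError if the document is
    signed (the edit would break the signature) or if any role descriptor
    would be left without a signing-capable key, which would make the IdP's
    assertion signatures unverifiable for an SP that consumes this file.
    """
    root = ET.fromstring(xml_text)
    if root.find(SIGNATURE) is not None:
        raise ValueError("metadata carries a ds:Signature; editing it would "
                         "invalidate the signature, re-sign or strip it first")
    # Collect the parents first so the tree is not mutated while iterating.
    parents = [p for p in root.iter() if p.find(KEY_DESCRIPTOR) is not None]
    removed = 0
    for parent in parents:
        for kd in parent.findall(KEY_DESCRIPTOR):
            if kd.get("use") == "encryption":
                parent.remove(kd)
                removed += 1
        # A use-less KeyDescriptor covers signing too, so it must be kept.
        if not any(kd.get("use") in (None, "signing")
                   for kd in parent.findall(KEY_DESCRIPTOR)):
            raise ValueError(f"{parent.tag} would have no signing-capable key")
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    stripped, n = strip_encryption_keys(SAMPLE_IDP_METADATA)
    print(f"removed {n} encryption KeyDescriptor(s); remaining uses: "
          f"{key_uses(stripped)}")
    print(stripped)
```

Run it against a real idp-metadata.xml by replacing the constructed sample with the file's contents; the output is what one would publish on the "fake" download URL the poster proposes, while the IdP's own configuration is left untouched. The dual-use refusal matters because the IdP will still decrypt with whatever key it holds, and an SP that reads a file with no encryption key will simply not encrypt, which is the behaviour the vendor asked for.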