Shibb sp error

Peter Schober peter.schober at univie.ac.at
Thu Jan 28 13:11:31 UTC 2021 

* Kicic Sakib <Sakib.Kicic at smhi.se> [2021-01-28 11:57]:
> Yes, problem is that we need to generate new certificate key pair.

On fully supported platforms that would have happened automatically
during installation. (I note you didn't answer my question what
OS/version this was on.)
On not fully supported platforms doing that is just one command away.

Without a key pair the SP cannot recieve encrypted data, most
importantly. For those wanting end-to-end security from their SSO
protocol that's of prime importance. (For you probably not, since you
mention things having worked in the past and the presence od a
"proxy", things I don't quite understand from the level of details
provided.)

> Strange thing is that these sp certificate files where empty for a
> long time but idp logs says nothing about it until today after
> restart of idp service. And we also load metadata for sp via proxy
> each 5 minutes and sp has worked fine all time.

Sorry, none of that makes much sense to me as written above.

The IDP restart might have triggered the IDP to try to fetch updated
metadata from your SP (and you seemingly have configured the SP to
sign its own metadata with its own key, which does/did not exist; not
that any of that would provide real security or trustworthiness for
the IDP, IMO) but if you did not get that error at the SP "for a long
time" this means the IDP hasn't ever refreshed metadata from the SP in
that same long time.
(At which point it seems clear that the IDP should probably use
metadata about this SP from its own local disk, and not fetch it over
the network, avoiding all these problems.
That, plus no longer configuring the SP to sign its own metadata when
it doesn't even have a key pair to sign something with.)

> I think we will go with oidc  so we don't get problem with certificates and metadata.

If you think switching SSO protocol will somehow magically prevent you
from making configuration and deployment mistakes such as the ones I
could infer from your posts so far you might find you're in for a
surprise. You can run SAML and Shibboleth with any amout of trust or
security (including zero, if you insist) just fine. ;) 

-peter

More information about the users mailing list