Question about relying-party-system.xml
Ullfig, Roberto Alfredo
rullfig at uic.edu
Wed Jun 30 13:41:30 UTC 2021
Did shibboleth.DefaultSecurityConfiguration change in 4.1? I can't get this to work. I have in credentials.xml:
    <util:list id="shibboleth.SigningCredentials">
        <ref bean="shibboleth.DefaultSigningCredential" />
        <ref bean="shibboleth.OldSigningCredential" />
    </util:list>

    <!-- Your IdP's default signing key, set via property file. -->
    <bean id="shibboleth.DefaultSigningCredential"
        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
        p:privateKeyResource="%{idp.signing.key}"
        p:certificateResource="%{idp.signing.cert}"
        p:entityId-ref="entityID" />

    <!-- Previous signing key, exposed under its own bean id so a relying-party override can select it. -->
    <bean id="shibboleth.OldSigningCredential"
        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
        p:privateKeyResource="%{idp.signing.key.2}"
        p:certificateResource="%{idp.signing.cert.2}"
        p:entityId-ref="entityID" />
In relying-party.xml:

    <!-- Security configuration that signs with the old key only. -->
    <bean id="OldSigningCredentialConfig" parent="shibboleth.DefaultSecurityConfiguration">
        <property name="signatureSigningConfiguration">
            <bean parent="shibboleth.SigningConfiguration.SHA256"
                p:signingCredentials-ref="shibboleth.OldSigningCredential" />
        </property>
    </bean>

    <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'https://jostle.us'}}">
        <property name="profileConfigurations">
            <list>
                <!-- The security override is attached to the SAML 1 (Shibboleth.SSO) profile. -->
                <bean parent="Shibboleth.SSO" p:securityConfiguration-ref="OldSigningCredentialConfig" />
                <!-- The SAML2.SSO profile sets no securityConfiguration here, so it uses the default. -->
                <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <ref bean="MFASAML2Principal" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>
The application should work with shibboleth.OldSigningCredential. No ERR and it works fine using the other key on the production server which doesn't have these changes.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Tuesday, June 29, 2021 4:15 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Question about relying-party-system.xml
On 6/29/21, 5:00 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at shibboleth.net on behalf of rullfig at uic.edu> wrote:
> Yes we are on IDP 4.1. Where can I see shibboleth.DefaultSecurityConfiguration etc now?
In the source, I'll have to update the page when I have a chance.
> Also, I just noticed that idp.properties is set to the default cert hash:
That has nothing to do with any certificates, that's the digest algorithm used when signing XML.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
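The post above never says how it was established that the SP still receives the new key. An added example (not code from the thread or from the Shibboleth project): take a SAML Response the IdP actually sent, which a browser SAML tracer or the SP's logs will give you, and report which of the credentials configured in credentials.xml produced each signature, by fingerprinting the certificate carried in ds:KeyInfo. The credential bean names are the ones from the post; the Response, the issuer entityID and the two "certificates" are constructed placeholders (not real X.509 DER) so the script runs offline. The matching is done on every enveloped signature found, so it covers a signed Response, a signed Assertion, or both.

```python
# Added example for the thread above; not Shibboleth project code.
# Goal: given a SAML Response the IdP emitted, say which configured signing
# credential produced each signature, by matching the ds:X509Certificate in
# KeyInfo against the certificates behind the credential beans.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def pem_to_der(pem: str) -> bytes:
    """Accept PEM armour or a bare base64 body (as found in KeyInfo); return DER."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form openssl x509 -fingerprint prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def signing_certificates(saml_xml: str) -> dict:
    """Map the local name of each signed element (Response, Assertion, ...) to the
    fingerprint of the certificate in its ds:KeyInfo (None if KeyInfo has none)."""
    root = ET.fromstring(saml_xml)
    parent = {child: elem for elem in root.iter() for child in elem}
    found = {}
    for sig in root.iter("{%s}Signature" % DS):
        signed = parent[sig]  # enveloped signature: the parent is the signed element
        local = signed.tag.split("}", 1)[1]
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", {"ds": DS})
        if cert is None or not (cert.text or "").strip():
            found[local] = None
            continue
        found[local] = sha256_fingerprint(pem_to_der(cert.text))
    return found


def identify_signer(saml_xml: str, configured: dict) -> dict:
    """For each signed element, the name of the configured credential whose
    certificate matches, or None if the IdP signed with something else."""
    by_fp = {sha256_fingerprint(pem_to_der(pem)): name for name, pem in configured.items()}
    return {elem: by_fp.get(fp) for elem, fp in signing_certificates(saml_xml).items()}


# ---- constructed sample data (placeholders, NOT real certificates) ----------
def _placeholder_cert(label: bytes) -> str:
    """Stand-in for a PEM file such as idp.signing.cert; the body is not X.509 DER."""
    b64 = base64.b64encode(label * 16).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


def _b64_body(pem: str) -> str:
    return "".join(re.sub(r"-----[^-]*-----", "", pem).split())


# Bean names as in the post's credentials.xml; contents are placeholders.
CONFIGURED = {
    "shibboleth.DefaultSigningCredential": _placeholder_cert(b"idp.signing.cert   "),
    "shibboleth.OldSigningCredential": _placeholder_cert(b"idp.signing.cert.2 "),
}

# Constructed Response with a signed Assertion whose KeyInfo carries the old cert.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" IssueInstant="2021-06-30T13:41:30Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-06-30T13:41:30Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <ds:Signature xmlns:ds="%s">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>""" % (SAMLP, SAML, DS, _b64_body(CONFIGURED["shibboleth.OldSigningCredential"]))


if __name__ == "__main__":
    for elem, who in identify_signer(SAMPLE_RESPONSE, CONFIGURED).items():
        print("%s signed by: %s" % (elem, who or "a certificate not listed in credentials.xml"))
```

To use it against a real deployment, replace CONFIGURED with the contents of the files behind idp.signing.cert and idp.signing.cert.2 and SAMPLE_RESPONSE with a captured Response; a match on the wrong credential name tells you which profile's security configuration actually fired, which is more informative than the absence of an ERR line in the IdP log.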