Question about relying-party-system.xml

Ullfig, Roberto Alfredo rullfig at
Wed Jun 30 13:41:30 UTC 2021

Did shibboleth.DefaultSecurityConfiguration change in 4.1? I can't get this to work. I have in credentials.xml:

    <util:list id="shibboleth.SigningCredentials">
        <ref bean="shibboleth.DefaultSigningCredential" />
        <ref bean="shibboleth.OldSigningCredential" />
    </util:list>

    <!-- Your IdP's default signing key, set via property file. -->
    <bean id="shibboleth.DefaultSigningCredential"
        p:entityId-ref="entityID" />

    <!-- Previous signing key, kept so relying parties still pinned to it keep working. -->
    <bean id="shibboleth.OldSigningCredential"
        p:entityId-ref="entityID" />

In relying-party.xml:

    <!-- Security configuration that signs with the old credential only. -->
    <bean id="OldSigningCredentialConfig" parent="shibboleth.DefaultSecurityConfiguration">
        <property name="signatureSigningConfiguration">
            <bean parent="shibboleth.SigningConfiguration.SHA256" p:signingCredentials-ref="shibboleth.OldSigningCredential" />
        </property>
    </bean>

        <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{''}}">
            <property name="profileConfigurations">
                <list>
                    <bean parent="Shibboleth.SSO" p:securityConfiguration-ref="OldSigningCredentialConfig" />
                    <bean parent="SAML2.SSO" p:disallowedFeatures-ref="SAML2.SSO.FEATURE_AUTHNCONTEXT">
                        <property name="defaultAuthenticationMethods">
                            <list>
                                <ref bean="MFASAML2Principal" />
                            </list>
                        </property>
                    </bean>
                </list>
            </property>
        </bean>

The application should work with shibboleth.OldSigningCredential. No ERR and it works fine using the other key on the production server which doesn't have these changes.

Roberto Ullfig - rullfig at
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Tuesday, June 29, 2021 4:15 PM
To: Shib Users <users at>
Subject: Re: Question about relying-party-system.xml

On 6/29/21, 5:00 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at on behalf of rullfig at> wrote:

>    Yes we are on IDP 4.1. Where can I see shibboleth.DefaultSecurityConfiguration etc now?

In the source, I'll have to update the page when I have a chance.

>    Also, I just noticed that is set to the default cert hash:

That has nothing to do with any certificates, that's the digest algorithm used when signing XML.

-- Scott
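A check an operator can run on a captured signed response to see which certificate and which digest algorithm actually went into the signature, which separates the "old key vs. default key" question from the digest-algorithm property Scott mentions. This is an added Python example, not code from the thread or from the Shibboleth project; it assumes the IdP includes its signing certificate in ds:KeyInfo, and the sample message and certificate bytes are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed stand-ins for DER certificate bytes; a real IdP carries its
# actual signing certificate here. Presence in ds:KeyInfo is an assumption.
OLD_CERT_B64 = base64.b64encode(b"constructed-old-signing-cert").decode()
DEFAULT_CERT_B64 = base64.b64encode(b"constructed-default-signing-cert").decode()

# Constructed, minimal signed SAML response skeleton (not real IdP output).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_abc123" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_abc123">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>constructed</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""

def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the DER bytes in a base64 certificate string."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def signature_facts(saml_xml: str) -> dict:
    """Report digest algorithm, signature algorithm and signer cert fingerprint.
    This inspects the signature; it does not validate it."""
    sig = ET.fromstring(saml_xml).find(f".//{DS}Signature")
    if sig is None:
        raise ValueError("message is not signed")
    digest = sig.find(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod").get("Algorithm")
    sig_alg = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm")
    cert = sig.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    fp = cert_fingerprint(cert.text) if cert is not None and cert.text else None
    return {"digest": digest, "signature": sig_alg, "cert_sha256": fp}

def signed_with(saml_xml: str, expected_cert_b64: str) -> bool:
    """True if the KeyInfo certificate matches the expected credential's cert."""
    return signature_facts(saml_xml)["cert_sha256"] == cert_fingerprint(expected_cert_b64)

if __name__ == "__main__":
    print(signature_facts(SAMPLE_RESPONSE))
    print("old credential used:", signed_with(SAMPLE_RESPONSE, OLD_CERT_B64))
```

Feed it the decoded SAMLResponse from a real login to confirm the relying-party override actually selected the old credential, and read the DigestMethod to see the digest setting independently of the key.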
