saml2 mtls issue

Corin.Langosch at swisscom.com Corin.Langosch at swisscom.com
Tue Nov 9 14:11:23 UTC 2021


Hi guys,

I need to configure a shibboleth SP with an IDP which requires mTLS for the SAML2 artifact back-channel. The challenge is that the IDP requires different certificates to be used for encryption, signing and the mTLS of the back-channel.

When I configure the RelyingParty#Name with the entity-id of the IDP it seems shibboleth is using the mtls-crt (client certificate) not only for the mTLS of the back-channel but also already in the AuthnRequest:

<RelyingParty Name="some-idp" keyName="client-cert"/>
<CredentialResolver type="Chaining">
  <CredentialResolver type="File" use="signing" certificate="sp-signing-cert.pem" key="sp-signing-key.pem"/>
  <CredentialResolver type="File" use="encryption" certificate="sp-encrypt-cert.pem" key="sp-encrypt-key.pem"/>
  <CredentialResolver type="File" certificate="mtls-crt.pem" key="mtls-key.pem" keyName="client-cert"/>
</CredentialResolver>

When I configure the RelyingParty#Name with the domain of the back-channel (e.g. mtls.example.org) it seems the client certificate is not used at all.

<RelyingParty Name="mtls.example.org" keyName="client-cert"/>
<CredentialResolver type="Chaining">
  <CredentialResolver type="File" use="signing" certificate="sp-signing-cert.pem" key="sp-signing-key.pem"/>
  <CredentialResolver type="File" use="encryption" certificate="sp-encrypt-cert.pem" key="sp-encrypt-key.pem"/>
  <CredentialResolver type="File" certificate="mtls-crt.pem" key="mtls-key.pem" keyName="client-cert"/>
</CredentialResolver>

I also tried a different syntax like putting the domain name in the keyName, but it still doesn't get used:

<RelyingParty keyName="mtls.example.org"/>
<CredentialResolver type="Chaining">
  <CredentialResolver type="File" use="signing" certificate="sp-signing-cert.pem" key="sp-signing-key.pem"/>
  <CredentialResolver type="File" use="encryption" certificate="sp-encrypt-cert.pem" key="sp-encrypt-key.pem"/>
  <CredentialResolver type="File" certificate="mtls-crt.pem" key="mtls-key.pem" keyName="mtls.example.org"/>
</CredentialResolver>

How can I make shibboleth use the client certificate only for the mTLS of the back-channel and the other two certificates for signing and encryption? Thank you very much in advance for any help.

Corin
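A way to confirm the symptom described in the post (the mTLS client certificate turning up in the AuthnRequest instead of the signing certificate) is to pull the ds:X509Certificate out of a captured request and compare its fingerprint with the PEM files named in shibboleth2.xml. The script below is an added example, not code from the post or from the Shibboleth project; it assumes a POST-binding AuthnRequest with an embedded KeyInfo (a Redirect-binding request carries its signature in the query string, not in the XML). The certificate bytes and the AuthnRequest are constructed stand-ins so the script runs offline; point pem_files at the real sp-signing-cert.pem and mtls-crt.pem to use it for a live check.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _fake_pem(label: bytes) -> str:
    """Build a PEM-shaped blob from constructed bytes (NOT a real certificate).
    Only the DER fingerprint is compared, so any byte string exercises the logic."""
    b64 = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample files, named after the files in the poster's shibboleth2.xml.
SAMPLE_PEMS = {
    "sp-signing-cert.pem": _fake_pem(b"constructed SP signing certificate DER"),
    "sp-encrypt-cert.pem": _fake_pem(b"constructed SP encryption certificate DER"),
    "mtls-crt.pem": _fake_pem(b"constructed back-channel client certificate DER"),
}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the raw DER bytes."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def certs_in_authn_request(xml_text: str) -> list:
    """Fingerprints of every ds:X509Certificate embedded in the request's KeyInfo."""
    root = ET.fromstring(xml_text)
    fps = []
    for el in root.iter(f"{{{DS_NS}}}X509Certificate"):
        der = base64.b64decode("".join((el.text or "").split()))
        fps.append(fingerprint(der))
    return fps


def identify_request_certs(xml_text: str, pem_files: dict) -> list:
    """Map each embedded certificate to the configured PEM file it matches,
    or 'unknown:<prefix>' when none of the configured files match."""
    known = {fingerprint(pem_to_der(pem)): name for name, pem in pem_files.items()}
    return [known.get(fp, "unknown:" + fp[:16]) for fp in certs_in_authn_request(xml_text)]


def signing_cert_ok(xml_text: str, pem_files: dict,
                    expected: str = "sp-signing-cert.pem") -> bool:
    """True only if the request carries exactly the intended signing certificate."""
    return identify_request_certs(xml_text, pem_files) == [expected]


# Constructed AuthnRequest modelling the reported behaviour: the KeyInfo carries
# the mTLS client certificate rather than the SP signing certificate.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2021-11-09T14:11:23Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <ds:Signature xmlns:ds="{DS_NS}">
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(pem_to_der(SAMPLE_PEMS["mtls-crt.pem"])).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""


if __name__ == "__main__":
    print("certificates in request:", identify_request_certs(SAMPLE_AUTHN_REQUEST, SAMPLE_PEMS))
    print("signing certificate as intended:", signing_cert_ok(SAMPLE_AUTHN_REQUEST, SAMPLE_PEMS))
```

Run against the constructed sample, identify_request_certs reports mtls-crt.pem and signing_cert_ok is False, which is the misconfiguration the post describes; after a config change the same check against a freshly captured request should report sp-signing-cert.pem only. Comparing DER fingerprints rather than PEM text avoids false mismatches from line wrapping or header differences.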