...
As an advanced example, the documentation and built-in defaults expect the EC key to be a 256-bit key, which supports only a subset of the possible signing algorithms. If you had an RP that required the ES512 algorithm, a P-521 key would be needed, which you would need to generate and define in conf/oidc-credentials.xml:
```xml
<bean id="shibboleth.oidc.SpecialSigningCredential" parent="shibboleth.JWKCredential"
    p:resource="%{idp.home}/credentials/my-idp-signing-ec521.jwk" />
```
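Before pointing a credential bean at a newly generated key file, it is worth confirming that the JWK really matches the algorithm the RP asks for, since a default-sized P-256 key cannot sign ES512 no matter how the bean is wired. The check below is an added example, not code from the Shibboleth OIDC plugin or from this page; it uses only the Python standard library and the JWK field names from RFC 7518 (kty, crv, x, y, d, use, alg), and the sample keys are constructed placeholders.

```python
import base64

# Curve -> (JWS alg, coordinate length in bytes), per RFC 7518. Constructed
# for this example; not a table shipped with the Shibboleth OIDC plugin.
EC_CURVES = {"P-256": ("ES256", 32), "P-384": ("ES384", 48), "P-521": ("ES512", 66)}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_len(value):
    """Decoded byte length of an unpadded base64url field (RFC 7515 section 2)."""
    return len(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))

def check_ec_signing_jwk(jwk, required_alg):
    """Return the problems that stop `jwk` signing with `required_alg`.

    Empty means: private EC key on the curve the algorithm needs, coordinates
    of the right length, no conflicting use/alg hints. It does not verify that
    (x, y) is actually a point on the curve.
    """
    problems = []
    if jwk.get("kty") != "EC":
        return ["kty must be EC for an ES* algorithm, got %r" % jwk.get("kty")]
    crv = jwk.get("crv")
    if crv not in EC_CURVES:
        return ["unsupported or missing crv %r" % crv]
    alg, coord_len = EC_CURVES[crv]
    if alg != required_alg:
        problems.append("curve %s only supports %s, not %s" % (crv, alg, required_alg))
    if "d" not in jwk:
        problems.append("no private component 'd': this is a public key, not a signing keypair")
    for field in ("x", "y"):
        if field not in jwk:
            problems.append("missing coordinate %r" % field)
        elif _b64url_len(jwk[field]) != coord_len:
            problems.append("coordinate %r is not %d bytes for %s" % (field, coord_len, crv))
    if jwk.get("use", "sig") != "sig":
        problems.append("key use is %r, expected 'sig'" % jwk["use"])
    if jwk.get("alg", required_alg) != required_alg:
        problems.append("jwk declares alg %r, which conflicts with %s" % (jwk["alg"], required_alg))
    return problems

# Constructed placeholder coordinates (NOT real key material); only their
# lengths matter to the checks above.
P521_JWK = {"kty": "EC", "crv": "P-521", "kid": "idp-ec521-example",
            "x": _b64url(b"\x01" * 66), "y": _b64url(b"\x02" * 66), "d": _b64url(b"\x03" * 66)}
P256_JWK = {"kty": "EC", "crv": "P-256", "kid": "idp-ec256-example",
            "x": _b64url(b"\x01" * 32), "y": _b64url(b"\x02" * 32), "d": _b64url(b"\x03" * 32)}
```

Run `check_ec_signing_jwk(json.load(open(path)), "ES512")` against the file named in the bean's p:resource before restarting the IdP; an empty list means the key can serve that algorithm.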
Then you would need to define a new configuration bean and apply it to an RP profile in conf/relying-party.xml:
...
**Properties**

Security-related properties in conf/oidc.properties:

| Name | Type | Default | Description |
|---|---|---|---|
| idp.signing.oidc.rs.key | JWK file pathname | | JWK RSA signing keypair |
| idp.signing.oidc.es.key | JWK file pathname | | JWK EC signing keypair |
| idp.signing.oidc.rsa.enc.key | JWK file pathname | | JWK RSA decryption keypair |
| idp.oidc.signing.config | Bean ID | shibboleth.oidc.SigningConfiguration | Allows override of default signing configuration |
| idp.oidc.encryption.config | Bean ID | shibboleth.oidc.EncryptionConfiguration | Allows override of default encryption configuration |
| idp.oidc.rodecrypt.config | Bean ID | shibboleth.oidc.requestObjectDecryptionConfiguration | Allows override of default request decryption configuration |
| idp.oidc.rovalid.config | Bean ID | shibboleth.oidc.requestObjectSignatureValidationConfiguration | Allows override of default request signature validation configuration |
| idp.oidc.rovalid.config | Bean ID | shibboleth.oidc.tokenEndpointJwtSignatureValidationConfiguration | Allows override of default JWT token validation configuration |

Beans defined in conf/oidc-credentials.xml or internally for use in conf/relying-party.xml:

| Name | Type | Description |
|---|---|---|
| shibboleth.JWKCredential | net.shibboleth.idp.plugin.oidc.op.profile.spring.factory.BasicJWKCredentialFactoryBean | Spring factory bean for easy definition of JWK-formatted credentials |
| shibboleth.oidc.DefaultRSSigningCredential | Credential | Default RSA signing keypair used with OIDC |
| shibboleth.oidc.DefaultESSigningCredential | Credential | Default EC signing keypair used with OIDC |
| shibboleth.oidc.DefaultRSAEncryptionCredential | Credential | Default RSA decryption keypair used with OIDC |
| shibboleth.oidc.SigningCredentials | List<Credential> | List of signing keys available for use with OIDC |
| shibboleth.oidc.EncryptionCredentials | List<Credential> | List of encryption keys available for use in decryption with OIDC |
| shibboleth.oidc.SigningCredentialsToPublish | List<Credential> | List of signing keys to publish to RPs with OIDC |
| shibboleth.oidc.EncryptionCredentialsToPublish | List<Credential> | List of encryption keys to publish to RPs with OIDC |
| shibboleth.oidc.DefaultSecurityConfiguration | SecurityConfiguration | Default security configuration used by all OIDC profile beans |
| shibboleth.oidc.SigningConfiguration | BasicSignatureSigningConfiguration | Default signing behavior for OIDC profiles; auto-wires default algorithms and signing keys |
| shibboleth.oidc.EncryptionConfiguration | EncryptionConfiguration | Default encryption behavior for OIDC profiles; auto-wires default algorithms |
| shibboleth.oidc.requestObjectDecryptionConfiguration | EncryptionConfiguration | Default decryption behavior for OIDC request decryption |
| shibboleth.oidc.requestObjectSignatureValidationConfiguration | BasicSignatureSigningConfiguration | Default signature validation behavior for OIDC request signatures |
| shibboleth.oidc.tokenEndpointJwtSignatureValidationConfiguration | BasicSignatureSigningConfiguration | Default signature validation behavior for validating JWTs used as endpoint credentials |