Overview

The <CredentialResolver> element configures the component that gives the SP access to its public and private keys and certificates (collectively, its credentials). These keys are used to sign messages sent to IdPs, to authenticate TLS connections, and to decrypt data sent to the SP.

Tip

The credentials used by an SP MUST correspond to those supplied to relying parties and federations in the SP's metadata, or a variety of trust failures will result.

...

Changes to credentials must also be carefully choreographed to avoid service interruptions. Supporting IdPs that do not support metadata, or do not support it properly, implies a variety of manual workarounds and very careful configuration, or else by-fiat imposition of changes (essentially disavowing responsibility for any attendant failures).

The web server within which the SP is deployed also manages its own keys and certificates to establish TLS/SSL connections with browser users. While it is technically possible for the SP software to use the same keypair and certificate used by the web server itself, this is generally not a good idea. Also note that in the current implementation only the shibd daemon process needs access to the SP's credentials, so the web server needs no access to them whatsoever.

Types

Only one type of credential resolver is available; it is signified by the type="File" attribute:

Type    Description
File    Loads keys and certificates stored in local or remote files using common formats. PEM, DER, and PKCS#12 are supported.

Common Attributes

Name    Type      Default   Req?   Description
type    string    (none)    Y      Type of plugin to use; must be "File".

Note that multiple CredentialResolvers can be specified (see the Multiple Credentials topic for more detail).
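The Tip above says the SP's credentials MUST match what is published in its metadata, and the File resolver is the element that points at those credentials. The following is an added example, not code from the Shibboleth project, that reads a File CredentialResolver from a configuration fragment, decodes the PEM certificate it references, and checks that the same certificate appears in the SP's SAML metadata for each use (signing and encryption). The key, certificate and use attribute names follow the stock shibboleth2.xml and the Multiple Credentials topic but are not listed on this page, so treat them as assumptions here; the entityID, file names and certificate bytes are constructed sample data (the "certificate" is arbitrary bytes so the check runs without OpenSSL; a real deployment would read the actual PEM files and metadata).

```python
"""Check that the certificate loaded by a File CredentialResolver is the one
published in the SP's SAML metadata (added example, not Shibboleth code)."""
import base64
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}


def pem_to_der(text: str) -> bytes:
    """Decode a PEM certificate, or the bare base64 blob found in metadata,
    to DER bytes; headers, line wrapping and whitespace are ignored."""
    body = re.sub(r"-----(?:BEGIN|END)[^-]*-----", "", text)
    return base64.b64decode("".join(body.split()), validate=True)


def metadata_certs(metadata_xml: str) -> dict:
    """Return {use: set of DER certs} published in the SPSSODescriptor.
    A KeyDescriptor without a use attribute counts for both uses."""
    certs = {"signing": set(), "encryption": set()}
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = pem_to_der(cert.text or "")
            for use in uses:
                certs[use].add(der)
    return certs


def resolver_attrs(config_xml: str) -> list:
    """Return the attributes of every CredentialResolver in a config fragment,
    matching the element by local name so a default namespace does not matter."""
    found = []
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "CredentialResolver":
            if el.get("type") != "File":
                raise ValueError(f"unsupported resolver type {el.get('type')!r}")
            found.append(dict(el.attrib))
    return found


def check_credentials(config_xml: str, metadata_xml: str, files: dict) -> list:
    """Compare each resolver's certificate with the metadata; return a list of
    problems (an empty list means configuration and metadata agree)."""
    problems = []
    published = metadata_certs(metadata_xml)
    for attrs in resolver_attrs(config_xml):
        name = attrs.get("certificate")
        if name not in files:
            problems.append(f"certificate file {name!r} not found")
            continue
        der = pem_to_der(files[name])
        # Assumed: a resolver without a use attribute serves both uses.
        uses = [attrs["use"]] if "use" in attrs else ["signing", "encryption"]
        for use in uses:
            if der not in published[use]:
                problems.append(f"{name}: not published in metadata for {use}")
    return problems


# ---- constructed sample data (not real credentials) -----------------------
SP_DER = bytes(range(0, 64))      # stands in for the SP's current certificate
OLD_DER = bytes(range(64, 128))   # stands in for a stale certificate in metadata


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


FILES = {"sp-cert.pem": to_pem(SP_DER), "sp-key.pem": "(private key not needed here)"}

CONFIG = """<ApplicationDefaults entityID="https://sp.example.org/shibboleth">
  <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</ApplicationDefaults>"""


def metadata_with(der: bytes) -> str:
    """Minimal SP metadata publishing one certificate for both uses."""
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{base64.b64encode(der).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    print("current metadata:", check_credentials(CONFIG, metadata_with(SP_DER), FILES) or "OK")
    print("stale metadata:  ", check_credentials(CONFIG, metadata_with(OLD_DER), FILES))
```

The comparison is done on decoded DER bytes rather than on the PEM text, so differences in line wrapping or headers between the file and the metadata do not produce false alarms; only a genuinely different certificate does. Running the check against the federation's published copy of your metadata, rather than a local file, is what catches the rollover case described above, where the SP has switched keys but the metadata has not yet caught up.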