...
- shibboleth.DefaultSigningCredential
- shibboleth.DefaultClientTLSCredential
- shibboleth.DefaultEncryptionCredentials
The first is an instance two are instances of the Credential class and specifies specify the default keypair to use for signing and client TLS respectively. Client TLS isn't common, but may occur in rare instances such as inbound HTTP-Artifact binding messages or in future features such as outbound SOAP logout messages.
The latter third is a list that contains one or more instances of that same class, used for encryption (actually for decryption; this is the public key used to encrypt data for the IdP and the private key to decrypt it with).
If all you need is a single keypair for either/both functionseach function, then nothing needs to be done to this file. This is the strongly recommended approach. If you need to create additional signing credentials to use as overrides to behavior for specific relying parties, you may want to copy the existing bean and assign it a different id to refer to later (see below under Signing and Encryption).
...
Mechanisms exist for defining advanced Credentials and are discussed here.
Signing and Encryption Enablement
...
shibboleth.DefaultSigningCredential | Credential | Keypair used for signing, usually including a certificate |
| shibboleth.DefaultClientTLSCredential 3.4 | Credential | Keypair used for client TLS, including a certificate |
shibboleth.DefaultEncryptionCredentials | List<Credential> | Collection of keypairs used to decrypt data sent by others (technically only the private key matters here) |
| shibboleth.DefaultSecurityConfiguration | SecurityConfiguration | Default security configuration used by all profile beans |
| shibboleth.SecurityConfiguration.SHA256 3.4 | SecurityConfiguration | Security configuration that directly incorporates the SHA-256 signing configuration |
| shibboleth.SecurityConfiguration.SHA1 3.4 | SecurityConfiguration | Security configuration that directly incorporates the SHA-1 signing configuration |
| shibboleth.SecurityConfiguration.CBC 3.4 | SecurityConfiguration | Security configuration that directly incorporates the AES-CBC encryption configuration |
| shibboleth.SecurityConfiguration.GCM 3.4 | SecurityConfiguration | Security configuration that directly incorporates the AES-GCM encryption configuration |
| shibboleth.SigningConfiguration.SHA256 | BasicSignatureSigningConfiguration | Signing configuration that uses the SHA-256 digest algorithm |
| shibboleth.SigningConfiguration.SHA1 | BasicSignatureSigningConfiguration | Signing configuration that uses the SHA-1 digest algorithm |
| shibboleth.EncryptionConfiguration.CBC 3.4 | EncryptionConfiguration | Encryption configuration that uses the AES-CBC encryption algorithm |
| shibboleth.EncryptionConfiguration.GCM 3.4 | EncryptionConfiguration | Encryption configuration that uses the AES-GCM encryption algorithm |
| shibboleth.ExplicitKeySignatureTrustEngine | ExplicitKeySignatureTrustEngine | Signature verifier that relies on explicit keys in metadata |
| shibboleth.PKIXSignatureTrustEngine | PKIXSignatureTrustEngine | Signature verifier that validates certificates against PKIX rules in metadata |
| shibboleth.ChainingSignatureTrustEngine | ChainingSignatureTrustEngine | Signature verifier that chains the previous two beans together |
| shibboleth.ExplicitKeyX509TrustEngine 3.3 | Client certificate verifier that relies on explicit keys in metadata | |
| shibboleth.PKIXX509TrustEngine | PKIXX509CredentialTrustEngine | Client certificate verifier that validates certificates against PKIX rules in metadata |
| shibboleth.ChainingX509TrustEngine | ChainingTrustEngine | Client certificate verifier that chains the previous two beans together |
...