
...

The IdP has two types of trust engines: signature trust engines, which are used to validate a digital signature and ensure that the credentials used to create that signature are trusted, and credential trust engines, which are used to ensure that the credentials a service provider uses to connect to the IdP are valid and trusted. What it means to be trusted depends on the exact trust engine used.

...

Example: Explicit Key Static Signature Trust Engine

<!-- Signature trust engine with a statically configured key. Presumably a signature
     is accepted only when it verifies directly against the key held in the inline
     Credential below, with no certificate path building involved. -->
<security:TrustEngine xsi:type="security:StaticExplicitKeySignature"
                      id="UNIQUE_ID">

    <!-- Credential whose key and certificate are read from files on the IdP host. -->
    <Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security"
                id="MyCredential">
        <KeyName>key.example.org</KeyName>
        <!-- NOTE(review): the key password is stored in clear text in this file, so the
             file must be readable only by the account the IdP runs as. A trust engine
             only verifies signatures; the PrivateKey does not appear to be needed for
             that purpose, confirm against the schema before omitting it. -->
        <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>
        <!-- Certificate carrying the public key that signatures are checked against. -->
        <Certificate>/path/to/my/public.crt</Certificate>
    </Credential>

</security:TrustEngine>

...

Example: Static PKIX Signature Trust Engine

<!-- Signature trust engine using PKIX validation against a static set of trust
     anchors. Presumably the signing certificate must chain to one of the
     Certificates in ValidationInfo and match one of the TrustedNames. -->
<security:TrustEngine xsi:type="security:StaticPKIXSignature"
                      id="UNIQUE_ID">

    <!-- Names the signing certificate is expected to carry. The example lists a
         subject DN, a host name and a URL (the usual shape of a SAML entity ID);
         which certificate fields each is matched against is not shown here. -->
    <TrustedName>CN=idp.example.org,DC=example,DC=org</TrustedName>
    <TrustedName>idp.example.org</TrustedName>
    <TrustedName>https://sp.example.org/shibboleth</TrustedName>

    <!-- Trust anchors and revocation data loaded from the filesystem.
         VerifyDepth presumably caps the length of the certificate chain that is
         accepted (confirm against the schema documentation).
         NOTE(review): "UNIQUE_ID" is also the id of the enclosing TrustEngine; give
         each element a distinct id when copying this example. -->
    <ValidationInfo id="UNIQUE_ID" VerifyDepth="5" xsi:type="PKIXFilesystem" xmlns="urn:mace:shibboleth:2.0:security">
        <Certificate>/path/to/trusted/cert1</Certificate>
        <Certificate>/path/to/trusted/cert2</Certificate>
        <!-- Certificate revocation list consulted during validation; keep it current,
             otherwise revoked signer certificates will still be trusted. -->
        <CRL>/path/to/trusted/crl</CRL>
    </ValidationInfo>

</security:TrustEngine>

...

Example: Explicit Key Metadata Signature Trust Engine

<!-- Signature trust engine that takes its trusted keys from SAML metadata instead of
     inline configuration: the keys are presumably resolved from the metadata provider
     named by metadataProviderRef.
     NOTE(review): trust therefore rests on how that provider verifies the metadata it
     loads (signature check, validity window), so review its configuration alongside
     this engine. -->
<security:TrustEngine xsi:type="security:MetadataExplicitKeySignature"
                      id="UNIQUE_ID"
                      metadataProviderRef="METADATA_PROVIDER_ID" />

...

Example: PKIX Metadata Signature Trust Engine

<!-- Signature trust engine using PKIX validation with trust anchors and trusted
     names presumably taken from the metadata provider named by metadataProviderRef,
     rather than from a static ValidationInfo element.
     NOTE(review): the metadata provider's own verification of what it loads is the
     root of trust here; check it before relying on this engine. -->
<security:TrustEngine xsi:type="security:MetadataPKIXSignature"
                      id="UNIQUE_ID"
                      metadataProviderRef="METADATA_PROVIDER_ID" />

...

Example: Static X.509 Credential Trust Engine

<!-- Credential trust engine (checks the credential a service provider presents when
     connecting to the IdP) with a statically configured key. Presumably the presented
     credential is trusted only if it matches the inline Credential below. -->
<security:TrustEngine xsi:type="security:StaticExplicitKey"
                      id="UNIQUE_ID">

    <!-- Credential whose key and certificate are read from files on the IdP host. -->
    <Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security"
                id="MyCredential">
        <KeyName>key.example.org</KeyName>
        <!-- NOTE(review): the key password is stored in clear text in this file, so the
             file must be readable only by the account the IdP runs as. Establishing
             trust in a peer's credential needs only the public side; confirm against
             the schema whether PrivateKey can be omitted here. -->
        <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>
        <!-- Certificate of the trusted peer credential. -->
        <Certificate>/path/to/my/public.crt</Certificate>
    </Credential>

</security:TrustEngine>

...

Example: Static PKIX X.509 Trust Engine

<!-- Credential trust engine (checks the X.509 credential a service provider presents
     when connecting) using PKIX validation against a static set of trust anchors.
     Presumably the presented certificate must chain to one of the Certificates in
     ValidationInfo and match one of the TrustedNames. -->
<security:TrustEngine xsi:type="security:StaticPKIXX509Credential"
                      id="UNIQUE_ID">

    <!-- Names the presented certificate is expected to carry. The example lists a
         subject DN, a host name and a URL (the usual shape of a SAML entity ID);
         which certificate fields each is matched against is not shown here. -->
    <TrustedName>CN=idp.example.org,DC=example,DC=org</TrustedName>
    <TrustedName>idp.example.org</TrustedName>
    <TrustedName>https://sp.example.org/shibboleth</TrustedName>

    <!-- Trust anchors and revocation data loaded from the filesystem.
         VerifyDepth presumably caps the length of the certificate chain that is
         accepted (confirm against the schema documentation).
         NOTE(review): "UNIQUE_ID" is also the id of the enclosing TrustEngine; give
         each element a distinct id when copying this example. -->
    <ValidationInfo id="UNIQUE_ID" VerifyDepth="5" xsi:type="PKIXFilesystem" xmlns="urn:mace:shibboleth:2.0:security">
        <Certificate>/path/to/trusted/cert1</Certificate>
        <Certificate>/path/to/trusted/cert2</Certificate>
        <!-- Certificate revocation list consulted during validation; keep it current,
             otherwise revoked peer certificates will still be trusted. -->
        <CRL>/path/to/trusted/crl</CRL>
    </ValidationInfo>

</security:TrustEngine>

...

Example: Explicit Key Metadata X.509 Credential Trust Engine

<!-- Credential trust engine that takes the trusted peer keys from SAML metadata: the
     presented credential is presumably compared against keys resolved from the
     metadata provider named by metadataProviderRef.
     NOTE(review): trust therefore rests on how that provider verifies the metadata it
     loads (signature check, validity window), so review its configuration alongside
     this engine. -->
<security:TrustEngine xsi:type="security:MetadataExplicitKey"
                      id="UNIQUE_ID"
                      metadataProviderRef="METADATA_PROVIDER_ID" />

...

Example: PKIX Metadata X.509 Credential Trust Engine

<!-- Credential trust engine using PKIX validation of the presented X.509 credential,
     with trust anchors and trusted names presumably taken from the metadata provider
     named by metadataProviderRef rather than from a static ValidationInfo element.
     NOTE(review): the metadata provider's own verification of what it loads is the
     root of trust here; check it before relying on this engine. -->
<security:TrustEngine xsi:type="security:MetadataPKIXX509Credential"
                      id="UNIQUE_ID"
                      metadataProviderRef="METADATA_PROVIDER_ID" />