...
The IdP has two types of trust engines. Signature trust engines are used to validate a digital signature and to ensure that the credential used to create that signature is trusted; credential trust engines are used to ensure that the credentials a service provider presents when connecting to the IdP (for example, a TLS client certificate) are valid and trusted. What it means to be "trusted" depends on the exact trust engine used: the explicit-key engines below trust only the specific keys/certificates listed statically or published in metadata, while the PKIX engines trust any certificate that chains to a configured anchor (subject to revocation checking) and carries an expected name. Note that a trust engine only ever needs the public half of a credential; the IdP's own private key never belongs in a trust engine definition.
...
Code Block |
---|
| xml |
---|
title | Example Explicit Key Static Signature Trust Engine |
---|
| xml |
---|
|
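<!-- Signature trust engine with a static list of explicitly trusted credentials.
     Verifying a signature needs only the PUBLIC half of each credential, so the
     trusted Credential below carries just the certificate. The original example
     also listed the IdP's PrivateKey (with a plaintext password); that element is
     not needed here and exposing the key/password in a trust-engine definition is
     unnecessary risk. Keep the private key in the IdP's own signing credential.
     NOTE(review): PrivateKey is expected to be optional for X509Filesystem
     credentials; confirm against the security schema in use before deploying. -->
<security:TrustEngine xsi:type="security:StaticExplicitKeySignature"
                      id="UNIQUE_ID">
    <!-- One Credential element per trusted signer. KeyName is a label for the
         credential (presumably matched against the signer's KeyInfo; verify). -->
    <Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security"
                id="MyCredential">
        <KeyName>key.example.org</KeyName>
        <Certificate>/path/to/my/public.crt</Certificate>
    </Credential>
</security:TrustEngine>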
|
...
Code Block |
---|
| xml |
---|
title | Example Static PKIX Signature Trust Engine |
---|
| xml |
---|
|
<!-- PKIX signature trust engine. A signer is presumably accepted when its
     certificate chains (at most VerifyDepth links) to one of the ValidationInfo
     anchor certificates and is not listed in the CRL, and when one of its names
     matches a TrustedName; confirm the exact matching rules against the IdP
     documentation for the version in use. -->
<security:TrustEngine xsi:type="security:StaticPKIXSignature"
id="UNIQUE_ID">
<!-- Trusted names in the three forms the example shows: a subject DN, a DNS
     name, and an entityID-style URI.
     NOTE(review): the DN and DNS name refer to idp.example.org while the URI is
     an SP entityID; in a real deployment list only the names of the peers this
     engine is meant to trust. Any certificate under the anchors whose name
     matches one of these is accepted, so keep the list tight. -->
<TrustedName>CN=idp.example.org,DC=example,DC=org</TrustedName>
<TrustedName>idp.example.org</TrustedName>
<TrustedName>https://sp.example.org/shibboleth</TrustedName>
<!-- Trust anchors and revocation data loaded from the filesystem. VerifyDepth
     bounds chain length; 5 is permissive, so lower it if your CA hierarchy is
     shallower. The CRL must be kept current or revoked certificates stay trusted. -->
<ValidationInfo id="UNIQUE_ID" VerifyDepth="5" xsi:type="PKIXFilesystem" xmlns="urn:mace:shibboleth:2.0:security">
<Certificate>/path/to/trusted/cert1</Certificate>
<Certificate>/path/to/trusted/cert2</Certificate>
<CRL>/path/to/trusted/crl</CRL>
</ValidationInfo>
</security:TrustEngine>
|
...
Code Block |
---|
| xml |
---|
title | Example Explicit Key Metadata Signature |
---|
| xml |
---|
|
<!-- Explicit-key signature trust engine whose trusted keys come from the
     metadata provider referenced by metadataProviderRef.
     NOTE(review): the set of trusted signers is exactly what that provider
     supplies, so the provider's own integrity (e.g. verifying the metadata
     signature before use) bounds the trust this engine grants; verify that
     the referenced provider is protected accordingly. -->
<security:TrustEngine xsi:type="security:MetadataExplicitKeySignature"
id="UNIQUE_ID"
metadataProviderRef="METADATA_PROVIDER_ID" />
|
...
Code Block |
---|
| xml |
---|
title | Example PKIX Metadata Signature Trust Engine |
---|
| xml |
---|
|
<!-- PKIX signature trust engine whose trust anchors and trusted names are taken
     from the metadata provider referenced by metadataProviderRef (no static
     TrustedName/ValidationInfo is given here).
     NOTE(review): as with the explicit-key variant, the referenced metadata is
     the root of trust; confirm it is signature-verified before it is used. -->
<security:TrustEngine xsi:type="security:MetadataPKIXSignature"
id="UNIQUE_ID"
metadataProviderRef="METADATA_PROVIDER_ID" />
|
...
Code Block |
---|
| xml |
---|
title | Example Static X.509 Credential Trust Engine |
---|
| xml |
---|
|
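<!-- Credential trust engine with a static list of explicitly trusted X.509
     credentials (used to check what a connecting service provider presents).
     Checking a peer's credential needs only the PUBLIC certificate, so the
     trusted Credential below carries just that. The original example also
     listed the IdP's PrivateKey with a plaintext password; that is not needed
     for a trust decision and exposing it here is unnecessary risk.
     NOTE(review): PrivateKey is expected to be optional for X509Filesystem
     credentials; confirm against the security schema in use before deploying. -->
<security:TrustEngine xsi:type="security:StaticExplicitKey"
                      id="UNIQUE_ID">
    <!-- One Credential element per trusted peer; KeyName labels the credential. -->
    <Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security"
                id="MyCredential">
        <KeyName>key.example.org</KeyName>
        <Certificate>/path/to/my/public.crt</Certificate>
    </Credential>
</security:TrustEngine>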
|
...
Code Block |
---|
| xml |
---|
title | Example Static PKIX X.509 Trust Engine |
---|
| xml |
---|
|
<!-- PKIX credential trust engine (X.509 credentials presented by peers, e.g. on
     TLS). A credential is presumably accepted when its certificate chains, within
     VerifyDepth links, to a ValidationInfo anchor, is not revoked per the CRL,
     and carries a name matching a TrustedName; confirm the exact rules for the
     IdP version in use. -->
<security:TrustEngine xsi:type="security:StaticPKIXX509Credential"
id="UNIQUE_ID">
<!-- Trusted names: subject DN, DNS name, and entityID-style URI.
     NOTE(review): the DN/DNS names refer to idp.example.org while the URI is an
     SP entityID; list only the names of the peers this engine should accept,
     since any anchored certificate bearing a listed name will pass. -->
<TrustedName>CN=idp.example.org,DC=example,DC=org</TrustedName>
<TrustedName>idp.example.org</TrustedName>
<TrustedName>https://sp.example.org/shibboleth</TrustedName>
<!-- Filesystem trust anchors plus a CRL. VerifyDepth="5" is permissive; reduce
     it to your real CA depth. An out-of-date CRL leaves revoked peers trusted. -->
<ValidationInfo id="UNIQUE_ID" VerifyDepth="5" xsi:type="PKIXFilesystem" xmlns="urn:mace:shibboleth:2.0:security">
<Certificate>/path/to/trusted/cert1</Certificate>
<Certificate>/path/to/trusted/cert2</Certificate>
<CRL>/path/to/trusted/crl</CRL>
</ValidationInfo>
</security:TrustEngine>
|
...
Code Block |
---|
| xml |
---|
title | Example Explicit Key Metadata X.509 Credential Trust Engine |
---|
| xml |
---|
|
<!-- Explicit-key credential trust engine: a peer's X.509 credential is trusted
     only if it matches a key published for that peer by the referenced metadata
     provider.
     NOTE(review): the metadata provider is the root of trust here; confirm its
     contents are signature-verified before use. -->
<security:TrustEngine xsi:type="security:MetadataExplicitKey"
id="UNIQUE_ID"
metadataProviderRef="METADATA_PROVIDER_ID" />
|
...
Code Block |
---|
| xml |
---|
title | Example PKIX Metadata X.509 Credential Trust Engine |
---|
| xml |
---|
|
<!-- PKIX credential trust engine whose anchors and trusted names come from the
     referenced metadata provider rather than static TrustedName/ValidationInfo.
     NOTE(review): as with the other metadata-backed engines, the referenced
     metadata bounds what this engine trusts; confirm it is signature-verified. -->
<security:TrustEngine xsi:type="security:MetadataPKIXX509Credential"
id="UNIQUE_ID"
metadataProviderRef="METADATA_PROVIDER_ID" />
|