...
Approach 1: Add KeyNames for all entities
This approach involves ensuring that all entities have at least one KeyName for every KeyDescriptor that they contain.
```xml
<!-- The top-level entities group containing globally-scoped key authorities. -->
<md:EntitiesDescriptor name="allEntities">

    <!-- All entities within this EntitiesDescriptor are within the scope of these key authorities. -->
    <md:Extensions>
        <shibmd:KeyAuthority>
            ...
        </shibmd:KeyAuthority>
        <shibmd:KeyAuthority>
            ...
        </shibmd:KeyAuthority>
    </md:Extensions>

    <!-- For clarity, other entities not shown. -->
    <md:EntityDescriptor entityID="https://www.example1.org/sp">
        ...
    </md:EntityDescriptor>
    <md:EntityDescriptor entityID="https://www.example2.org/sp">
        ...
    </md:EntityDescriptor>

    <!-- This entity has a key specified by an X509Data element for use with the
         explicit key model. A KeyName has been added and it is no longer
         vulnerable to this issue. -->
    <md:EntityDescriptor entityID="https://www.example3.org/sp">
        <md:SPSSODescriptor>
            <md:KeyDescriptor>
                <ds:KeyInfo>
                    <ds:KeyName>www.example3.org</ds:KeyName>
                    <ds:X509Data>
                        ...
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>

</md:EntitiesDescriptor>
```
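Before applying this approach across a large aggregate, an operator needs to know which entities are still missing a KeyName. The following audit script is an added example, not part of the original page or the Shibboleth project; it parses a metadata aggregate and reports every KeyDescriptor whose KeyInfo has no ds:KeyName. The embedded sample metadata and its entityIDs are constructed for illustration.

```python
"""Audit SAML metadata for KeyDescriptor elements that lack a ds:KeyName."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def find_keydescriptors_without_keyname(metadata_xml: str) -> list[tuple[str, int]]:
    """Return (entityID, key-descriptor index) for every KeyDescriptor with no KeyName.

    For metadata fetched from an untrusted source, parse with defusedxml instead of
    the stdlib parser; the traversal logic is unchanged.
    """
    root = ET.fromstring(metadata_xml)
    missing = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity_id = entity.get("entityID", "")
        # Walk every KeyDescriptor beneath this entity, whatever role descriptor holds it.
        for idx, kd in enumerate(entity.iter("{%s}KeyDescriptor" % NS["md"])):
            if kd.find("ds:KeyInfo/ds:KeyName", NS) is None:
                missing.append((entity_id, idx))
    return missing


# Constructed sample: one entity already carries a KeyName, the other does not.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" name="allEntities">
  <md:EntityDescriptor entityID="https://sp-with-keyname.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo>
        <ds:KeyName>sp-with-keyname.example</ds:KeyName>
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-without-keyname.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo>
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    for entity_id, idx in find_keydescriptors_without_keyname(SAMPLE_METADATA):
        print(f"{entity_id}: KeyDescriptor #{idx} has no KeyName")
```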
...