...

Remote JWKS

You can reference a JWKS (as in the other JWKS example) remotely via a URI. This is analogous to the rarely used (for obvious security reasons) technique of referencing certificates remotely: the keys you trust are whatever the fetched document says they are, so the trust reduces to the TLS connection to that URI and the integrity of the host serving it, and a compromised or replaced JWKS endpoint silently swaps the client's keys.

<md:KeyDescriptor>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>mockJwkId</ds:KeyName>
        <oidcmd:JwksUri>https://example.org/jwks</oidcmd:JwksUri>
    </ds:KeyInfo>
</md:KeyDescriptor>

Client Secret Resolution

Client secrets, which are effectively either passwords or symmetric keys, are not something natively understood by SAML metadata, so extensions are defined to support them in one of the following ways.

...

By Reference

Support also exists for indirectly referencing client secrets and resolving them at runtime separately. The metadata syntax is simply:

<md:KeyDescriptor>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <oidcmd:ClientSecretKeyReference>secretReference1</oidcmd:ClientSecretKeyReference>
    </ds:KeyInfo>
</md:KeyDescriptor>

The reference string is an opaque label; it carries no secret material itself and only has meaning to whatever external source a resolver consults to map it to the actual value at runtime. A label that no resolver can map to a value leaves the client with no usable secret.

Actually resolving secrets by reference requires that one or more resolver beans be supplied in a list named shibboleth.oidc.ClientSecretValueResolvers, which does not exist by default.

There are two built-in types of resolvers.

Property-Based Resolution

Client secrets can be placed in a Java properties file (the keys are the labels used in the metadata reference and the values are the secrets). You can supply any number of such sources in the resolver list, generally in conf/global.xml; the sources are consulted in list order. Each source is defined using a parent bean named shibboleth.oidc.PropertiesClientSecretValueResolver. Note that, unless the values use the hashed form described below, this file holds the secrets in the clear and needs the same filesystem protection as the rest of the credentials/ directory:

<util:list id="shibboleth.oidc.ClientSecretValueResolvers">
    <bean parent="shibboleth.oidc.PropertiesClientSecretValueResolver"
        p:resource="%{idp.home}/credentials/client-secrets.properties" />
</util:list>

Attribute Resolver Resolution

A "generic" solution to resolving secrets is provided by leveraging the AttributeResolver to resolve the secret. The parent bean named shibboleth.oidc.ResolverServiceClientSecretValueResolver, configured with a set of attribute IDs, invokes the resolver and returns the first string value it finds among the named attributes. During this resolution process the "principal" variable is populated with the client secret reference label rather than with a user identity, so connectors and attribute definitions can key their lookups off that label.

<util:list id="shibboleth.oidc.ClientSecretValueResolvers">
    <bean parent="shibboleth.oidc.ResolverServiceClientSecretValueResolver"
        p:attributeIds="ClientSecretAttribute" />
</util:list>

To simplify the configuration of the resolver, you may conditionalize connectors by attaching a resolutionPhases attribute set to "ResolverServiceClientSecretValueResolver", causing them to run only during this special case. You can also set excludeResolutionPhases to invert the check for other connectors.

Hashed Secrets (3.1)

If a secret value is prefixed by "{SHA2}", then the secret supplied by the client is hashed with SHA-256 and base64-encoded before being compared to the remainder of the stored string. This is an unsalted hash with no work factor, so it does not protect a low-entropy secret against offline attack: anyone who obtains the stored string can test candidate secrets at full SHA-256 speed, and identical secrets produce identical stored values. It is adequate only where the client secret is itself a long random value, and otherwise should be regarded as obfuscation rather than protection.
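The following is a worked model of resolving a client secret by reference and checking a supplied secret against it, added here as an illustration; it is not code from the Shibboleth OIDC plugin. It reads a constructed properties file of the shape consumed by shibboleth.oidc.PropertiesClientSecretValueResolver, resolves a reference label through a list of sources in order, and verifies a supplied secret against either a plaintext or a "{SHA2}"-prefixed stored value. Assumptions not stated on the page: the secret is hashed as its UTF-8 bytes, the properties parser ignores backslash continuations and unicode escapes, and the constant-time comparison is this example's choice, not a description of what the IdP does.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample of a Java properties file of the kind read by
# shibboleth.oidc.PropertiesClientSecretValueResolver. Keys are the labels
# used in <oidcmd:ClientSecretKeyReference>; values are the secrets.
# secretReference2 stores the {SHA2} form (hash of the constructed secret
# "abc"). These are not real credentials.
SAMPLE_PROPERTIES = """
# constructed example: credentials/client-secrets.properties
secretReference1 = plaintext-secret-value
secretReference2 = {SHA2}ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=
"""

SHA2_PREFIX = "{SHA2}"

# key, optional '=' or ':' separator (or just whitespace), then the value
_PROP_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal Java properties reader: one key/value per line, '#' or '!'
    comment lines. Backslash continuations and unicode escapes are not
    handled (a simplification assumed by this example)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _PROP_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).rstrip()
    return props


def resolve_secret(label, sources):
    """Mirror the resolver list: the first source that knows the label wins.
    Returns None when no source resolves it (a dangling reference)."""
    for source in sources:
        if label in source:
            return source[label]
    return None


def sha2_hash(secret):
    """Produce the stored {SHA2} form: base64(SHA-256(secret)).
    Assumes the secret is hashed as its UTF-8 bytes (not stated on the page)."""
    digest = hashlib.sha256(secret.encode("utf-8")).digest()
    return SHA2_PREFIX + base64.b64encode(digest).decode("ascii")


def verify_client_secret(stored, supplied):
    """Compare a client-supplied secret against the resolved stored value.
    Handles both plain and {SHA2}-prefixed storage. An unresolved reference
    (stored is None) never verifies. hmac.compare_digest is this example's
    choice to avoid timing leaks; the page does not say how the IdP compares."""
    if stored is None:
        return False
    if stored.startswith(SHA2_PREFIX):
        expected = stored[len(SHA2_PREFIX):]
        actual = sha2_hash(supplied)[len(SHA2_PREFIX):]
        return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    sources = [parse_properties(SAMPLE_PROPERTIES)]
    for label, attempt in [("secretReference1", "plaintext-secret-value"),
                           ("secretReference2", "abc"),
                           ("secretReference2", "abd"),
                           ("secretReferenceX", "abc")]:
        ok = verify_client_secret(resolve_secret(label, sources), attempt)
        print(f"{label} / {attempt!r}: {'accepted' if ok else 'rejected'}")
```

Because the {SHA2} form is unsalted, `sha2_hash("abc")` is the same string for every deployment that stores that secret, which is exactly why the stored value must still be treated as sensitive; generating secrets as long random strings before hashing them is what makes the form worthwhile.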

Reference

Beans

shibboleth.oidc.ClientSecretValueResolvers
    Type: List<net.shibboleth.oidc.metadata.ClientSecretValueResolver>
    List of client secret resolvers applied, in order, to any <oidcmd:ClientSecretKeyReference> elements in SAML metadata.

shibboleth.oidc.PropertiesClientSecretValueResolver
    Type: net.shibboleth.oidc.metadata.impl.PropertiesClientSecretValueResolver
    A resolver that looks for secrets in a Java properties file set via the resource bean property.

shibboleth.oidc.ResolverServiceClientSecretValueResolver
    Type: net.shibboleth.oidc.metadata.impl.ResolverServiceClientSecretValueResolver
    A resolver that executes the AttributeResolver to resolve one or more client secrets via the attributes named in the attributeIds bean property.

...