...
You can reference a JWKS (as in the other JWKS example) remotely via a URI. This is analogous to a rarely used (because of security, obviously) technique of remotely referencing certificates.
Client Secret Resolution
Client secrets, which are effectively either passwords or symmetric keys, are not something natively understood by SAML metadata, so extensions are defined to support them in one of the following ways.
...
Support also exists for indirectly referencing client secrets and resolving them at runtime separately. The metadata syntax is simply:
The reference string is just a label that has to correspond to some external source. Actually resolving secrets by reference requires one or more resolution beans be supplied in a list named shibboleth.oidc.ClientSecretValueResolvers, which does not exist by default. There are two built-in types of resolvers.

Property-Based Resolution
Client secrets can be placed in a Java properties file (the keys are the labels used in the metadata reference and the values are the secrets). You can supply any number of such sources in the resolver list, generally in conf/global.xml. Each source is defined using a parent bean named shibboleth.oidc.PropertiesClientSecretValueResolver:

Attribute Resolver Resolution
A "generic" solution to resolving secrets is provided by means of leveraging the AttributeResolver to resolve the secret. The parent bean named shibboleth.oidc.ResolverServiceClientSecretValueResolver along with a set of attribute IDs will invoke the resolver and attempt to find a string value amongst them to return. During the resolution process, the "principal" variable is populated with the client secret reference label.
To simplify the configuration of the resolver, you may conditionalize connectors by attaching a
Hashed Secrets (3.1)
If a secret value is prefixed by “{SHA2}”, the supplied secret is hashed with SHA-256 and base64-encoded before being compared to the rest of the secret string. This is an unsalted hash, so it is not really suitable for exposure to offline attacks, but it is at least obfuscated.
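The two pieces described above, property-based resolution of a secret by reference label and the “{SHA2}” comparison rule, as an added worked example. This is not Shibboleth's own code (the real resolvers are the Java beans listed in the Reference below); it assumes UTF-8 encoding of the secret and the standard base64 alphabet, and the properties content is a constructed sample.

```python
"""Added example, not part of the Shibboleth IdP: resolve a client secret by its
reference label from a Java-style properties source, then verify a presented
secret against it, honouring the "{SHA2}" prefix rule. Assumptions: the secret
is UTF-8 encoded and the digest uses standard (non-URL) base64."""
import base64
import hashlib
import hmac
import re
from typing import Dict, List, Optional

SHA2_PREFIX = "{SHA2}"

# Constructed sample properties file: key = metadata reference label, value = secret.
SAMPLE_PROPERTIES = """
# constructed sample, not a real deployment
rp-alpha = plain-text-secret-1
rp-beta  = {SHA2}ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' ':' or whitespace
    separators, backslash line continuations. Enough for a secrets file."""
    props: Dict[str, str] = {}
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):           # continued on the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        m = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            props[m.group(1)] = m.group(2)
    return props


class PropertiesClientSecretValueResolver:
    """Hypothetical stand-in for the properties-file resolver bean."""

    def __init__(self, properties_text: str) -> None:
        self.props = parse_properties(properties_text)

    def resolve(self, reference: str) -> Optional[str]:
        return self.props.get(reference)


def resolve_secret(resolvers: List[PropertiesClientSecretValueResolver],
                   reference: str) -> Optional[str]:
    """Walk the resolver list in order; the first one that knows the label wins."""
    for resolver in resolvers:
        value = resolver.resolve(reference)
        if value is not None:
            return value
    return None


def hash_secret(plain: str) -> str:
    """Produce the stored form: "{SHA2}" + base64(SHA-256(secret)). Unsalted."""
    digest = hashlib.sha256(plain.encode("utf-8")).digest()
    return SHA2_PREFIX + base64.b64encode(digest).decode("ascii")


def verify_secret(stored: str, presented: str) -> bool:
    """Compare a presented secret to the stored value; constant-time in both branches."""
    if stored.startswith(SHA2_PREFIX):
        expected = stored[len(SHA2_PREFIX):]
        actual = hash_secret(presented)[len(SHA2_PREFIX):]
        return hmac.compare_digest(expected.encode("ascii"), actual.encode("ascii"))
    return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))


def check_client(reference: str, presented: str) -> bool:
    """Resolve the label, then verify. Unknown labels never authenticate."""
    resolvers = [PropertiesClientSecretValueResolver(SAMPLE_PROPERTIES)]
    stored = resolve_secret(resolvers, reference)
    return stored is not None and verify_secret(stored, presented)


if __name__ == "__main__":
    print(hash_secret("abc"))
    print(check_client("rp-beta", "abc"), check_client("rp-beta", "abd"))
```

The hashed entry for `rp-beta` is the stored form of the string `abc`, so the file never holds that plaintext; because the hash is unsalted, identical secrets across clients produce identical stored values, which is the limitation the text above points out.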
Reference
Beans
Name / Type | Description
---|---
shibboleth.oidc.ClientSecretValueResolvers (List<net.shibboleth.oidc.metadata.ClientSecretValueResolver>) | List of client secret resolvers to apply to any
shibboleth.oidc.PropertiesClientSecretValueResolver (net.shibboleth.oidc.metadata.impl.PropertiesClientSecretValueResolver) | A resolver that looks for secrets in a Java properties file set via the
shibboleth.oidc.ResolverServiceClientSecretValueResolver (net.shibboleth.oidc.metadata.impl.ResolverServiceClientSecretValueResolver) | A resolver that executes the AttributeResolver to resolve one or more client secrets via attributes set via the
...