Versions Compared

Old Version 8

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version 9

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note also that the use of encryption in this context is specific to XML Encryption, and for the present, limited to use of SAML 2.0.

Table of Contents

Separate Signing and Encryption Keys

This is the simplest (but also not all that common) case, and is handled by labeling the individual resolvers in the chain with a use property, typically of "signing" or "encryption".

Code Block
xml
xml

<CredentialResolver type="Chaining">
     <CredentialResolver type="File" key="signing.key" certificate="signing.crt" use="signing"/>
     <CredentialResolver type="File" key="decrypt.key" certificate="decrypt.crt" use="encryption"/>
</CredentialResolver>

...

Therefore, combining these issues, if you want to perform rollover of a single keypair for both signing and encryption, you can follow these steps:

  1. Add the a second private key to your SP configuration explicitly as an encryption keya decryption key (use="encryption").
  2. Publish the new corresponding public key in your metadata and wait for propagation.
  3. Switch the encryption usage constraint in the SP configuration from the new key to the old key.
  4. Remove the old public key from the metadata and wait for propagation.
  5. Remove the old private key from your SP configuration.

As an example, if you start here:

Code Block
xml
xml

<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

Then the configuration after step 1 might be:

Code Block
xml
xml

<CredentialResolver type="Chaining">
     <CredentialResolver type="File" key="new-key.pem" certificate="new-cert.pem" use="encryption"/>
     <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</CredentialResolver>

After step 3:

Code Block
xml
xml

<CredentialResolver type="Chaining">
     <CredentialResolver type="File" key="new-key.pem" certificate="new-cert.pem"/>
     <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem" use="encryption"/>
</CredentialResolver>

And after step 5:

Code Block
xml
xml

<CredentialResolver type="File" key="new-key.pem" certificate="new-cert.pem"/>

...

Code Block
xml
titleExample using certificate subject as keyName
xml

<ApplicationDefaults ...>
    ...
    <Errors .../>
    <RelyingParty Name="https://idp.example.org/idp/shibboleth" keyName="trusted.example.org"/>
    ...
    <CredentialResolver type="Chaining">
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        <CredentialResolver type="File" key="trusted-key.pem" certificate="trusted-cert.pem"/>
    </CredentialResolver>
</ApplicationDefaults>

...

Code Block
xml
titleExample using locally chosen keyName
xml

<ApplicationDefaults ...>
    ...
    <Errors .../>
    <RelyingParty Name="https://idp.example.org/idp/shibboleth" keyName="Special"/>
    ...
    <CredentialResolver type="Chaining">
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
        <CredentialResolver type="File" key="trusted-key.pem" certificate="trusted-cert.pem" keyName="Special"/>
    </CredentialResolver>
</ApplicationDefaults>