
Terminology

  • KeyDescriptor: An <md:KeyDescriptor> element in SAML metadata.

  • KeyDescriptor of type “signing”: An <md:KeyDescriptor> element decorated with a use="signing" XML attribute.

  • KeyDescriptor of type “encryption”: An <md:KeyDescriptor> element decorated with a use="encryption" XML attribute.

  • Signing certificate: A public key certificate bound to a KeyDescriptor of type “signing” in SAML metadata. A signing certificate is indistinguishable from a back-channel TLS certificate in metadata.

  • Back-channel TLS certificate: A public key certificate bound to a KeyDescriptor of type “signing” in SAML metadata. A back-channel TLS certificate is indistinguishable from a signing certificate in metadata.

  • Encryption certificate: A public key certificate bound to a KeyDescriptor of type “encryption” in SAML metadata.

  • Credential: A private key plus its corresponding public key certificate.

  • Signing credential: A key pair used for XML Signature. The public key is bound to a signing certificate in metadata. The private key is securely held by the party that signs the XML message.

  • Back-channel TLS credential: A key pair used for back-channel TLS authentication. The public key is bound to a back-channel TLS certificate in metadata. The private key is securely held by the party to be authenticated.

  • Encryption credential: A key pair used for XML Encryption. The public key is bound to an encryption certificate in metadata. The private key is securely held by the party that decrypts the XML message.

...

There are two types of KeyDescriptors in SAML metadata: the signing KeyDescriptor type and the encryption KeyDescriptor type. These KeyDescriptor types correspond to the following metadata elements (resp.):

...

Signing KeyDescriptor Type

The signing KeyDescriptor type corresponds to an <md:KeyDescriptor use="signing"> element in metadata. The actual key certificate contained by this metadata element is used for message-level signing (i.e., XML Signature) or back-channel TLS authentication (or both).

Encryption KeyDescriptor Type

The encryption KeyDescriptor type corresponds to an <md:KeyDescriptor use="encryption"> element in metadata. The actual key certificate contained by this metadata element is used for message-level encryption (i.e., XML Encryption).

Note: The use XML attribute

According to the SAML metadata schema, the md:KeyDescriptor/@use XML attribute is an optional attribute. A KeyDescriptor with no use XML attribute such as

<md:KeyDescriptor>

is merely an optimization for a pair of contiguous elements

<md:KeyDescriptor use="signing">
<md:KeyDescriptor use="encryption">

each with exactly the same content.
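To make the optional-use rule concrete, here is an added example (not code from the original page) that walks the KeyDescriptors in a SAML metadata document and expands a KeyDescriptor with no use attribute into both the signing and encryption lists, exactly as the note above describes. The metadata document, the entityID and the certificate values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata: the first KeyDescriptor has no use attribute
# (so it applies to both uses); the second is encryption-only.
# "CERT-A" / "CERT-B" stand in for base64 X.509 certificates.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-A</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-B</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def key_descriptors_by_use(metadata_xml: str) -> dict:
    """Return {"signing": [...], "encryption": [...]} of certificate text.

    A KeyDescriptor without a use attribute is recorded under both uses,
    mirroring the schema semantics of the optional md:KeyDescriptor/@use.
    Any other use value is rejected rather than silently ignored.
    """
    # For metadata from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(metadata_xml)
    result = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        if use is None:
            uses = ("signing", "encryption")
        elif use in result:
            uses = (use,)
        else:
            raise ValueError(f"unknown KeyDescriptor use: {use!r}")
        certs = [c.text.strip() for c in kd.iterfind(".//ds:X509Certificate", NS) if c.text]
        for u in uses:
            result[u].extend(certs)
    return result
```

Running `key_descriptors_by_use(SAMPLE_METADATA)` yields CERT-A under signing and both CERT-A and CERT-B under encryption.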

...

Info: Using a signing certificate
The term “signing certificate” is a misnomer. A signing certificate in metadata is actually used for signature verification, not signing. The private signing key is held securely by the signing party.
Info: Using an encryption certificate
To illustrate how XML Encryption works, an IdP uses the encryption certificate in SP metadata to encrypt a SAML assertion. The private decryption key is held securely by the SP.

...

Tip
In practice, the only part of the certificate that matters is the public key. A consumer that conforms to the OASIS SAML V2.0 Metadata Interoperability Profile will completely ignore all other parts of the certificate except the public key. In essence, this defines a trust model called the Explicit Key Trust Model.

SAML Keys and Certificates

Signing Key and Certificate

A signing credential is a key pair used for XML Signature, which provides authenticity and integrity at the message level. The public key is bound to a signing certificate in metadata. The private key is securely held by the party that signs the XML message.

TLS Key and Certificate

A TLS credential is a key pair used for back-channel TLS authentication, which provides authenticity, integrity, and confidentiality at the transport level. The public key is bound to a back-channel TLS certificate in metadata. The private key is securely held by the party to be authenticated.

Encryption Key and Certificate

By definition, an encryption credential is a key pair used for XML Encryption, which provides authenticity and confidentiality at the message level. The public key is bound to the encryption certificate in metadata. The private key is securely held by the party that decrypts the XML message.

...