Overview
The "basics" of configuring security are covered under the initial setup tab, with the generation of JWK keys to use and the import of conf/oidc-credentials.xml into conf/credentials.xml to auto-configure the new keys based on a set of properties.
The three properties (in conf/oidc.properties) that load the default keys and their default values are:
idp.signing.oidc.rs.key - %{idp.home}/credentials/idp-signing-rs.jwk
idp.signing.oidc.es.key - %{idp.home}/credentials/idp-signing-es.jwk
idp.signing.oidc.rsa.enc.key - %{idp.home}/credentials/idp-encryption-rsa.jwk
You will find these properties used in conf/oidc-credentials.xml along with additional beans that reference these credentials in the various lists and additional commented beans that allow the use/publish distinction. In most cases you won't need to touch this very much.
The truly essential beans are shibboleth.oidc.SigningCredentials and shibboleth.oidc.EncryptionCredentials. These are lists that enumerate the actual keys the system will try to use at runtime.
In turn, you MAY define the lists shibboleth.oidc.SigningCredentialsToPublish and shibboleth.oidc.EncryptionCredentialsToPublish. These control what discovery requests to the OP will see.
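As an added example of the use/publish distinction (this fragment is not from this page or from the Shibboleth project), the following conf/oidc-credentials.xml excerpt stages a replacement RSA signing key for rollover: the new key is advertised to RPs before the OP ever signs with it. The bean ID shibboleth.oidc.NextRSSigningCredential, the file name idp-signing-rs-next.jwk, and the use of util:list (with the util namespace declared at the top of the file) to define the List<Credential> beans are assumptions for illustration; the list bean IDs and the shibboleth.JWKCredential parent are the ones named on this page.

```xml
<!-- Added example, not part of the distributed oidc-credentials.xml.
     Assumed names: shibboleth.oidc.NextRSSigningCredential and idp-signing-rs-next.jwk. -->

<!-- The incoming RSA signing keypair, generated ahead of the cutover. -->
<bean id="shibboleth.oidc.NextRSSigningCredential" parent="shibboleth.JWKCredential"
    p:resource="%{idp.home}/credentials/idp-signing-rs-next.jwk" />

<!-- Phase 1: keys the OP actually signs with at runtime. The new key is deliberately
     NOT listed here yet, so no token is ever signed with a key RPs cannot resolve. -->
<util:list id="shibboleth.oidc.SigningCredentials">
    <ref bean="shibboleth.oidc.DefaultRSSigningCredential" />
    <ref bean="shibboleth.oidc.DefaultESSigningCredential" />
</util:list>

<!-- Phase 1: keys published at the OP's JWKS endpoint. The new key is included so RPs
     that cache the key set pick it up before it is used for signing. -->
<util:list id="shibboleth.oidc.SigningCredentialsToPublish">
    <ref bean="shibboleth.oidc.DefaultRSSigningCredential" />
    <ref bean="shibboleth.oidc.DefaultESSigningCredential" />
    <ref bean="shibboleth.oidc.NextRSSigningCredential" />
</util:list>
```

Once RPs have had time to refresh their cached key sets, swap shibboleth.oidc.NextRSSigningCredential in place of the old RSA key in shibboleth.oidc.SigningCredentials, but keep the old key in shibboleth.oidc.SigningCredentialsToPublish until every ID token signed with it has expired; only then remove it from the published list. If the publish lists are left undefined, the runtime lists are what RPs see, and this staged rollover is not possible.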
At a very high level there is a lot of overlap between the way security behavior can be customized for OIDC and the original IdP documentation on SecurityConfiguration. However, because the algorithms used are somewhat different, different underlying default beans control the behavior of the OIDC profile flows.
As an advanced example, the documentation and built-in defaults expect the EC key to be a 256-bit key, which supports only a subset of the possible signing algorithms. If you had an RP that required the ES512 algorithm, a P-521 key would be needed, which you would need to generate and define in conf/oidc-credentials.xml:
conf/oidc-credentials.xml

```xml
<bean id="shibboleth.oidc.SpecialSigningCredential" parent="shibboleth.JWKCredential"
    p:resource="%{idp.home}/credentials/my-idp-signing-ec521.jwk" />
```
Then you would need to define a new configuration bean and apply it to a RP profile in conf/relying-party.xml:
conf/relying-party.xml

```xml
<!-- A security configuration that signs only with the P-521 key and only with ES512. -->
<bean id="SpecialSecurityConfig" parent="shibboleth.oidc.DefaultSecurityConfiguration">
    <property name="signatureSigningConfiguration">
        <bean parent="shibboleth.oidc.SigningConfiguration"
            p:signingCredentials-ref="shibboleth.oidc.SpecialSigningCredential">
            <property name="signatureAlgorithms">
                <list>
                    <util:constant static-field="net.shibboleth.oidc.jwa.support.SignatureConstants.ALGO_ID_SIGNATURE_ES_512" />
                </list>
            </property>
        </bean>
    </property>
</bean>

<!-- Apply it to the one RP that requires ES512; all other RPs keep the defaults. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://needy.rp.example.org">
    <property name="profileConfigurations">
        <list>
            <bean parent="OIDC.SSO" p:securityConfiguration-ref="SpecialSecurityConfig" />
        </list>
    </property>
</bean>
```
Security-related properties in conf/oidc.properties:

Property | Type | Default | Description
---|---|---|---
idp.signing.oidc.rs.key | JWK file pathname | %{idp.home}/credentials/idp-signing-rs.jwk | JWK RSA signing keypair
idp.signing.oidc.es.key | JWK file pathname | %{idp.home}/credentials/idp-signing-es.jwk | JWK EC signing keypair
idp.signing.oidc.rsa.enc.key | JWK file pathname | %{idp.home}/credentials/idp-encryption-rsa.jwk | JWK RSA decryption keypair
idp.oidc.signing.config | Bean ID | shibboleth.oidc.SigningConfiguration | Allows override of default signing configuration
idp.oidc.encryption.config | Bean ID | shibboleth.oidc.EncryptionConfiguration | Allows override of default encryption configuration
idp.oidc.rodecrypt.config | Bean ID | shibboleth.oidc.requestObjectDecryptionConfiguration | Allows override of default request decryption configuration
idp.oidc.rovalid.config | Bean ID | shibboleth.oidc.requestObjectSignatureValidationConfiguration | Allows override of default request signature validation configuration
(property name lost in source) | Bean ID | shibboleth.oidc.tokenEndpointJwtSignatureValidationConfiguration | Allows override of default JWT token signature validation configuration

Beans defined in conf/oidc-credentials.xml or internally for use in conf/relying-party.xml:

Name | Type | Description
---|---|---
shibboleth.JWKCredential | net.shibboleth.idp.plugin.oidc.op.profile.spring.factory.BasicJWKCredentialFactoryBean | Spring factory bean for easy definition of JWK-formatted credentials
shibboleth.oidc.DefaultRSSigningCredential | Credential | Default RSA signing keypair used with OIDC
shibboleth.oidc.DefaultESSigningCredential | Credential | Default EC signing keypair used with OIDC
shibboleth.oidc.DefaultRSAEncryptionCredential | Credential | Default RSA decryption keypair used with OIDC
shibboleth.oidc.SigningCredentials | List<Credential> | List of signing keys available for use with OIDC
shibboleth.oidc.EncryptionCredentials | List<Credential> | List of encryption keys available for use in decryption with OIDC
shibboleth.oidc.SigningCredentialsToPublish | List<Credential> | List of signing keys to publish to RPs with OIDC
shibboleth.oidc.EncryptionCredentialsToPublish | List<Credential> | List of encryption keys to publish to RPs with OIDC
shibboleth.oidc.DefaultSecurityConfiguration | SecurityConfiguration | Default security configuration for the OIDC profile flows
shibboleth.oidc.EncryptionConfiguration | EncryptionConfiguration | Default encryption behavior for OIDC
shibboleth.oidc.requestObjectDecryptionConfiguration | EncryptionConfiguration | Default behavior for OIDC request decryption
shibboleth.oidc.requestObjectSignatureValidationConfiguration | BasicSignatureSigningConfiguration | Default signature validation behavior for OIDC request signatures
shibboleth.oidc.tokenEndpointJwtSignatureValidationConfiguration | BasicSignatureSigningConfiguration | Default signature validation behavior for validating JWTs used as endpoint credentials