Versions Compared

Old Version 1

changes.mady.by.user Rod Widdowson

Saved on

compared with

New Version Current

changes.mady.by.user Rod Widdowson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Overview

Identified by type="KeyDescriptor", this attribute extractore this AttributeExtractor allows the signing/TLS or encryption keys advertised in an IdP's metadata to be exposed as attributes within the SP. This plugin executes only when extraction of an <md:RoleDescriptor> (or one of its concrete subtypes) is done, which is dependent on the use of the metadataAttributePrefix application setting<ApplicationDefaults> setting.

Any public keys that apply (see below) are encoded as DER, using the SubjectPublicKeyInfo encoding commonly used in certificates, and then base64-encoded. At least

Reference

Attributes

The following XML attributes are supported to control extraction (one of the two attributes below must be specified.

...

first three MUST be set):

Name

Type

Default

Description

signingId

string


If set, public keys marked for signing or TLS authentication will be placed into an SP attribute with the specified name.

encryptionId

string


If set, public keys valid for encryption will be placed into an SP attribute with the specified name.

hashId

string


If set, public keys marked for signing or TLS authentication will be placed into an attribute with the specified name. The DER-encoded keys are hashed before being base64-encoded.

hashAlg 

string

"SHA1"

Optional name of hashing algorithm to use if

the hashId setting

the hashId setting is used. The algorithm names to use here are dependent on the cryptographic library that supplies the hashing. In the case of OpenSSL, they're simple names like "SHA1" or "SHA256"

Example

...

Code Block
language

...

xml
<AttributeExtractor type="KeyDescriptor" hashId="hashed-keys" hashAlg="SHA256" />