Versions Compared

Old Version 38

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version Current

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

There are several levels of SecurityConfiguration objects to control the signing, validation, encryption, and decryption processes. These configurations include things like the keypairs to use, preferred/default algorithms, and algorithm whitelists or blacklists to enforce. The configurations can be derived from the underlying library defaults, a global IdP default, or a per-profile override.

...

The default objects that make up these configurations are defined in system/conf/relying-party-system.xml and are defined to match the defaults in the OpenSAML libraries. You won't need to (and should not) modify these beans, but you might need to copy them into your own files to make changes to them or create an override in particularly advanced cases. More commonly, you can inherit from some of them in order to override specific bits and leave the other defaults in place, which is considerably simpler than creating an entire SecurityConfiguration object from scratch.

You can override the default bean name that is used as a global default by setting the idp.security.config property. That effectively ignores the system-defined objects in favor of something else. You can also override this on a per-profile, per-relying-party basis by adding a p:securityConfiguration-ref attribute to a profile bean.

Finally, the The special/common case of controlling the use of SHA-1 and SHA-256 digest algorithms while signing is simplified because we have predefined beans that toggle between those two algorithms at a global level. But the following is an example to follow if you need to specify the use of SHA-1 instead of SHA-256 for a specific relying party, with a property to switch between them (idp.signing.config).

Similarly, V3.4 adds predefined beans for toggling between two data encryption families, AES-CBC and AES-GCM. The former is widespread and well-supported, and vulnerable to attacks that can reveal the data. The latter is not widely supported but is the only practical algorithm that remains secure. A new property will switch between them globally (idp.encryption.config) but in practice that won't work all that well because so many SPs will not support GCM (though that should be considered broken).

The following is an example (specific to V3.4) to follow if you need to specify the use of SHA-1 instead of SHA-256 for a specific relying party.

Code Block
languagexml
titlePer-Profile Signing Algorithm
collapsetrue
<!-- excerpt of relying-party.xml -->

<util:list id="shibboleth.RelyingPartyOverrides">

  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sha1only.example.org">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:securityConfiguration-ref="shibboleth.SecurityConfiguration.SHA1" />
            <bean parent="SAML1.AttributeQuery" p:securityConfiguration-ref="shibboleth.SecurityConfiguration.SHA1" />
            <bean parent="SAML1.ArtifactResolution" p:securityConfiguration-ref="shibboleth.SecurityConfiguration.SHA1" />
            <bean parent="SAML2.SSO" p:securityConfiguration-ref="shibboleth.SecurityConfiguration.SHA1" />
            <bean parent="SAML2.ECP" p:securityConfiguration-ref="shibboleth.SecurityConfiguration.SHA1" />
            <bean parent="SAML2.Logout" p:securityConfiguration-ref="shibboleth.SecurityConfiguration.SHA1" />
            <bean parent="SAML2.AttributeQuery" p:securityConfiguration-ref="shibboleth.SecurityConfiguration.SHA1" />
            <bean parent="SAML2.ArtifactResolution" p:securityConfiguration-ref="shibboleth.SecurityConfiguration.SHA1" />
        </list>
    </property>
  </bean>

</util:list>

Similarly, you can do the same with encryption for GCM:

Code Block
languagexml
titlePer-Profile Signing Encryption Algorithm
collapsetrue
<!-- excerpt of relying-party.xml -->

<bean id="SHA1SecurityConfig" parent="shibboleth.DefaultSecurityConfiguration"
	p:signatureSigningConfiguration-ref="shibboleth.SigningConfiguration.SHA1" />

 <util of relying-party.xml -->

<util:list id="shibboleth.RelyingPartyOverrides">

  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sha1only.example.org">
    <property name="profileConfigurations">
        <list>
            <bean parent="Shibboleth.SSO" p:securityConfiguration-ref="SHA1SecurityConfigshibboleth.SecurityConfiguration.GCM" />
            <bean parent="SAML1.AttributeQuery" p:securityConfiguration-ref="SHA1SecurityConfigshibboleth.SecurityConfiguration.GCM" />
            <bean parent="SAML1.ArtifactResolution" p:securityConfiguration-ref="SHA1SecurityConfigshibboleth.SecurityConfiguration.GCM" />
            <bean parent="SAML2.SSO" p:securityConfiguration-ref="SHA1SecurityConfigshibboleth.SecurityConfiguration.GCM" />
            <bean parent="SAML2.ECP" p:securityConfiguration-ref="SHA1SecurityConfigshibboleth.SecurityConfiguration.GCM" />
            <bean parent="SAML2.Logout" p:securityConfiguration-ref="SHA1SecurityConfigshibboleth.SecurityConfiguration.GCM" />
            <bean parent="SAML2.AttributeQuery" p:securityConfiguration-ref="SHA1SecurityConfigshibboleth.SecurityConfiguration.GCM" />
            <bean parent="SAML2.ArtifactResolution" p:securityConfiguration-ref="SHA1SecurityConfigshibboleth.SecurityConfiguration.GCM" />
        </list>
    </property>
  </bean>

</util:list>

...