...
Code Block |
---|
|
<CredentialResolver type="File" key="new-key.pem" certificate="new-cert.pem"/>
|
...
Note |
---|
The above examples are not meant to be taken literally. If your files go by different names, live in non-default locations, then you will obviously need to adjust. Also take care as to whether one or both of your private keys has been encrypted on disk. You may need to supply a password attribute in your elements to load the key. In all cases CHECK YOUR LOGS any time you are manipulating keys. You MUST ensure that all keys are loading correctly and that no errors are being logged during normal use. |
The above process is suitable for cases in which the metadata's <md:KeyDescriptor>
elements do not carry a use
XML attribute and there is no opportunity to introduce such a use
attribute into metadata. Other approaches may be more suitable for non-Shibboleth implementations.
...
- Configure both credentials together in a chain.
- Add one or more
<RelyingParty>
elements in the appropriate spot with a keyName
property that matches the "CN" from the desired credential's certificate subject (or that matches a subjectAltName).
Code Block |
---|
| xml |
---|
| xml |
---|
title | Example using certificate subject as keyNamexml |
---|
|
<ApplicationDefaults ...>
...
<Errors .../>
<RelyingParty Name="https://idp.example.org/idp/shibboleth" keyName="trusted.example.org"/>
...
<CredentialResolver type="Chaining">
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
<CredentialResolver type="File" key="trusted-key.pem" certificate="trusted-cert.pem"/>
</CredentialResolver>
</ApplicationDefaults>
|
If you find that each candidate credential shares essentially the same certificate subject information, then you can use a locally-chosen name in your <RelyingParty>
element and add the same value to a keyName
attribute or <Name>
element in the <CredentialResolver>
.
Code Block |
---|
| xml |
---|
| xml |
---|
title | Example using locally chosen keyNamexml |
---|
|
<ApplicationDefaults ...>
...
<Errors .../>
<RelyingParty Name="https://idp.example.org/idp/shibboleth" keyName="Special"/>
...
<CredentialResolver type="Chaining">
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
<CredentialResolver type="File" key="trusted-key.pem" certificate="trusted-cert.pem" keyName="Special"/>
</CredentialResolver>
</ApplicationDefaults>
|