...

Additionally, the trust engine contains one or more IdP credentials.

Example Explicit Key Static Signature Trust Engine (XML):
<security:TrustEngine xsi:type="security:StaticExplicitKeySignature"
                      id="UNIQUE_ID">

    <Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security"
                id="MyCredential">
        <KeyName>key.example.org</KeyName>
        <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>
        <Certificate>/path/to/my/public.crt</Certificate>
    </Credential>

</security:TrustEngine>

...

The trust engine may then contain a single, optional ValidationOptions element.

Example Static PKIX Signature Trust Engine (XML):
<security:TrustEngine xsi:type="security:StaticPKIXSignature"
                      id="UNIQUE_ID">

    <TrustedName>CN=idp.example.org,DC=example,DC=org</TrustedName>
    <TrustedName>idp.example.org</TrustedName>
    <TrustedName>https://sp.example.org/shibboleth</TrustedName>

    <ValidationInfo id="UNIQUE_ID" VerifyDepth="5" xsi:type="PKIXFilesystem" xmlns="urn:mace:shibboleth:2.0:security">
        <Certificate>/path/to/trusted/cert1</Certificate>
        <Certificate>/path/to/trusted/cert2</Certificate>
        <CRL>/path/to/trusted/crl</CRL>
    </ValidationInfo>

</security:TrustEngine>

...

  • id - gives the trust engine an identifier that is unique within the relying party configuration and that other components may use to refer to the engine
  • metadataProviderRef - the ID of the metadata provider that contains the trusted metadata

Example Explicit Key Metadata Signature Trust Engine (XML):
<security:TrustEngine xsi:type="security:MetadataExplicitKeySignature"
                      id="UNIQUE_ID"
                      metadataProviderRef="METADATA_PROVIDER_ID" />

...

The trust engine may then contain a single, optional ValidationOptions element.

Example PKIX Metadata Signature Trust Engine (XML):
<security:TrustEngine xsi:type="security:MetadataPKIXSignature"
                      id="UNIQUE_ID"
                      metadataProviderRef="METADATA_PROVIDER_ID" />

...

Additionally, the trust engine contains one or more IdP credentials.

Example Static X.509 Credential Trust Engine (XML):
<security:TrustEngine xsi:type="security:StaticExplicitKey"
                      id="UNIQUE_ID">

    <Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security"
                id="MyCredential">
        <KeyName>key.example.org</KeyName>
        <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>
        <Certificate>/path/to/my/public.crt</Certificate>
    </Credential>

</security:TrustEngine>

...

The trust engine may then contain a single, optional ValidationOptions element.

Example Static PKIX X.509 Credential Trust Engine (XML):
<security:TrustEngine xsi:type="security:StaticPKIXX509Credential"
                      id="UNIQUE_ID">

    <TrustedName>CN=idp.example.org,DC=example,DC=org</TrustedName>
    <TrustedName>idp.example.org</TrustedName>
    <TrustedName>https://sp.example.org/shibboleth</TrustedName>

    <ValidationInfo id="UNIQUE_ID" VerifyDepth="5" xsi:type="PKIXFilesystem" xmlns="urn:mace:shibboleth:2.0:security">
        <Certificate>/path/to/trusted/cert1</Certificate>
        <Certificate>/path/to/trusted/cert2</Certificate>
        <CRL>/path/to/trusted/crl</CRL>
    </ValidationInfo>

</security:TrustEngine>

...

  • id - gives the trust engine an identifier that is unique within the relying party configuration and that other components may use to refer to the engine
  • metadataProviderRef - the ID of the metadata provider that contains the trusted metadata

Example Explicit Key Metadata X.509 Credential Trust Engine (XML):
<security:TrustEngine xsi:type="security:MetadataExplicitKey"
                      id="UNIQUE_ID"
                      metadataProviderRef="METADATA_PROVIDER_ID" />

...

The trust engine may then contain a single, optional ValidationOptions element.

Example PKIX Metadata X.509 Credential Trust Engine (XML):
<security:TrustEngine xsi:type="security:MetadataPKIXX509Credential"
                      id="UNIQUE_ID"
                      metadataProviderRef="METADATA_PROVIDER_ID" />
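
The static and metadata-backed engines above share a few configuration pitfalls a reviewer checks for: duplicate engine ids, a metadataProviderRef that names no configured metadata provider, a static PKIX engine with no TrustedName or no CRL, and a PrivateKey password kept in clear text in the configuration. The following linter is an added example, not Shibboleth project code; it assumes the fragments are wrapped in a root element that declares the security and xsi namespaces, and the engine ids and provider reference in the constructed sample are placeholders.

```python
import xml.etree.ElementTree as ET

SEC = "urn:mace:shibboleth:2.0:security"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Constructed sample wrapping fragments like the ones on this page (ids are placeholders).
SAMPLE = f"""<root xmlns:security="{SEC}" xmlns:xsi="{XSI}">
  <security:TrustEngine xsi:type="security:StaticExplicitKeySignature" id="explicit">
    <Credential xsi:type="X509Filesystem" xmlns="{SEC}" id="MyCredential">
      <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>
    </Credential>
  </security:TrustEngine>
  <security:TrustEngine xsi:type="security:StaticPKIXSignature" id="pkix">
    <ValidationInfo id="v1" VerifyDepth="5" xsi:type="PKIXFilesystem" xmlns="{SEC}">
      <Certificate>/path/to/trusted/cert1</Certificate>
    </ValidationInfo>
  </security:TrustEngine>
  <security:TrustEngine xsi:type="security:MetadataPKIXSignature" id="pkix"
                        metadataProviderRef="NoSuchProvider" />
</root>"""

def local(tag):  # strip the namespace URI so prefixed and default-namespace forms match
    return tag.rsplit("}", 1)[-1]
def descendants(elem, name):
    return [c for c in elem.iter() if c is not elem and local(c.tag) == name]

def lint_trust_engines(xml_text, metadata_provider_ids):
    """Return one finding string per problem found in the TrustEngine elements."""
    findings, seen = [], set()
    for eng in descendants(ET.fromstring(xml_text), "TrustEngine"):
        eid = eng.get("id", "<missing>")
        kind = eng.get(f"{{{XSI}}}type", "").split(":")[-1]  # e.g. StaticPKIXSignature
        if eid in seen:
            findings.append(f"{eid}: duplicate trust engine id")
        seen.add(eid)
        if kind.startswith("Metadata") and eng.get("metadataProviderRef") not in metadata_provider_ids:
            findings.append(f"{eid}: metadataProviderRef names no configured metadata provider")
        if kind.startswith("StaticPKIX"):
            infos = descendants(eng, "ValidationInfo")
            if not descendants(eng, "TrustedName"):
                findings.append(f"{eid}: no TrustedName, so no subject name is checked")
            if not any(descendants(i, "Certificate") for i in infos):
                findings.append(f"{eid}: no trust anchor certificate in ValidationInfo")
            if not any(descendants(i, "CRL") for i in infos):
                findings.append(f"{eid}: no CRL, so revocation is not checked")
        if kind.startswith("StaticExplicitKey"):
            for pk in descendants(eng, "PrivateKey"):
                if pk.get("password"):
                    findings.append(f"{eid}: PrivateKey password stored in clear text")
    return findings
```

Run lint_trust_engines on a relying-party configuration together with the set of metadata provider ids it declares; every finding names the engine id it applies to.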