
Approach 1: Add KeyNames for all entities

This approach involves ensuring that every KeyDescriptor in every entity carries at least one ds:KeyName inside its ds:KeyInfo, alongside whatever X509Data it already declares. An entity whose KeyDescriptor holds only X509Data, with no KeyName, is the case this issue concerns; adding the KeyName takes it out of the affected configuration.

Code block (xml): Vulnerable entity with KeyName added

```xml
<!-- The top-level entities group containing globally-scoped key authorities. -->
<md:EntitiesDescriptor name="allEntities">

  <!-- All entities within this EntitiesDescriptor are within the scope of these key authorities. -->
  <md:Extensions>
    <shibmd:KeyAuthority> ... </shibmd:KeyAuthority>
    <shibmd:KeyAuthority> ... </shibmd:KeyAuthority>
  </md:Extensions>

  <!-- For clarity, other entities not shown. -->
  <md:EntityDescriptor entityID="https://www.example1.org/sp"> ... </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://www.example2.org/sp"> ... </md:EntityDescriptor>

  <!-- This entity has a key specified by an X509Data element for use with the explicit key model.
       A KeyName has been added and it is no longer vulnerable to this issue. -->
  <md:EntityDescriptor entityID="https://www.example3.org/sp">
    <md:SPSSODescriptor>
      <md:KeyDescriptor>
        <ds:KeyInfo>
          <ds:KeyName>www.example3.org</ds:KeyName>
          <ds:X509Data> ... </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>

</md:EntitiesDescriptor>
```
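Applying this approach by hand across a federation aggregate is error-prone, so the script below is an added example (not part of the original page or of any Shibboleth tooling) that audits a metadata document for KeyDescriptors lacking a ds:KeyName and, optionally, inserts one. It reports whether each finding sits under an EntitiesDescriptor or EntityDescriptor that declares a shibmd:KeyAuthority, since those are the entities the page's scoping comment describes. The sample metadata is constructed inline; the choice of the entityID hostname as the KeyName value is an assumed convention that matches the page's example (www.example3.org for https://www.example3.org/sp), not a rule from the page.

```python
"""Audit SAML metadata for KeyDescriptors with no ds:KeyName, and optionally add one.

Added example, not from the original page. Uses only the standard library; for
metadata from an untrusted source parse with defusedxml instead of xml.etree,
which is not hardened against entity-expansion attacks.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep md:/ds:/shibmd: prefixes on output

# Constructed sample aggregate (not a real federation). Both entities are in
# scope of the KeyAuthority; example2 has X509Data but no KeyName.
SAMPLE = """<md:EntitiesDescriptor name="allEntities"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:Extensions>
    <shibmd:KeyAuthority VerifyDepth="1">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </shibmd:KeyAuthority>
  </md:Extensions>
  <md:EntityDescriptor entityID="https://www.example1.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo>
          <ds:KeyName>www.example1.org</ds:KeyName>
          <ds:X509Data><ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://www.example2.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo>
          <ds:X509Data><ds:X509Certificate>MIID...</ds:X509Certificate></ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def find_missing_keynames(xml_text):
    """Return [(entityID, role element name, in_key_authority_scope)] for every
    KeyDescriptor whose ds:KeyInfo has no ds:KeyName."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, in_scope):
        # A KeyAuthority declared here puts everything beneath it in scope.
        in_scope = in_scope or elem.find("md:Extensions/shibmd:KeyAuthority", NS) is not None
        if elem.tag == _tag("md", "EntityDescriptor"):
            for role in elem:
                for kd in role.findall("md:KeyDescriptor", NS):
                    if kd.find("ds:KeyInfo/ds:KeyName", NS) is None:
                        findings.append((elem.get("entityID"), role.tag.split("}")[-1], in_scope))
        else:
            for child in elem:
                if child.tag in (_tag("md", "EntitiesDescriptor"), _tag("md", "EntityDescriptor")):
                    walk(child, in_scope)

    walk(root, False)
    return findings


def add_missing_keynames(xml_text):
    """Insert a ds:KeyName (entityID hostname, an assumed convention) as the first
    child of every ds:KeyInfo that lacks one. Returns (new_xml, count_added).
    Editing signed metadata invalidates its signature: re-sign after this step."""
    root = ET.fromstring(xml_text)
    added = 0
    for entity in root.iter(_tag("md", "EntityDescriptor")):
        entity_id = entity.get("entityID", "")
        host = urlparse(entity_id).hostname or entity_id
        for kd in entity.iter(_tag("md", "KeyDescriptor")):
            keyinfo = kd.find("ds:KeyInfo", NS)
            if keyinfo is None or keyinfo.find("ds:KeyName", NS) is not None:
                continue
            keyname = ET.Element(_tag("ds", "KeyName"))
            keyname.text = host
            keyinfo.insert(0, keyname)
            added += 1
    return ET.tostring(root, encoding="unicode"), added


if __name__ == "__main__":
    for entity_id, role, in_scope in find_missing_keynames(SAMPLE):
        print("missing KeyName: %s (%s, KeyAuthority in scope: %s)" % (entity_id, role, in_scope))
    fixed, n = add_missing_keynames(SAMPLE)
    print("added %d KeyName element(s)" % n)
```

Run it against an aggregate to get the list of entities still needing attention; rerunning the audit on the output of add_missing_keynames should return nothing. The in-scope flag is only an aid for prioritising: the approach on this page adds a KeyName to every KeyDescriptor regardless of scope.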
