...

The first thing you have to understand is the different types of keys involved in operating the IdP. A deeper dive into this can be found in the SecurityAndNetworking topic in the IdP documentation; this is a briefer overview.

...

Once that’s done, the goal of my approach is to curate SP metadata so that every SP in the “rest” bucket is tagged with an EntityAttributes extension identifying the key it currently relies on, by naming the IdP SecurityConfiguration bean that contains that key. The bean name is the tag’s value, and the IdP’s MetadataDrivenConfiguration feature uses it to tell the IdP which configuration bean, and therefore which key, to use for that SP. This “locks” those SPs to a specific key, so the default key (the one broadly published via federation metadata) can be changed without the new key immediately being used for SPs that would break. The bean a tag names has to stay defined in the IdP configuration for as long as any SP is locked to it. In this manner you rotate the key automatically for every SP that can handle it while deferring the rest to the long, manual, painful trek of getting each one updated.

...

Note that, yes, you can do this by adopting the “full” metadata-driven configuration approach and using the “.MDDriven”-suffixed beans described in the MetadataDrivenConfiguration topic. The lookup strategy bean shown here is actually the same bean that sits inside the system wiring for that feature. I show it this way because it’s much faster to wire up support only for the tags you intend to use than to force every setting to route through the metadata, and, well, I know how, so that’s what I did.

...

The other case is SPs whose metadata comes from a federation, which prevents direct control over it. For these you must use the EntityAttributesFilter to attach the tag at runtime, and this is where brute-force enumeration of the SPs comes into play. The example below would typically live inside a <MetadataProvider> element, but filters can also be maintained externally in a separate file by means of the ByReferenceFilter feature.

Code Block
          <!-- Locked to newer signing key. One tag, applied to every <Entity> listed. -->
          <MetadataFilter xsi:type="EntityAttributes">
            <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://shibboleth.net/ns/profiles/securityConfiguration">
              <!-- Value is the name of the SecurityConfiguration bean holding the key. -->
              <saml:AttributeValue>osu.SecurityConfig.2019</saml:AttributeValue>
            </saml:Attribute>

            <Entity>https://sp.example.org</Entity>
            <Entity>https://another.example.org/sp</Entity>
          </MetadataFilter>
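The two pieces above (the locking approach and the runtime filter for federation metadata) can be exercised together in a small script. This is an added example, not Shibboleth code and not the author’s own tooling: it enumerates the SP entityIDs from a constructed federation aggregate, emits the EntityAttributes filter that pins them to a named bean, and models the IdP’s lookup to show that rotating the default key moves only the unpinned SPs. The metadata, the key labels, and the default bean name shibboleth.DefaultSecurityConfiguration are assumptions for illustration; only osu.SecurityConfig.2019 comes from the page.

```python
"""Added example, not Shibboleth's code and not the author's own tooling.

  1. brute-force enumeration of SP entityIDs from a federation aggregate,
     turned into an EntityAttributes MetadataFilter that pins them to a
     named SecurityConfiguration bean;
  2. a model of the resulting lookup, showing that rotating the default
     key leaves the pinned SPs on their old key.
The federation metadata, the key labels and the default bean name are
constructed for illustration (assumptions, not taken from the page).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
TAG_NAME = "http://shibboleth.net/ns/profiles/securityConfiguration"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
DEFAULT_BEAN = "shibboleth.DefaultSecurityConfiguration"  # assumed default bean name

# Constructed aggregate: two SPs plus an IdP entity that must not be tagged.
FEDERATION_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor entityID="https://sp.example.org">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.org/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://another.example.org/sp">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def sp_entity_ids(metadata_xml: str) -> list[str]:
    """Enumerate every entity carrying an SPSSODescriptor (IdP entities are skipped)."""
    root = ET.fromstring(metadata_xml)
    return [
        ed.get("entityID")
        for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor")
        if ed.find(f"{{{MD_NS}}}SPSSODescriptor") is not None
    ]


def build_filter(bean_name: str, entity_ids: list[str]) -> str:
    """Serialize a <MetadataFilter xsi:type="EntityAttributes"> that pins the
    listed SPs to bean_name.  The element is unprefixed here; inside a real
    <MetadataProvider> it inherits that element's default namespace."""
    ET.register_namespace("saml", SAML_NS)
    mf = ET.Element("MetadataFilter", {f"{{{XSI_NS}}}type": "EntityAttributes"})
    attr = ET.SubElement(mf, f"{{{SAML_NS}}}Attribute",
                         {"NameFormat": URI_FORMAT, "Name": TAG_NAME})
    ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = bean_name
    for eid in entity_ids:
        ET.SubElement(mf, "Entity").text = eid
    return ET.tostring(mf, encoding="unicode")


def tags_from_filter(filter_xml: str) -> dict[str, str]:
    """Read a filter back into {entityID: bean name}, the view the IdP ends up with."""
    mf = ET.fromstring(filter_xml)
    value = mf.find(f"{{{SAML_NS}}}Attribute/{{{SAML_NS}}}AttributeValue").text
    return {e.text: value for e in mf.findall("Entity")}


def key_for_each_sp(entity_ids, tags, beans, default_bean):
    """Model the metadata-driven lookup: a tagged SP gets the key of the bean
    its tag names; every untagged SP gets the key of the default bean."""
    return {eid: beans[tags.get(eid, default_bean)] for eid in entity_ids}


def rotation_demo():
    """Pin the first SP, then rotate the default key; only the unpinned SP moves."""
    sps = sp_entity_ids(FEDERATION_METADATA)
    tags = tags_from_filter(build_filter("osu.SecurityConfig.2019", [sps[0]]))
    # Bean -> signing key it holds; both start on the 2019 key (labels constructed).
    beans = {"osu.SecurityConfig.2019": "signing-2019", DEFAULT_BEAN: "signing-2019"}
    before = key_for_each_sp(sps, tags, beans, DEFAULT_BEAN)
    beans[DEFAULT_BEAN] = "signing-new"  # the rotation: default bean gets the new key
    after = key_for_each_sp(sps, tags, beans, DEFAULT_BEAN)
    return before, after


if __name__ == "__main__":
    print(build_filter("osu.SecurityConfig.2019", sp_entity_ids(FEDERATION_METADATA)))
    print(rotation_demo())
```

Run it as-is to see the generated filter and the before/after key assignments. Feeding it a real aggregate is a matter of replacing FEDERATION_METADATA with the file contents and passing only the entityIDs you have verified are still on the old key.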

...