...

Tip
When you're done with this primer, read the topic on Shibboleth IdP Keys and Certificates.

Terminology

  • KeyDescriptor: An <md:KeyDescriptor> element in SAML metadata (a KeyDescriptor with no use attribute applies to both signing and encryption)

  • KeyDescriptor of type "signing": An <md:KeyDescriptor use="signing"> element in SAML metadata

  • KeyDescriptor of type "encryption": An <md:KeyDescriptor use="encryption"> element in SAML metadata

  • Signing certificate: A public key certificate bound to a KeyDescriptor of type “signing” in SAML metadata. A signing certificate is indistinguishable from a back-channel TLS certificate in metadata.

  • Back-channel TLS certificate: A public key certificate bound to a KeyDescriptor of type “signing” in SAML metadata. A back-channel TLS certificate is indistinguishable from a signing certificate in metadata.

  • Encryption certificate: A public key certificate bound to a KeyDescriptor of type “encryption” in SAML metadata.

  • Credential: A private key plus its corresponding public key certificate.

  • Signing credential: A key pair used for XML Signature. The public key is bound to a signing certificate in metadata. The private key is securely held by the party that signs the XML message.

  • Back-channel TLS credential: A key pair used for back-channel TLS authentication. The public key is bound to a back-channel TLS certificate in metadata. The private key is securely held by the party to be authenticated.

  • Encryption credential: A key pair used for XML Encryption. The public key is bound to an encryption certificate in metadata. The private key is securely held by the party that decrypts the XML message.

...

Code Block
languagebash
titleCreate a private key and certificate
# change these values as needed
$ OUT_DIR=/tmp/credentials
$ LIFETIME=3650 # 10 yrs

# normally, only a back-channel TLS certificate needs a subject name
# but it doesn't hurt to add this to a signing or encryption certificate
$ SUBJECT_NAME='/CN=hostname.example.org'

# the output directory must exist, and the private key should be
# readable only by the account that will use it
$ mkdir -p "$OUT_DIR"
$ umask 077

# create a 2048-bit key with a long-lived, self-signed certificate
$ /usr/bin/openssl req -new -x509 -nodes \
    -newkey rsa:2048 -keyout "$OUT_DIR/key.pem" \
    -days "$LIFETIME" -subj "$SUBJECT_NAME" -out "$OUT_DIR/cert.pem"

...

Finally, bind the above certificate to an <md:KeyDescriptor use="signing"> element in SAML metadata:

Code Block
languagexml
titleA KeyDescriptor of type "signing"
<md:KeyDescriptor use="signing">
  <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>...</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>

The certificate above is either a signing certificate or a back-channel TLS certificate (or both); nothing in the metadata itself says which.
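The script below is an added example, not code from the Shibboleth wiki: it carries the whole procedure through, creating the credential, emitting the <md:KeyDescriptor> with the PEM body of the certificate inside <ds:X509Certificate>, and then doing the check a deployer actually needs, confirming that the certificate published in metadata matches the private key on disk. It goes slightly beyond the text in that the same function emits a "signing" or an "encryption" descriptor. The function names, the directory and the hostname idp.example.org are placeholders; it assumes an OpenSSL 1.1 or later binary on the PATH.

```shell
#!/bin/sh
# Added example (not part of the original wiki page). Function names,
# paths and the hostname are placeholders chosen for this illustration.
set -eu

# Create a private key plus a long-lived self-signed certificate.
# Args: output dir, subject CN, lifetime in days.
create_credential() {
    out_dir=$1; cn=$2; days=$3
    mkdir -p "$out_dir"
    # umask inside a subshell so only this key gets mode 0600
    (umask 077; openssl req -new -x509 -nodes \
        -newkey rsa:2048 -keyout "$out_dir/key.pem" \
        -days "$days" -subj "/CN=$cn" -out "$out_dir/cert.pem" 2>/dev/null)
}

# Print the base64 body of a PEM certificate: everything between the
# BEGIN/END lines, which is exactly what belongs in <ds:X509Certificate>.
pem_body() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
        | grep -v -- '-----'
}

# Emit an <md:KeyDescriptor> for a certificate.
# Args: cert file, use attribute ("signing" or "encryption").
key_descriptor() {
    cert=$1; use=$2
    cat <<EOF
<md:KeyDescriptor use="$use">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
$(pem_body "$cert")
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>
EOF
}

# Pull the certificate out of a KeyDescriptor fragment and re-armour it as
# PEM. Handles the base64 on its own lines or inline with the tags.
cert_from_descriptor() {
    echo '-----BEGIN CERTIFICATE-----'
    sed -n '/<ds:X509Certificate>/,/<\/ds:X509Certificate>/p' "$1" \
        | sed -e 's/<ds:X509Certificate>//' -e 's/<\/ds:X509Certificate>//' \
        | tr -d ' \t' | grep -v '^$'
    echo '-----END CERTIFICATE-----'
}

# Compare the SHA-256 digest of the public key embedded in metadata with the
# public key derived from the private key. Prints "match" or "MISMATCH";
# returns 0 only on a match.
check_key_matches() {
    descriptor=$1; key=$2
    from_md=$(cert_from_descriptor "$descriptor" | openssl x509 -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    if [ "$from_md" = "$from_key" ]; then
        echo match
    else
        echo MISMATCH
        return 1
    fi
}

# Usage (placeholder paths):
#   create_credential /tmp/credentials idp.example.org 3650
#   key_descriptor /tmp/credentials/cert.pem signing > /tmp/credentials/kd.xml
#   check_key_matches /tmp/credentials/kd.xml /tmp/credentials/key.pem
```

The check compares public keys rather than whole certificates on purpose: after a certificate is re-issued for the same key pair (the usual rollover for a self-signed cert), the key in metadata still matches and the private key needs no change. A mismatch means the metadata and the key on disk have drifted, which shows up in practice as signature validation or TLS client authentication failures at the peer.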