The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

Key Name Validation

One of the ways Shibboleth can verify that the provider it thinks it's talking to is legitimate is by checking the CN of the presented certificate against metadata. The CN in the certificate must precisely match the KeyName given in the metadata for the claimed provider, and the certificate must chain to a root certificate that is listed as trusted in the metadata.

To create a keypair and a certificate signing request, use the following two commands. Complete all the fields as appropriate for your CSR. The CN field must be equal to the full domain name of the server, such as www.supervillain.edu, and the others can be completed according to your CA's policy. Once the CSR is complete, submit it to a CA for signing. The resulting certificate can then be used by the provider.

	openssl genrsa -out myprovider.key 2048
	openssl req -new -key myprovider.key -out myprovider.csr

The corresponding structure in the metadata for this new certificate would be:

	<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:KeyName>idp.supervillain.edu</ds:KeyName>
	</ds:KeyInfo>

One or more trusted roots that signed the certificates used within the federation must then also be added so that the certificates can be verified. This is done by placing an Extensions element within the main EntitiesDescriptor element, but before any EntityDescriptor element, such as:

	<Extensions>
		<shibmd:KeyAuthority xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" VerifyDepth="5">
			<!-- Supervillain CA -->
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Data>
					<ds:X509Certificate>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					</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</shibmd:KeyAuthority>
	</Extensions>

The complete simple metadata file would look like:

<EntitiesDescriptor
	 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
	 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
	 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
	 xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd
	 urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd
	 http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
	 Name="https://www.supervillain.edu/evil-federation/policy.html"
	 validUntil="2010-01-01T00:00:00Z">

	<!-- This is the metadata for Evil Federation using PKI for trust. -->

	<Extensions>
		<shibmd:KeyAuthority xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" VerifyDepth="5">
			<!-- Supervillain CA -->
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Data>
					<ds:X509Certificate>
MIIExzCCA6+gAwIBAgIJAM+MlFr0Sth6MA0GCSqGSIb3DQEBBQUAMIGdMR8wHQYD
VQQDExZTdXBlcnZpbGxhaW46IFRoZSBSb290MQswCQYDVQQGEwJVUzERMA8GA1UE
CBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4GA1UEChMXU3VwZXJ2aWxs
YWluIFVuaXZlcnNpdHkxJzAlBgkqhkiG9w0BCQEWGHBlbmd1aW5Ac3VwZXJ2aWxs
YWluLmVkdTAeFw0wNjA4MTcxOTU5NTNaFw0xMTA4MTYxOTU5NTNaMIGdMR8wHQYD
VQQDExZTdXBlcnZpbGxhaW46IFRoZSBSb290MQswCQYDVQQGEwJVUzERMA8GA1UE
CBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4GA1UEChMXU3VwZXJ2aWxs
YWluIFVuaXZlcnNpdHkxJzAlBgkqhkiG9w0BCQEWGHBlbmd1aW5Ac3VwZXJ2aWxs
YWluLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6uFqas4dK6
A2wTZL0viRQNJrPyFnFBDSZGib/2ijhgzed/vvmZIBM9sFpwahcuR5hvyKUe37/c
/RSZXoNDi/eiNOx4qb0l9UB6bd8qvc4V1PnLE7L+ZYcmwrvTKm4x8qXMgEv1wca2
FPsreHNPdLiTUZ8v0tDTWi3Mgi7y47VTzJaTkcfmO1nL6xAtln5sLdH0PbMM3LAp
T1d3nwI3VdbhqqZ+6+OKEuC8gk5iH4lfrbr6C9bYS6vzIKrotHpZ3N2aIC3NMjJD
PMw/mfCuADfRNlHXgZW+0zyUkwGTMDea8qgsoAMWJGdeTIw8I1I3RhnbgLzdsNQl
b/1ZXx1uJRUCAwEAAaOCAQYwggECMB0GA1UdDgQWBBQe+xSjYTrlfraJARjMxscb
j36jvDCB0gYDVR0jBIHKMIHHgBQe+xSjYTrlfraJARjMxscbj36jvKGBo6SBoDCB
nTEfMB0GA1UEAxMWU3VwZXJ2aWxsYWluOiBUaGUgUm9vdDELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCE5ldyBZb3JrMQ8wDQYDVQQHEwZHb3RoYW0xIDAeBgNVBAoTF1N1
cGVydmlsbGFpbiBVbml2ZXJzaXR5MScwJQYJKoZIhvcNAQkBFhhwZW5ndWluQHN1
cGVydmlsbGFpbi5lZHWCCQDPjJRa9ErYejAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQC4SPBDGYAxfbXd8N5OvG0drM7a5hjXfcCZpiILlPSRpxp79yh7
I5vVWxBxUfolwbei7PTBVy7CE27SUbSICeqWjcDCfjNjiZk6mLS80rm/TdLrHSyM
+Ujlw9MGcBGaLI+sdziDUMtTQDpeAyQTaGVbh1mx5874Hlo1VXqGYNo0RwR+iLfs
x48VuO6GbWVyxtktkE2ypz1KLWiyI056YynydRvuBCBHeRqGUixPlH9CrmeSCP2S
sfbiKnMOGXjIYbvbsTAMdW2iqg6IWa/fgxhvZoAXChM9bkhisJQc0qD0J5TJQwgr
uEyb50RJ7DWmXctSC0b3eymZ2lSXxAWNOsNy
					</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</shibmd:KeyAuthority>
	</Extensions>

	<!-- The Supervillain IdP -->

	<EntityDescriptor entityID="https://idp.example.org/shibboleth">
		<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
			<Extensions>
				<!-- It's authoritative for supervillain.edu. -->
				<shibmd:Scope>supervillain.edu</shibmd:Scope>
			</Extensions>

			<KeyDescriptor use="signing">
				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<ds:KeyName>idp.supervillain.edu</ds:KeyName>
				</ds:KeyInfo>
			</KeyDescriptor>
			
			<ArtifactResolutionService index="1"
				Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
				Location="http://idp.example.org:8080/shibboleth-idp/Artifact"/>

			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

			<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
				 Location="https://idp.example.org/shibboleth-idp/SSO"/>

		</IDPSSODescriptor>
		
		<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
			<Extensions>
				<!-- It's authoritative for supervillain.edu. -->
				<shibmd:Scope>supervillain.edu</shibmd:Scope>
			</Extensions>

			<KeyDescriptor use="signing">
				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<ds:KeyName>idp.supervillain.edu</ds:KeyName>
				</ds:KeyInfo>
			</KeyDescriptor>
			
			<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
				 Location="http://idp.example.org:8080/shibboleth-idp/AA"/>

			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
		</AttributeAuthorityDescriptor>

		<Organization>
			 <OrganizationName xml:lang="en">The Exalted University of Supervillains</OrganizationName>
			 <OrganizationDisplayName xml:lang="en">Supervillain University</OrganizationDisplayName>
			 <OrganizationURL xml:lang="en">http://www.supervillain.edu/</OrganizationURL>
		</Organization>
		<ContactPerson contactType="technical">
			 <SurName>Norman Osborn</SurName>
			 <EmailAddress>greengoblin@supervillain.edu</EmailAddress>
		</ContactPerson>

	</EntityDescriptor>

	<!-- The main Supervillain web server -->

	<EntityDescriptor entityID="https://www.supervillain.edu/shibboleth/evil-federation/sp">
	
		<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
			<KeyDescriptor use="signing">
				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
					<ds:KeyName>www.supervillain.edu</ds:KeyName>
				</ds:KeyInfo>
			</KeyDescriptor>

			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

			<AssertionConsumerService index="1" isDefault="true"
				Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
				Location="https://www.supervillain.edu/Shibboleth.sso/SAML/POST"/>
			<AssertionConsumerService index="2"
				Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
				Location="https://www.supervillain.edu/Shibboleth.sso/SAML/Artifact"/>
		</SPSSODescriptor>

		<Organization>
			 <OrganizationName xml:lang="en">The Exalted University of Supervillains</OrganizationName>
			 <OrganizationDisplayName xml:lang="en">Supervillain University</OrganizationDisplayName>
			 <OrganizationURL xml:lang="en">http://www.supervillain.edu/</OrganizationURL>
		</Organization>
		<ContactPerson contactType="technical">
			 <SurName>Erik Magnus Lehnsherr</SurName>
			 <EmailAddress>magneto@supervillain.edu</EmailAddress>
		</ContactPerson>
		
	</EntityDescriptor>

</EntitiesDescriptor>
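As an added illustration (not code from the Shibboleth project), the following Python pulls the trust data out of a metadata document in the format above and applies the key-name matching rules the page and its comments describe: the KeyName may be the certificate's CN, its DN in LDAP form (with or without spaces), or a DNS or URI subjectAltName. It uses only the standard library, takes the certificate identity as already-parsed fields, and embeds a constructed, minimal metadata sample; the chain check against the KeyAuthority roots within VerifyDepth is left to the TLS or XML Signature layer and is only surfaced here as the depth value.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed, minimal metadata in the page's format; the root certificate body is a placeholder.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
 <Extensions><shibmd:KeyAuthority VerifyDepth="5"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
  ROOT-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></shibmd:KeyAuthority></Extensions>
 <EntityDescriptor entityID="https://idp.example.org/shibboleth"><IDPSSODescriptor><KeyDescriptor use="signing">
  <ds:KeyInfo><ds:KeyName>idp.supervillain.edu</ds:KeyName></ds:KeyInfo></KeyDescriptor></IDPSSODescriptor>
 </EntityDescriptor></EntitiesDescriptor>"""

def load_trust(metadata_xml):
    """Return ({entityID: {role tag: [KeyName, ...]}}, VerifyDepth, number of KeyAuthority roots)."""
    root = ET.fromstring(metadata_xml)
    ka = root.find("md:Extensions/shibmd:KeyAuthority", NS)
    depth = int(ka.get("VerifyDepth", "1")) if ka is not None else 1
    roots = [] if ka is None else ka.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    names = {}
    for ent in root.findall("md:EntityDescriptor", NS):
        roles = {}
        for role in ent:  # IDPSSODescriptor, AttributeAuthorityDescriptor, SPSSODescriptor, ...
            kn = [k.text.strip() for k in role.findall("md:KeyDescriptor/ds:KeyInfo/ds:KeyName", NS)]
            if kn:
                roles[role.tag.split("}")[1]] = kn
        names[ent.get("entityID")] = roles
    return names, depth, len(roots)

def _norm_dn(dn):  # LDAP-form DN, with or without spaces after the commas, case-insensitive
    return ",".join(p.strip() for p in dn.split(",")).lower()

def key_name_matches(key_names, cn, ldap_dn, san_dns=(), san_uri=()):
    """True if some KeyName names the certificate by CN, by LDAP DN, or by a DNS/URI subjectAltName."""
    for name in key_names:
        if name.lower() == cn.lower():
            return True
        if "=" in name and _norm_dn(name) == _norm_dn(ldap_dn):
            return True
        if name.lower() in [d.lower() for d in san_dns] or name in san_uri:
            return True
    return False

def check_peer(metadata_xml, entity_id, role, cn, ldap_dn, san_dns=(), san_uri=()):
    """Name check only; the chain to a KeyAuthority root within VerifyDepth is verified elsewhere."""
    names, _depth, root_count = load_trust(metadata_xml)
    key_names = names.get(entity_id, {}).get(role, [])
    return root_count > 0 and key_name_matches(key_names, cn, ldap_dn, san_dns, san_uri)
```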

  • You say here that the operation is "checking the CN of a presented certificate" but my understanding is that it is either the CN or a DN in one of a couple of fixed formats. There was an SP bug that prevented anything but the raw CN being used for an IdP at one point, but I believe that's fixed. I think Scott would recommend the use of CN everywhere nowadays, but the options still exist in practice, so it would make sense for them to be documented. -- Main.IanYoung - 30 Aug 2006 18:00:38
  • It's actually possible to match CN, DN in LDAP form (with or without spaces), and URI or DNS subjectAltName. My plan is to append technical reference material to these topics to flesh them out, but for most people, having a simple explanation is better. -- Main.ScottCantor - 31 Aug 2006 23:43:01