File(s): conf/credentials.xml, conf/relying-party.xml, conf/idp.properties
Format: Native Spring, Property files.
Overview
There are multiple aspects of configuration that fall under the heading of security:
credentials (keys and certificates)
configuration and control of algorithms to use for signing or encryption (as well as verifying signatures and decryption)
"TrustEngines" used to evalate signatures and certificates during message processing
other steps that run during profile execution to evaluate messages
All of these settings are associated with profile or relying party behavior, so most of them are configured as part of the more general RelyingPartyConfiguration service, and as such are reloaded when that service is reloaded.
General Topics
Reference
Notes
The IdP defaults to the use of separate keypairs for signing and decryption, the latter being a capability that is rarely used at present and primarily comes into play only when processing <LogoutRequest> messages that contain an encrypted subject ID.
The default algorithms used have been updated to:
RSA or ECDSA (depending on key type) with SHA-256 digests
AES-CBC-128 with RSA-OAEP-MGF1 key transport
The IdP also supports a standardized SAML metadata extension that influences the algorithms it will use, based on the capabilities of the SP. For metadata under your control, using the extension to specify that SHA-1 is required is generally a better strategy than specifying it in a RelyingParty override, but often this isn't possible. We encourage deployers to ask their metadata sources (i.e., federations) about this capability, as it is critically important for dealing with future algorithm weaknesses that may emerge over time.