The <CredentialResolver>
element configures the component that provides the SP with access to public and private keys and certificates, or credentials. Keys are used to sign messages sent to IdPs and to decrypt data sent to the SP.
The credentials used by an SP MUST correspond to those supplied to relying parties and federations in the SP's metadata, or trust failures will result. |
The SP web server manages its own keys and certificates to establish TLS/SSL connections with browser users. While it is technically possible for the SP software to use the same keypair and certificate used by the web server itself, this is generally not a good idea. Also note that in the current implementation, only the shibd
process needs to access the SP's credentials, so the web server does not need any special access.
type
(string)
Indicated by type="File"
, loads keys and certificates stored in files using common formats. PEM, DER, and PKCS#12 are supported.
The following two examples are equivalent:
<CredentialResolver type="File" key="/etc/shibboleth/sp.key" certificate="/etc/shibboleth/sp.crt"/> |
<CredentialResolver type="File"> <Key> <Path>/etc/shibboleth/sp.key</Path> </Key> <Certificate> <Path>/etc/shibboleth/sp.crt</Path> </Certificate> </CredentialResolver> |
certificate
(local pathname)
<Certificate>
element (see below) whose <Path>
element contains the value of the attribute.key
(local pathname)
<Key>
element (see below) whose <Path>
element contains the value of the attribute.password
(string)
key
shorthand attribute is used.keyName
(string)
key
shorthand attribute is used. See the <Name>
element below.use
(one of "signing", "encryption", or "TLS")
keyInfoMask
(integer bitmask) (defaults to 15) (Version 2.1 and Above)
extractNames
(boolean) (defaults to true) (Version 2.3.1 and Above)
<Key>
password
(string)
format
("PEM", "DER", or "PKCS12")
<Path>
<Name>
(zero or more)
<ds:KeyInfo>
element included in XML messages to assist relying parties in identifying which key was used.<Certificate>
password
(string)
format
("PEM", "DER", or "PKCS12")
<Path>
<Path>
elements.<CAPath>
(zero or more)
<CRL>
format
("PEM", "DER")
<Path>
<Path>
elements.Version 2.2 and Above
As of version 2.2, the plugin has been rewritten and enhanced with additional capabilities for reloading file-based credentials after changes, and loading remote URLs to disk before use. The following additional attributes and elements can be used on each of the <Key>
, <Certificate>
, and <CRL>
child elements above.
backingFilePath
(local pathname)
<URL>
element below is used, this attribute is required in order to provide a location at which the resource at the URL will be stored.reloadChanges
(boolean, defaults to "true")
<Path>
element is used, controls whether changes to the file are detected in order to reload the information.reloadInterval
(time in seconds, defaults to zero)
<URL>
element below is used, indicates the maximum elapsed time in seconds after which the URL will be downloaded again.<URL>
(zero or more)
Path
element containing the URL at which the credential information can be found.In the case of certificates and CRLs, multiple <Path>
and <URL>
elements can appear, including a mixture of the two, as required.
Indicated by type="Chaining"
, allows multiple sources of credentials to be queried in sequence.
With V2.4 and above, this is implied by any configuration with multiple <CredentialResolver>
elements, so is no longer explicitly needed.
Primarily used to allow different keys and certificates to be used based on the identity provider. While this works in some situations, it can be complex to get working, and it's strongly advisable for SPs to maintain a single set of credentials to use for all interactions.
When chaining Filesystem resolvers, you will need to assign "names" to each keypair using the keyName
attribute or <Name>
element for later selection using the <RelyingParty>
's keyName
attribute. Generally this should be the "CN" from the X.509 Subject, or a subjectAltName value, that uniquely differentiates the certificates.
A simple example follows, but for more details, see the NativeSPMultipleCredentials topic.
<CredentialResolver type="Chaining"> <CredentialResolver type="File" key="sp.key" certificate="sp.crt" keyName="default.example.org"/> <CredentialResolver type="File" key="special.key" certificate="special.crt" keyName="special.example.org"/> </CredentialResolver> |
<CredentialResolver>
(one or more)