Define a New Cryptographic Credential

The IdP uses credentials to perform various cryptographic functions (message signing, server/client authenticated TLS connections, encryption, etc.). Credentials are defined in the $IDP_HOME/config/relying-party.xml file, as described below.

If you want to regenerate an IdP's credential, see IdPCertRenew.

Define the Credential

The IdP may have any number of credentials. All credentials are defined after the MetadataProvider element in the relying-party.xml file.

Like other components in the IdP, credentials are defined with a generic element, Credential, that carries a type-identifying attribute. Each Credential must define an id attribute, which relying party configurations use to refer to the credential, and may optionally define a usage attribute, which restricts the credential to either Encryption or Signing. A Credential without a usage attribute may be used for either signing (XML digital signatures, SAML simple sign profiles, and TLS connections) or XML encryption.

The following credential types are currently supported.

Inline X.509 Credential

This credential type allows X.509 credential components to be defined within the various configuration elements themselves in various formats: PEM, DER, PKCS 8 & 12.

Credentials of this type are defined with a Credential element with the attribute xsi:type="X509Inline". The Credential element may then have some of the following child elements:

<!-- MetadataProvider element above this point -->
<Credential xsi:type="X509Inline" xmlns="urn:mace:shibboleth:2.0:security"
            id="MyCredential">

   <KeyName>key.example.org</KeyName>

   <PrivateKey password="myKeyPa$$word">
      <!-- Some DER, PEM, or PKCS 8 encoded key -->
   </PrivateKey>

   <Certificate>
      <!-- Some DER or PEM encoded cert -->
   </Certificate>

</Credential>

Filesystem X.509 Credential

This credential type allows X.509 credential components, in various formats (PEM, DER, PKCS 8 & 12), to be read from files on the filesystem.

Credentials of this type are defined with a Credential element with the attribute xsi:type="X509Filesystem". The Credential element may then have some of the following child elements:

<!-- MetadataProvider element above this point -->
<Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security"
            id="MyCredential">

   <KeyName>key.example.org</KeyName>

   <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>

   <Certificate>/path/to/my/public.crt</Certificate>

</Credential>
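As an added example (not part of the Shibboleth documentation or the IdP code), the following Python script checks Credential elements of both types shown above against the rules this page states: an id is required, usage may only be Encryption or Signing, xsi:type must be a supported type, and for X509Filesystem credentials the referenced key and certificate files must exist. The sample XML, its wrapper root element and the file paths are constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

SEC_NS = "urn:mace:shibboleth:2.0:security"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
SUPPORTED_TYPES = {"X509Inline", "X509Filesystem"}  # the types this page documents
ALLOWED_USAGE = {"Encryption", "Signing"}

# Constructed sample: one well-formed credential and two that break the page's rules.
SAMPLE_XML = """<Root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Credential xsi:type="X509Inline" xmlns="urn:mace:shibboleth:2.0:security"
              id="MyCredential" usage="Signing">
    <Certificate>PEM certificate body goes here (placeholder)</Certificate>
  </Credential>
  <Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security"
              id="MyCredential" usage="Both">
    <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>
    <Certificate>/path/to/my/public.crt</Certificate>
  </Credential>
  <Credential xsi:type="X509Pkcs12" xmlns="urn:mace:shibboleth:2.0:security">
    <Certificate>/path/to/other.crt</Certificate>
  </Credential>
</Root>"""


def lint_credentials(xml_text, check_files=True):
    """Return (credential id, problem) tuples; an empty list means no findings."""
    findings = []
    seen_ids = set()
    for cred in ET.fromstring(xml_text).iter(f"{{{SEC_NS}}}Credential"):
        cid = cred.get("id")
        label = cid or "<no id>"
        if cid is None:
            findings.append((label, "missing required id attribute"))
        elif cid in seen_ids:
            findings.append((label, "duplicate id; relying parties refer to credentials by id"))
        seen_ids.add(cid)
        # xsi:type may carry a namespace prefix in real files, so compare the local name
        ctype = (cred.get(XSI_TYPE) or "").split(":")[-1]
        if ctype not in SUPPORTED_TYPES:
            findings.append((label, f"unsupported xsi:type {ctype!r}"))
        usage = cred.get("usage")
        if usage is not None and usage not in ALLOWED_USAGE:
            findings.append((label, f"usage must be Encryption or Signing, got {usage!r}"))
        if ctype == "X509Filesystem" and check_files:
            for tag in ("PrivateKey", "Certificate"):
                for el in cred.findall(f"{{{SEC_NS}}}{tag}"):
                    path = (el.text or "").strip()
                    if not os.path.isfile(path):
                        findings.append((label, f"{tag} file not found: {path!r}"))
    return findings
```

Run it against the real relying-party.xml before restarting the IdP; a non-empty result points at the Credential id that needs attention.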