The IdP uses credentials to perform various cryptographic functions (message signing, server/client authenticated TLS connections, encryption, etc.). Credentials are defined in the $IDP_HOME/config/relying-party.xml file as described below.
If you want to regenerate an IdP's credential, see IdPCertRenew.
The IdP may have any number of credentials. All credentials are defined after the MetadataProvider element in the relying-party.xml file.
Like other components in the IdP, credentials are defined with a generic element, Credential, that contains a type-identifying attribute. Each Credential must define an id attribute, which is used in relying party configurations to refer to the credential, and optionally a usage attribute, which restricts the usage of the credential to a value of Encryption or Signing. A Credential without a usage attribute may be used for either signing (XML digital signatures, SAML simple sign profiles, and TLS connections) or XML encryption.
The following credential types are currently supported.
The X509Inline credential type allows X.509 credential components to be defined inline, within the configuration elements themselves, in various formats: PEM, DER, PKCS 8 & 12.

Credentials of this type are defined with a Credential element with the attribute xsi:type="X509Inline". The Credential element may then have some of the following child elements:

- KeyName elements are allowed.
- A PrivateKey element is allowed. The PrivateKey element may include a password attribute with the decryption password for the key.
- A Certificate element may contain more than one encoded certificate, and more than one Certificate element may be used. A Certificate element may contain the entityCertificate boolean attribute to indicate that the given certificate is the entity certificate for this credential.
- CRL elements are allowed.

Example:

<!-- MetadataProvider element above this point -->
<Credential xsi:type="X509Inline" xmlns="urn:mace:shibboleth:2.0:security" id="MyCredential">
    <KeyName>key.example.org</KeyName>
    <PrivateKey password="myKeyPa$$word">
        <!-- Some DER, PEM, or PKCS 8 encoded key -->
    </PrivateKey>
    <Certificate>
        <!-- Some DER or PEM encoded cert -->
    </Certificate>
</Credential>
The X509Filesystem credential type allows X.509 credential components, in various formats (PEM, DER, PKCS 8 & 12), to be read from files on the filesystem.

Credentials of this type are defined with a Credential element with the attribute xsi:type="X509Filesystem". The Credential element may then have some of the following child elements:

- KeyName elements are allowed.
- A PrivateKey element is allowed. The PrivateKey element may include a password attribute with the decryption password for the key.
- A Certificate element may contain more than one encoded certificate, and more than one Certificate element may be used. A Certificate element may contain the entityCertificate boolean attribute to indicate that the given certificate is the entity certificate for this credential.
- CRL elements are allowed.

Example:

<!-- MetadataProvider element above this point -->
<Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security" id="MyCredential">
    <KeyName>key.example.org</KeyName>
    <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>
    <Certificate>/path/to/my/public.crt</Certificate>
</Credential>
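As an added example (not part of the Shibboleth documentation), the following Python script applies the rules above to the Credential elements of a relying-party.xml fragment: required id, usage limited to Encryption or Signing, a single PrivateKey, at least one Certificate, at most one entityCertificate="true", and a note whenever a key password sits in the configuration file. The sample XML is constructed here, and the Config wrapper element is an assumption standing in for the real root element.

```python
"""Lint the Credential elements of a Shibboleth IdP 2.x relying-party.xml fragment."""
import xml.etree.ElementTree as ET

SEC = "{urn:mace:shibboleth:2.0:security}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
KNOWN_TYPES = {"X509Inline", "X509Filesystem"}  # the two types described on this page
VALID_USAGE = {"Encryption", "Signing"}


def check_credentials(xml_text):
    """Return a list of (credential id, finding) pairs; an empty list means clean."""
    findings = []
    for cred in ET.fromstring(xml_text).iter(SEC + "Credential"):
        cid = cred.get("id") or "<no id>"
        if cid == "<no id>":
            findings.append((cid, "missing id attribute, so no relying party can refer to it"))
        # xsi:type may carry a namespace prefix (security:X509Inline); compare the local part
        ctype = (cred.get(XSI_TYPE) or "").split(":")[-1]
        if ctype not in KNOWN_TYPES:
            findings.append((cid, f"unsupported xsi:type {ctype!r}"))
        usage = cred.get("usage")
        if usage is not None and usage not in VALID_USAGE:
            findings.append((cid, f"usage must be Encryption or Signing, not {usage!r}"))
        keys = cred.findall(SEC + "PrivateKey")
        if len(keys) != 1:
            findings.append((cid, f"expected exactly one PrivateKey, found {len(keys)}"))
        if any(k.get("password") is not None for k in keys):
            findings.append((cid, "PrivateKey password is kept in relying-party.xml; restrict read access"))
        certs = cred.findall(SEC + "Certificate")
        if not certs:
            findings.append((cid, "no Certificate element"))
        if sum(c.get("entityCertificate") == "true" for c in certs) > 1:
            findings.append((cid, "more than one Certificate is marked entityCertificate=\"true\""))
    return findings


# Constructed sample in the shape of the page's examples: one clean credential, one with defects.
# The Config wrapper only supplies the xsi prefix; it stands in for the real root element.
SAMPLE = """<Config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security" id="IdPSigning" usage="Signing">
    <KeyName>key.example.org</KeyName>
    <PrivateKey>/path/to/my/private.key</PrivateKey>
    <Certificate entityCertificate="true">/path/to/my/public.crt</Certificate>
  </Credential>
  <Credential xsi:type="X509Inline" xmlns="urn:mace:shibboleth:2.0:security" id="Broken" usage="Both">
    <PrivateKey password="myKeyPa$$word"><!-- PEM-encoded key would go here --></PrivateKey>
  </Credential>
</Config>"""
```

For the constructed sample, every finding concerns the Broken credential: the invalid usage value, the password attribute in the configuration file, and the missing Certificate element.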