The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

EmbeddedCertificates

Embedding Certificates in Metadata

Trust between Shibboleth providers can be achieved by embedding the certificates used by the providers directly in their metadata. This has a number of advantages over a PKI-based approach, such as simpler encryption flows, easier revocation, and more flexibility in certificate issuance. Any certificate will work with this approach, but self-signed certificates are easiest to make if you don't already have one lying around.

To create a keypair and a self-signed certificate, use the following two commands. Complete the fields as seems appropriate; the only important one is the CN field, which must be equal to the full domain name of the server, such as www.supervillain.edu.

openssl genrsa -out myprovider.key 2048
openssl req -new -x509 -nodes -sha1 -days 3650 -key myprovider.key > myprovider.crt

Cat out the new certificate file's contents. Strip out the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings from what you paste, but leave them in the file itself. Leading and trailing whitespace breaks early versions of Xerces; this was fixed in 2.6.1 and in 2.7. Embedded whitespace (indenting) probably requires xmlsec 1.3, which doesn't use OpenSSL's broken base64 decoder; it's not clear what the Java parser allows. Place the resulting alphanumeric soup in XML like the following:

<!-- Minimal KeyDescriptor carrying one embedded certificate. No use="..." attribute is given,
     so per the SAML metadata schema the key is offered for every purpose (signing and
     encryption); the federation example further down narrows it with use="signing".
     The element text is the base64 body only, with the BEGIN/END lines removed as described above. -->
<KeyDescriptor>
	<ds:KeyInfo>
		<ds:X509Data>
			<ds:X509Certificate>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			</ds:X509Certificate>
		</ds:X509Data>
	</ds:KeyInfo>
</KeyDescriptor>

The complete metadata for a two-provider Evil Federation would thus resemble:

<!-- NOTE(review): with embedded certificates the trust anchors ARE this document, so its
     integrity matters as much as a CA would: obtain it over an authenticated channel (or sign it)
     and re-check validUntil on every load - the example date below is long past. -->
<EntitiesDescriptor
	 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
	 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
	 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
	 xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd
	 urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd
	 http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
	 Name="https://www.supervillain.edu/evil-federation/policy.html"
	 validUntil="2010-01-01T00:00:00Z">

	<!-- The xsi:schemaLocation values above are relative paths into the Shibboleth distribution;
	     a validator should resolve schemas from its own local copies rather than from whatever
	     a document claims. -->

	<!-- This is the metadata for Evil Federation using embedded certificates. -->

	<!-- The Supervillain IdP -->
	<EntityDescriptor entityID="https://idp.example.org/shibboleth">
		<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
			<Extensions>
				<!-- It's authoritative for supervillain.edu. -->
				<shibmd:Scope>supervillain.edu</shibmd:Scope>
			</Extensions>

			<!-- Paste the IdP signing certificate body here (base64 only, no BEGIN/END lines).
			     Relying parties that trust this metadata verify the IdP's signatures against it. -->
			<KeyDescriptor use="signing">
				 <ds:KeyInfo>
					  <ds:X509Data>
						  <ds:X509Certificate>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						  </ds:X509Certificate>
					  </ds:X509Data>
				 </ds:KeyInfo>
			</KeyDescriptor>

			<!-- NOTE(review): this back-channel SOAP endpoint (and the AttributeService below) is
			     advertised over plain http on port 8080 in this example; in a real deployment the
			     assertions and attributes returned over it should travel over TLS (https Location). -->
			<ArtifactResolutionService index="1"
				Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
				Location="http://idp.example.org:8080/shibboleth-idp/Artifact"/>

			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

			<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
				 Location="https://idp.example.org/shibboleth-idp/SSO"/>

		</IDPSSODescriptor>
		
		<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
			<Extensions>
				<!-- It's authoritative for supervillain.edu. -->
				<shibmd:Scope>supervillain.edu</shibmd:Scope>
			</Extensions>

			<!-- Attribute authority signing certificate, shown in full: the base64 body of the
			     DER certificate without the BEGIN/END lines, exactly as the text above describes. -->
			<KeyDescriptor use="signing">
				 <ds:KeyInfo>
					  <ds:X509Data>
						  <ds:X509Certificate>
MIIEzTCCA7WgAwIBAgIJAPBxTwLnvO0aMA0GCSqGSIb3DQEBBQUAMIGfMQswCQYD
VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4G
A1UEChMXU3VwZXJ2aWxsYWluIFVuaXZlcnNpdHkxHTAbBgNVBAMTFGlkcC5zdXBl
cnZpbGxhaW4uZWR1MSswKQYJKoZIhvcNAQkBFhxncmVlbmdvYmxpbkBzdXBlcnZp
bGxhaW4uZWR1MB4XDTA2MDgxNzIxMDUzNVoXDTE2MDgxNDIxMDUzNVowgZ8xCzAJ
BgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGR290aGFtMSAw
HgYDVQQKExdTdXBlcnZpbGxhaW4gVW5pdmVyc2l0eTEdMBsGA1UEAxMUaWRwLnN1
cGVydmlsbGFpbi5lZHUxKzApBgkqhkiG9w0BCQEWHGdyZWVuZ29ibGluQHN1cGVy
dmlsbGFpbi5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf18VZ
75icxGtfpH50gZpDST1nNvCB2zhU3EYJtnMFCwQY/oWQhWz34+f/78ahiYfWBb+v
QaaRgf2IVMM38Mrol2sqn79s9dmEJyPqOaupWZmskgR05aogt2oFYtXCvV2QGurI
FvDn9Z/bIjrC+Xp7Mztu/Zx7dEFmdtkgvSBcnjVr7unGcObSxNAMOG//DEIyIXkj
eMuw/EAlqJBCF33hDDuaQIaZsfJsSIG7hiB7AxaP5+q0sRaimMuw/7urbIveNC9V
vNYNZa4XE8DQzTA8Gc7qqdlCnwvuYEZU5SDB/UwF6LSRqm9Z/dH7hW5j9k/Wqx8S
P4XNmW83QgE0hF2DAgMBAAGjggEIMIIBBDAdBgNVHQ4EFgQUnrDyPuiCOWUqq6oQ
x2vgw6DxYmcwgdQGA1UdIwSBzDCByYAUnrDyPuiCOWUqq6oQx2vgw6DxYmehgaWk
gaIwgZ8xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMG
R290aGFtMSAwHgYDVQQKExdTdXBlcnZpbGxhaW4gVW5pdmVyc2l0eTEdMBsGA1UE
AxMUaWRwLnN1cGVydmlsbGFpbi5lZHUxKzApBgkqhkiG9w0BCQEWHGdyZWVuZ29i
bGluQHN1cGVydmlsbGFpbi5lZHWCCQDwcU8C57ztGjAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBBQUAA4IBAQCqrOghCppgxhs4a96r+LgNeUlWc6j6/t0MJA8i3HpB
B3QIvfGS/0UWUwClhx4K5clnNKmLNcps6QvwVxKE/hjzE6B9Vo4+F+0WprPjvoK5
FCYGYLfhCSDRi8GXATVQlQ6kaChOH7PgjAejrBNoRCKzq/sAP+1ZB0TaJaigbXEu
QnFlpBv54Vq+HBsS5i0N9Qd5kyB2FVOfecSzQEqOeNENreoKxlj8vLqQRH0DPObf
A2hidRUUxZktslTpuN+9hTpeqVWVx802QpzDNTeBEn8lf2e4eStQuY8edkh9yE/j
F/xPvs1EdxIeiFvd237Ef9TV2JoxEN2+pOSTtdJ8Exk0
						  </ds:X509Certificate>
					  </ds:X509Data>
				 </ds:KeyInfo>
			</KeyDescriptor>
			
			<!-- Attribute query endpoint; see the TLS note on the ArtifactResolutionService above. -->
			<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
				 Location="http://idp.example.org:8080/shibboleth-idp/AA"/>

			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
		</AttributeAuthorityDescriptor>

		<!-- This is just information about the entity in human terms. -->
		<Organization>
			 <OrganizationName xml:lang="en">The Exalted University of Supervillains</OrganizationName>
			 <OrganizationDisplayName xml:lang="en">Supervillain University</OrganizationDisplayName>
			 <OrganizationURL xml:lang="en">http://www.supervillain.edu/</OrganizationURL>
		</Organization>
		<ContactPerson contactType="technical">
			 <SurName>Norman Osborn</SurName>
			 <EmailAddress>greengoblin@supervillain.edu</EmailAddress>
		</ContactPerson>

	</EntityDescriptor>

	<!-- The main Supervillain web server -->
	<EntityDescriptor entityID="https://www.supervillain.edu/shibboleth/evil-federation/sp">
	
		<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

			<!-- Paste the SP signing certificate body here (base64 only, no BEGIN/END lines). -->
			<KeyDescriptor use="signing">
				 <ds:KeyInfo>
					  <ds:X509Data>
						  <ds:X509Certificate>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						  </ds:X509Certificate>
					  </ds:X509Data>
				 </ds:KeyInfo>
			</KeyDescriptor>

			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

			<!-- Assertion consumer endpoints, both over https. isDefault="true" marks the one an
			     IdP should use when a request does not name an endpoint; the index values let a
			     request select the other. -->
			<AssertionConsumerService index="1" isDefault="true"
				Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
				Location="https://www.supervillain.edu/Shibboleth.sso/SAML/POST"/>
			<AssertionConsumerService index="2"
				Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
				Location="https://www.supervillain.edu/Shibboleth.sso/SAML/Artifact"/>
		</SPSSODescriptor>

		<!-- This is just information about the entity in human terms. -->
		<Organization>
			 <OrganizationName xml:lang="en">The Exalted University of Supervillains</OrganizationName>
			 <OrganizationDisplayName xml:lang="en">Supervillain University</OrganizationDisplayName>
			 <OrganizationURL xml:lang="en">http://www.supervillain.edu/</OrganizationURL>
		</Organization>
		<ContactPerson contactType="technical">
			 <SurName>Erik Magnus Lehnsherr</SurName>
			 <EmailAddress>magneto@supervillain.edu</EmailAddress>
		</ContactPerson>
		
	</EntityDescriptor>

</EntitiesDescriptor>