The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdPCredentials

Define a New Cryptographic Credential

The IdP uses credentials to perform various cryptographic functions (message signing, server/client authenticated TLS connections, encryption, etc.). Credentials are defined in the $IDP_HOME/config/relying-party.xml file and are defined as follows.

If you want to regenerate an IdP's credential, see IdPCertRenew.

Define the Credential

The IdP may have any number of credentials. All credentials are defined after the MetadataProvider element in the relying-party.xml file.

Like other components in the IdP credentials are defined with a generic element, Credential, that contains a type identifying attribute. Each Credential must define an id attribute, which is used in relying party configurations to refer to the credential, and optionally a usage attribute, which restricts the usage of the credential, with a value of Encryption or Signing. A Credential without a usage attribute may be used for either signing (XML digital signatures, SAML simple sign profiles, and TLS connections) or XML encryption.

The following credentials types are currently supported.

Inline X.509 Credential

This credential type allows X.509 credential components to be defined within the various configuration elements themselves in various formats: PEM, DER, PKCS 8 & 12.

Credentials of this type are defined with a Credential element with the attribute xsi:type="X509Inline". The Credential element may then have some of the following child elements:

  • KeyName - A name, or reference, for this credential which may be used in place of the larger expanded form in some use cases. Multiple KeyName elements are allowed.
  • PrivateKey - The private key for the credential; only one PrivateKey element is allowed. The PrivateKey element may include a password attribute with the decryption password for the key.
  • Certificate - The public certificate, or a certificate in the trust chain, for this credential. Each Certificate element may contain more than one encoded certificate and more than one Certificate element may be used. A Certificate element may contain the entityCertificate boolean attribute to indicate that the given certificate is the entity certificate for this credential.
  • CRL - A CRL for this credential. Multiple CRL elements are allowed.
Example Inline X.509 Credential Configuration
<!-- MetadataProvider element above this point -->
<Credential xsi:type="X509Inline" xmlns="urn:mace:shibboleth:2.0:security"
                      id="MyCredential">

   <KeyName>key.example.org</KeyName>

   <PrivateKey password="myKeyPa$$word">
      <!-- Some DER, PEM, or PKCS 8 encoded key -->
   </PrivateKey>

   <Certificate>
      <!-- Some DER or PEM encoded cert -->
   </Certificate>
  
</Credential>

Filesystem X.509 Credential

This credential type allows X.509 credential components, in various formats (PEM, DER, PKCS 8 & 12), to be read from files on the filesystem.

Credentials of this type are defined with a Credential element with the attribute xsi:type="X509Filesystem". The Credential element may then have the some of the following child elements:

  • KeyName - A name, or reference, for this credential which may be used in place of the larger expanded form in some use cases. Multiple KeyName elements are allowed.
  • PrivateKey - The private key file for the credential; only one PrivateKey element is allowed. The PrivateKey element may include a password attribute with the decryption password for the key.
  • Certificate - A public certificate file, or a certificate in the trust chain, for this credential. Each Certificate element may contain more than one encoded certificate and more than one Certificate element may be used. A Certificate element may contain the entityCertificate boolean attribute to indicate that the given certificate is the entity certificate for this credential.
  • CRL - A CRL file for this credential. Multiple CRL elements are allowed.
Example Filesystem X.509 Credential Configuration
<!-- MetadataProvider element above this point -->
<Credential xsi:type="X509Filesystem" xmlns="urn:mace:shibboleth:2.0:security"
                      id="MyCredential">

   <KeyName>key.example.org</KeyName>

   <PrivateKey password="myKeyPa$$word">/path/to/my/private.key</PrivateKey>

   <Certificate>/path/to/my/public.crt</Certificate>
  
</Credential>