FileCredentialResolver
- 1 Overview
- 2 Reference
- 2.1 Attributes
- 2.2 Child Elements
- 3 Examples
Overview
Indicated by type="File", loads keys and certificates stored in local or remote files using common formats. PEM, DER, and PKCS#12 are supported.
Obviously for security reasons, local files are generally used to store credentials, but it is possible to load them remotely, particularly in the case of a CRL (certificate revocation list).
Reference
Attributes
Name | Type | Default | Description |
|---|---|---|---|
type | string |
| Required, set to "File" in the case of this plugin |
certificate | local pathname |
| Shorthand for a <Certificate> element whose |
key | local pathname |
| Shorthand for a <Key> element whose |
password | string |
| Optional password for decrypting the private key if the |
keyName | string |
| Optional "alias" for the key if the |
use | "signing", "TLS", "encryption", |
| Optional setting that limits the use of the credential to the designated purpose. Note that " |
keyInfoMask | integer bitmask | 15 | Optional bitmask controlling the content of generated KeyInfo information. By default, various combinations of the key value, name(s), X.509 certificate, and X.509 subject name are included. Certificate issuer and serial number are not, because of known bugs in non-Shibboleth software. The actual output in any given case depends on the underlying implementation. |
extractNames | boolean | true | Optional flag to disable the default extraction of "key names" based on the supplied certificate. Allows deployer to maximize control over the exact names, if any, that will be available to match against a compared key in a signature or encrypted key block. Normally left on except in specialized cases. |
Child Elements
Examples
The following two examples are equivalent:
<FileCredentialResolver type="File" key="sp.key" certificate="sp.crt"/>
<FileCredentialResolver type="File">
<Key>
<Path>sp.key</Path>
</Key>
<Certificate>
<Path>sp.crt</Path>
</Certificate>
</FileCredentialResolver>