
I'm writing an app that I'm trying to integrate into a Shibboleth/SAML authentication provider. I'm the SP, I believe (I'm using github.com/crewjam/saml for the SAML code). I've gotten the code to work with https://samltest.id and one other Shibboleth implementation.

A third Shibboleth implementation does not work, however. The tech support for the non-working server has given me its IdP URL, which appears to contain similar XML as the other two IdP URLs. In addition, the tech support emailed me a file containing another certificate -- not included in the XML -- and asked me whether I was using it.

At this point, I'm a little confused as to what exactly I need to implement. Do I need to somehow include this emailed certificate manually in my code? Or, should I rely on the XML to provide the right information?

I'd appreciate any advice!

Brent

1 Answer


The answer to this question depends on your "non-working" IdP. A SAML entity uses public key cryptography to secure the data transmitted to trusted partners. Public keys are published in the form of X.509 certificates in metadata whereas the corresponding private keys are held securely by the entity. These keys are used for message-level signing and encryption, and to create secure back channels for transporting SAML messages over TLS.

IF the IdP metadata (the XML document) is correct, it should contain the IdP's public key. Ideally you should rely on the metadata and the public key in the metadata but Things Happen(tm) and the cert in metadata might not be what you want. See this answer for a little more detail on that.

identigral
  • Thanks for the advice. I added the certificate directly to the code, an ugly kludge, and it works finally. However, I'm hoping the IdP will update its metadata file. – Brent Aug 16 '19 at 01:55
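As an added example (not from the question, the answer, or the crewjam/saml library the asker uses), here is a standard-library Go check for exactly the situation in this thread: parse the IdP metadata, pull out the certificates it publishes for signing, and compare a certificate file received out of band against them by SHA-256 fingerprint. The entityID, the self-signed certificates and the metadata document are constructed sample data, and the function names are my own. Two details matter in practice: a KeyDescriptor with no use attribute is valid for both signing and encryption, so it must not be skipped, and the base64 in real metadata is wrapped and indented, so whitespace has to be stripped before decoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// idpMetadata is the slice of SAML 2.0 metadata that carries the IdP's certificates; namespace prefixes (md:, ds:) are ignored because encoding/xml matches local names when the tag names no namespace.
type idpMetadata struct {
	EntityID string `xml:"entityID,attr"`
	Keys     []struct {
		Use   string   `xml:"use,attr"` // "signing", "encryption" or empty (= both)
		Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}

// signingCertsFromMetadata returns every certificate the IdP publishes for signing; a KeyDescriptor with no use attribute counts as a signing key as well.
func signingCertsFromMetadata(metadata []byte) ([]*x509.Certificate, error) {
	var md idpMetadata
	if err := xml.Unmarshal(metadata, &md); err != nil {
		return nil, fmt.Errorf("parse metadata: %w", err)
	}
	var certs []*x509.Certificate
	for _, kd := range md.Keys {
		if kd.Use != "" && kd.Use != "signing" {
			continue // encryption-only key: not what verifies the IdP's signatures
		}
		for _, b64 := range kd.Certs {
			// Metadata wraps the base64 over several indented lines; strip all whitespace first.
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
			if err != nil {
				return nil, fmt.Errorf("decode X509Certificate in %q: %w", md.EntityID, err)
			}
			c, err := x509.ParseCertificate(der)
			if err != nil {
				return nil, fmt.Errorf("parse X509Certificate in %q: %w", md.EntityID, err)
			}
			certs = append(certs, c)
		}
	}
	return certs, nil
}

// certInMetadata reports whether a PEM certificate received out of band (say, by e-mail) is one of the signing certificates the metadata publishes.
func certInMetadata(pemCert, metadata []byte) (bool, error) {
	block, _ := pem.Decode(pemCert)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	certs, err := signingCertsFromMetadata(metadata)
	if err != nil {
		return false, err
	}
	want := sha256.Sum256(block.Bytes) // SHA-256 over the DER bytes: the usual fingerprint
	for _, c := range certs {
		if sha256.Sum256(c.Raw) == want {
			return true, nil
		}
	}
	return false, nil
}

// selfSignedCert makes a throwaway certificate standing in for an IdP signing key (constructed sample data; errors ignored because no real IdP is involved).
func selfSignedCert(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

// buildMetadata emits a minimal Shibboleth-style IdP metadata document with one signing certificate; the entityID is a placeholder, not a real IdP.
func buildMetadata(entityID string, certDER []byte) []byte {
	return []byte(fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%s">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      %s
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`, entityID, base64.StdEncoding.EncodeToString(certDER)))
}

func main() {
	published, emailed := selfSignedCert("idp-published"), selfSignedCert("idp-emailed")
	md := buildMetadata("https://idp.example.test/idp/shibboleth", published)
	for _, der := range [][]byte{published, emailed} {
		ok, err := certInMetadata(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), md)
		fmt.Printf("sha256=%x in metadata: %v err=%v\n", sha256.Sum256(der), ok, err)
	}
}
```

Running it shows the published certificate matching and the second, unrelated certificate not matching. A mismatch like that is the signal to ask the IdP operator which key actually signs their assertions and to get the metadata corrected; hard-coding the e-mailed certificate makes the integration work today but will break silently at the IdP's next key rollover, which is exactly the kind of drift metadata is meant to prevent.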