
List:       shibboleth-users
Subject:    RE: [Shib-Users] Shibboleth SP signature check
From:       "Scott Cantor" <cantor.2 () osu ! edu>
Date:       2010-09-29 17:03:57
Message-ID: 01b301cb5ff8$4df2d880$e9d88980$ () osu ! edu

> I just have a simple question concerning Shibboleth SP configuration: when
> receiving a signed SAML response from a known IdP, is it possible for
> Shibboleth SP to test several X.509 public keys to check the signature (the message
> would be "trusted" if the signature is successfully checked using one of the
> several IdP public keys)?

That's how the ExplicitKey trust engine works.

https://spaces.internet2.edu/display/SHIB2/NativeSPTrustEngine#NativeSPTrustEngine-ExplicitKeyTrustEngine

It doesn't matter how the public key is expressed in the metadata, only that
something can turn whatever's there into a key. That part is pluggable
independently of the trust engine itself, but mostly X509Certificate or
RSAKeyValue suffice.

-- Scott
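
The per-key check Scott describes, written out as an added example in Go (this is not Shibboleth code and not part of the thread). The constructed metadata carries one key as an X509Certificate and one as a bare RSA key; RSAKeyValue is modelled here as a DER PKIX public key, which is an assumption of the example. A resolver turns each entry into a key, and the trust check accepts the signature if it verifies under any one of them. The function names, the IdP subject name and the sample message are all constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// KeyDescriptor stands in for one <ds:KeyInfo> in the IdP's metadata; RSAKeyValue is
// modelled as a DER PKIX public key (an assumption of this example).
type KeyDescriptor struct {
	Kind string // "X509Certificate" or "RSAKeyValue"
	DER  []byte
}

// resolveKey is the pluggable "turn whatever is there into a key" step, independent of
// the trust decision made in explicitKeyTrust.
func resolveKey(kd KeyDescriptor) (*rsa.PublicKey, error) {
	var pub interface{}
	var err error
	switch kd.Kind {
	case "X509Certificate":
		var cert *x509.Certificate
		if cert, err = x509.ParseCertificate(kd.DER); err == nil {
			pub = cert.PublicKey
		}
	case "RSAKeyValue":
		pub, err = x509.ParsePKIXPublicKey(kd.DER)
	}
	if err != nil {
		return nil, err
	}
	if rsaPub, ok := pub.(*rsa.PublicKey); ok {
		return rsaPub, nil
	}
	return nil, fmt.Errorf("%q does not resolve to an RSA key", kd.Kind)
}

// explicitKeyTrust models the ExplicitKey trust engine: the signature is trusted if and
// only if it verifies under at least one key resolved from the metadata. Certificate
// chains and validity dates are ignored on purpose; unresolvable descriptors are skipped.
func explicitKeyTrust(message, sig []byte, keys []KeyDescriptor) bool {
	digest := sha256.Sum256(message)
	for _, kd := range keys {
		pub, err := resolveKey(kd)
		if err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return true
		}
	}
	return false
}

// signMessage stands in for the IdP signing a Response (RSA-SHA256, PKCS#1 v1.5).
func signMessage(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// buildScenario returns constructed metadata for an IdP in key rollover: keys[0] is
// published as a self-signed certificate, keys[1] as a bare RSA key, keys[2] not at all.
func buildScenario() ([]KeyDescriptor, [3]*rsa.PrivateKey, error) {
	var keys [3]*rsa.PrivateKey
	var err error
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, keys, err
		}
	}
	// Minimal self-signed certificate; the subject name is constructed.
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "idp.example.org"}}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, keys, err
	}
	pkixDER, err := x509.MarshalPKIXPublicKey(&keys[1].PublicKey)
	if err != nil {
		return nil, keys, err
	}
	return []KeyDescriptor{{"X509Certificate", certDER}, {"RSAKeyValue", pkixDER}}, keys, nil
}

func main() {
	metadata, keys, err := buildScenario()
	if err != nil {
		panic(err)
	}
	msg := []byte(`<samlp:Response ID="constructed-example"/>`)
	for i, k := range keys {
		sig, _ := signMessage(k, msg)
		fmt.Println("signed with key", i, "trusted:", explicitKeyTrust(msg, sig, metadata))
	}
}
```

Running it reports the first two keys as trusted and the third as not. Two things are worth noticing. The certificate is only a container for a key: its issuer, dates and chain never enter the decision, which is exactly why the encoding in the metadata does not matter. And because both rollover keys are listed, a response signed by either one is accepted until the old entry is removed from the metadata the SP loads.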

