List: shibboleth-users
Subject: RE: [Shib-Users] Shibboleth SP signature check
From: "Scott Cantor" <cantor.2 () osu ! edu>
Date: 2010-09-29 17:03:57
Message-ID: 01b301cb5ff8$4df2d880$e9d88980$ () osu ! edu
> I just have a simple question concerning Shibboleth SP configuration: when
> receiving a signed SAML response from a known IdP, is it possible for
> Shibboleth SP to test several X.509 public keys to check the signature (message
> would be "trusted" if the signature is successfully checked using one of the
> several IdP public keys)?
That's how the ExplicitKey trust engine works.
https://spaces.internet2.edu/display/SHIB2/NativeSPTrustEngine#NativeSPTrustEngine-ExplicitKeyTrustEngine
It doesn't matter how the public key is expressed in the metadata, only that
something can turn whatever's there into a key. That part is pluggable
independently of the trust engine itself, but mostly X509Certificate or
RSAKeyValue suffice.
-- Scott