SAML SP Metadata with multiple signing keys


Matthew Gordon

Feb 28, 2022, 12:41:47 PM
to CAS Community
We have a SAML SP (3rd Party system) that has multiple signing keys in their metadata. They rotate keys, yearly, from a Public Certificate Authority. CAS picks either the first key or the one with the furthest expiration date, I don't know which, but I do know it's picking the wrong certificate. Is there a way to influence this behavior, so I can use their hosted, on the internet, metadata, rather than having to copy and update locally?

Thank you in advance!

Thank you,
Matt

Ray Bon

Feb 28, 2022, 2:59:18 PM
to cas-...@apereo.org
Matthew,


Ray

On Mon, 2022-02-28 at 09:41 -0800, Matthew Gordon wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Gordon, Matthew

Feb 28, 2022, 3:45:09 PM
to cas-...@apereo.org
Hi Ray,

Thank you for the suggestion.

I am attempting to use that method already, but the two signing keys in their metadata present the problem. If I configure the service definition to pull their metadata via the https URL, it works.

The problem is they sign their AuthN request and CAS is unable to verify the signature, since it picks the wrong signing key from their metadata, that was successfully obtained by CAS, via the URL.

To make it work, I have to save the metadata, and remove the invalid signing key, then use a local copy of the metadata and a "metadataLocation":"file/....", rather than the URL.

Thank you,
Matt



Ray Bon

Feb 28, 2022, 4:22:20 PM
to cas-...@apereo.org
Gordon,

That sounds like a bug.

CAS should try all keys until one works. This is necessary for key rollover to take place. As you mentioned, this SP does this on a yearly basis.

Hopefully one of the maintainers can comment on this.

Ray
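The rollover-tolerant check Ray describes (walk every signing-capable KeyDescriptor in the SP metadata and accept the request if any of them verifies it), as an added example that is neither CAS code nor anything posted in this thread. It assumes a detached Ed25519 signature over the raw request bytes stands in for the XML-DSig that CAS actually validates, and the metadata it checks is a constructed sample the block builds itself with two self-signed certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"math/big"
	"strings"
	"time"
)
// One <md:KeyDescriptor>; the tags give local names only, so the md:/ds: prefixes match in any namespace.
type keyDescriptor struct {
	Use  string `xml:"use,attr"`
	Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
}
// verifyWithAny tries EVERY signing-capable certificate in the SP metadata until one verifies sig over msg and returns that KeyDescriptor's index; checking only the first key is the behaviour reported in the thread.
func verifyWithAny(md, msg, sig []byte) (int, error) {
	var m struct{ Keys []keyDescriptor `xml:"SPSSODescriptor>KeyDescriptor"` }
	if err := xml.Unmarshal(md, &m); err != nil {
		return -1, err
	}
	for i, k := range m.Keys {
		if k.Use == "encryption" { // an absent use attribute means signing AND encryption
			continue
		}
		der, _ := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(k.Cert), "")) // published metadata line-wraps the base64
		c, err := x509.ParseCertificate(der) // also fails when the base64 itself was garbage
		if err != nil {
			return -1, err
		}
		if pub, ok := c.PublicKey.(ed25519.PublicKey); ok && ed25519.Verify(pub, msg, sig) {
			return i, nil
		}
	}
	return -1, errors.New("no signing key in the SP metadata verifies this signature")
}
// constructedSP builds constructed sample metadata holding n self-signed signing certs (oldest first) and returns their private keys.
func constructedSP(n int) (md string, keys []ed25519.PrivateKey) {
	for i := 1; i <= n; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		t := &x509.Certificate{SerialNumber: big.NewInt(int64(i)), NotBefore: time.Now(), NotAfter: time.Now().AddDate(i, 0, 0)}
		der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
		md += `<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` + base64.StdEncoding.EncodeToString(der) + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`
		keys = append(keys, priv)
	}
	return `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:SPSSODescriptor>` + md + `</md:SPSSODescriptor></md:EntityDescriptor>`, keys
}
```

Signing a sample request with the second (newer) key and calling verifyWithAny returns index 1, while a check that only ever consults the first KeyDescriptor would reject it exactly as described above.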