Using certFingerprint in metadata?


Emmanuel Dreyfus

Apr 12, 2015, 3:42:37 AM
to simple...@googlegroups.com
Hello

I use mod_auth_mellon's MellonSamlResponseDump setting to dump the SAML
assertion in Apache environment. But when trying to use PHP-FPM (PHP in
a separate process), it breaks, because mod_proxy_fcgi limits
environment variable size to 16k. From the code:
avail_len = 16 * 1024;
/* our limit per record, which could have been up
* to AP_FCGI_MAX_CONTENT_LEN
*/

The assertion overflows the limit by 365 bytes. Most of the space is
taken by x509 certificates. Reading the code, it seems simpleSAMLphp can
send certFingerprint instead of X509Certificate in SAML assertion. Is
there a way to configure this, or does it require modifying the code?

If I return after $element->setSignatureKey($privateKey); in
sspmod_saml_Message::addSign() without setting the certificate, it seems
to work fine with the SP.

And generally speaking, what is the value of sending the x509
certificate? This increases message size, but for what gain?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@netbsd.org

Peter Schober

Apr 12, 2015, 10:34:53 AM
to simple...@googlegroups.com
* Emmanuel Dreyfus <ma...@netbsd.org> [2015-04-12 09:42]:
> I use mod_auth_mellon's MellonSamlResponseDump setting to dump the SAML
> assertion in Apache environment. But when trying to use PHP-FPM (PHP in
> a separate process), it breaks, because mod_proxy_fcgi limits
> environment variable size to 16k.

That's the reason the Shibboleth SP does not export the assertion(s)
as envvars, but exposes them via GET parameters from localhost.

> The assertion overflows the limit by 365 bytes. Most of the space is
> taken by x509 certificates. Reading the code, it seems simpleSAMLphp can
> send certFingerprint instead of X509Certificate in SAML assertion. Is
> there a way to configure this, or does it require modifying the code?

I doubt the issuer doing that will be able to interoperate with
anything else then.

> And generally speaking, what is the value of sending the x509
> certificate? This increases message size, but for what gain?

It allows the relying party to know which of its potentially several
keys the message was encrypted with/to, or which of the issuer's
potentially several keys was used to sign the message -- not sure
which certificate you're looking at.
Not sure that's even a SAML issue, or just a consequence of using
XMLenc/XMLdsig with SAML.
-peter
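An added example in Python (not code from the thread, mod_auth_mellon or simpleSAMLphp) that puts numbers on the two points discussed above: how much of a SAML Response is X509Certificate content measured against the 16 KiB mod_proxy_fcgi limit quoted in the first message, and what a relying party loses in key selection when the certificate is left out of the signature, as in the workaround and in Peter's answer. The Response skeleton, the certificate blob and the key labels are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
FCGI_ENV_LIMIT = 16 * 1024  # avail_len in mod_proxy_fcgi, as quoted in the thread

# Constructed sample: a signed Response skeleton whose KeyInfo carries a base64
# "certificate". The blob is a padded placeholder, not a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-der-bytes-" * 40).decode()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature><ds:SignatureValue>c2ln</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"/>
</samlp:Response>"""

def sha1_fingerprint(cert_b64: str) -> str:
    """SHA-1 over the DER bytes, lowercase hex: the usual certificate fingerprint."""
    return hashlib.sha1(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def certificate_bytes(xml: str) -> int:
    """Bytes of <ds:X509Certificate> content; the thread says this dominates the size."""
    root = ET.fromstring(xml)
    return sum(len(e.text or "") for e in root.iter(DS + "X509Certificate"))

def fits_fcgi_env(xml: str, limit: int = FCGI_ENV_LIMIT) -> bool:
    """Would the document survive mod_proxy_fcgi's per-record envvar limit?"""
    return len(xml.encode()) <= limit

def strip_key_info(xml: str) -> str:
    """Models the thread's workaround (signing without setting the certificate):
    the Signature no longer carries a KeyInfo naming the signing certificate."""
    root = ET.fromstring(xml)
    for sig in root.iter(DS + "Signature"):
        for key_info in sig.findall(DS + "KeyInfo"):
            sig.remove(key_info)
    return ET.tostring(root, encoding="unicode")

def candidate_keys(xml: str, trusted: dict) -> list:
    """Relying-party side. `trusted` maps SHA-1 fingerprint -> key label, like a
    certFingerprint-style configuration. An embedded certificate pins the message
    to one trusted key; without it every trusted key has to be tried."""
    certs = [e.text for e in ET.fromstring(xml).iter(DS + "X509Certificate") if e.text]
    if not certs:
        return sorted(trusted.values())
    return [trusted[fp] for fp in map(sha1_fingerprint, certs) if fp in trusted]
```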