The SP's documentation says that I need to provide a KeyName instead of
explicit X509 data in the IdP's responses. What they instruct is to copy
and paste the cert data into their application and then give it a name,
then I am supposed to use that same name in the KeyInfo->KeyName field.
I Googled and searched the Shibboleth docs on using the KeyName, but I
don't know which documentation is the correct one to follow. Could someone
point me in the right direction on how to do this by providing a link to
the correct documentation?
Here is the edited version of the SP's example SAML response showing the
KeyInfo->KeyName setup:
<samlp:Response ...>
  ...
  <saml:Assertion ...>
    ...
    <ds:Signature ...>
      ...
      <ds:KeyInfo>
        <ds:KeyName>samlkey</ds:KeyName>
      </ds:KeyInfo>
    </ds:Signature>
    ...
  </saml:Assertion>
</samlp:Response>
Thanks,
Jason
If you mean in the assertion:
a) you have no control over that to my knowledge
b) the SP is basically broken; KeyInfo is a hint only and it isn't
required in general to contain anything specific, particularly in a
signature
If you mean in metadata, that's a different story, but I doubt that's what
you mean. An SP that's that broken isn't likely to even use metadata.
>Here is the edited version of the SP's example SAML response showing the
>KeyInfo->KeyName setup:
If the IdP doesn't already inject a KeyName into its signatures, nothing
you do short of hacking code will fix it, I suspect.
-- Scott
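As an added example, not code from this thread or from Shibboleth: a Python sketch of how an SP can treat ds:KeyInfo as the hint Scott describes, choosing only among keys it already trusts from metadata and never using key material the message itself carries. The namespace URIs are the standard SAML 2.0 and XML DSig ones; the trusted-key table, key placeholders and response skeleton are constructed for the example.

```python
"""Resolve signing-key candidates for a SAML response, treating ds:KeyInfo as a hint.

Added example: the TRUSTED_KEYS table stands in for keys the SP loaded from
the IdP's metadata, and the placeholder strings stand in for certificates.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed: KeyName -> key material the SP trusts (two keys, as during a rollover).
TRUSTED_KEYS = {"samlkey": "IDP-CERT-A", "samlkey-rollover": "IDP-CERT-B"}

# Constructed response skeleton with the Assertion/Signature/KeyInfo layout from the thread.
RESPONSE_TEMPLATE = (
    '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}">'
    "<saml:Assertion><ds:Signature>{keyinfo}</ds:Signature></saml:Assertion>"
    "</samlp:Response>"
)


def build_response(keyinfo_xml: str) -> str:
    """Embed a ds:KeyInfo fragment (or nothing) into the constructed response."""
    return RESPONSE_TEMPLATE.format(keyinfo=keyinfo_xml, **NS)


def candidate_keys(response_xml: str, trusted: dict) -> list:
    """Return the trusted keys to try when verifying the assertion signature.

    A KeyName naming a trusted key narrows the choice to that key. Anything
    else in KeyInfo (an unknown name, or embedded X509Data) is ignored: the
    verifier falls back to every trusted key rather than adopting key material
    the sender supplied. A missing KeyInfo likewise yields all trusted keys.
    """
    root = ET.fromstring(response_xml)
    keyinfo = root.find(".//saml:Assertion/ds:Signature/ds:KeyInfo", NS)
    if keyinfo is None:
        return list(trusted.values())
    name_el = keyinfo.find("ds:KeyName", NS)
    if name_el is not None and name_el.text in trusted:
        return [trusted[name_el.text]]
    # Hint present but unusable: never trust what the message carries.
    return list(trusted.values())
```

A stricter deployment may choose to reject an unknown KeyName outright instead of falling back; either way the embedded material is never used as the verification key.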