Multiple certificates for an entity


Thijs Kinkhorst

Oct 11, 2011, 11:00:50 AM
to simpleSAMLphp
Hi all,

We're running an SP with SSP 1.6.3 but are running into trouble with a new IdP
that wants to connect but fails signature validation. The problem was traced
to this IdP exporting two certificates in their metadata, which I believe to
be legal. This effectively prevents the IdP from connecting to us at all.

I read
http://groups.google.com/group/simplesamlphp/browse_thread/thread/26858f8a07dcb4c9?pli=1
and as far as I understand simpleSAMLphp doesn't yet support entities with
multiple certificates. Does that still hold, and is there an idea of when such
support would become available? Are there known workarounds?


thanks,

--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Visiting address: Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl


Tom Scavo

Oct 11, 2011, 12:28:06 PM
to simple...@googlegroups.com
On Tue, Oct 11, 2011 at 11:00 AM, Thijs Kinkhorst <th...@uvt.nl> wrote:
>
> We're running an SP with SSP 1.6.3 but are running into trouble with a new IdP
> that wants to connect but fails signature validation.

You mean the IdP is unable to verify the signature on the
AuthnRequest? Or something else?

> The problem was traced
> to this IdP exporting two certificates in their metadata, which I believe to
> be legal.

It is, but this sentence doesn't agree with the previous one.

> This effectively prevents the IdP from connecting to us at all.

I don't know what that means since IdPs don't usually "connect" to SPs
(unless artifact or attribute query are used).

> I read
> http://groups.google.com/group/simplesamlphp/browse_thread/thread/26858f8a07dcb4c9?pli=1

That article is pretty confusing itself, so maybe you could find
another reference? Try searching for the word "rollover" in the
archives.

> and as far as I understand simpleSAMLphp doesn't yet support entities with
> multiple certificates. Does that still hold, and is there an idea of when such
> support would become available? Are there known workarounds?

SSP supports key rollover just fine if I recall. If you could be more
clear about your use case, I can try to help.

Tom

Thijs Kinkhorst

Oct 11, 2011, 3:45:31 PM
to simple...@googlegroups.com

Hi, Tom,

On Tue, 11 Oct 2011 12:28:06 -0400, Tom Scavo <trs...@gmail.com> wrote:
> On Tue, Oct 11, 2011 at 11:00 AM, Thijs Kinkhorst <th...@uvt.nl> wrote:
>>
>> We're running an SP with SSP 1.6.3 but are running into trouble with a
>> new IdP
>> that wants to connect but fails signature validation.
>
> You mean the IdP is unable to verify the signature on the
> AuthnRequest? Or something else?

Thanks for your response.

>> This effectively prevents the IdP from connecting to us at all.
>
> I don't know what that means since IdPs don't usually "connect" to SPs
> (unless artifact or attribute query are used).

With 'connect', I meant connecting in a more general sense, like work
together, not in the strict tcp/ip sense. :-)
Perhaps I was a bit too brief and will try to elaborate on what it is
we're seeing.

We have the following situation: we run an SP using simpleSAMLphp 1.6.3.
To this installation users log in via many different IdPs. So far so good.
A new IdP wants to start using their service and we import their metadata.
When users from that IdP want to log into our service, our simpleSAMLphp
reports:

Unable to validate Signature

0: /usr/share/simplesamlphp/lib/SAML2/Utils.php:104
(SAML2_Utils::validateSignature)
1: /usr/share/simplesamlphp/lib/SAML2/Assertion.php:507
(SAML2_Assertion::validate)
2: /usr/share/simplesamlphp/modules/saml2/lib/Message.php:190
(sspmod_saml2_Message::checkSign)
3: /usr/share/simplesamlphp/modules/saml2/lib/Message.php:708
(sspmod_saml2_Message::processResponse)
4: /usr/share/simplesamlphp/modules/saml/www/sp/saml2-acs.php:50
(require)
5: /usr/share/simplesamlphp/www/module.php:135 (N/A)

with no more details in syslog.

We traced it down to the following. The new IdP has in their published
metadata two X.509 certificates. As it seems, and my reading of the code
does support that a bit, simpleSAMLphp parses this metadata and stores only
the first certificate. Hence it can't validate the signature and the error
message above ensues. When the IdP changed their metadata to only one
certificate, logging in indeed worked again.

This is how I understand the situation we're trying to deal with, but
perhaps I'm completely off and I'd like to learn what could be the problem
instead. Thanks in advance for any advice.

--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services
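The failure mode described above (metadata carries two KeyDescriptors, the SP keeps only the first, a response signed with the other key fails validation) is easy to reproduce in the metadata-parsing layer. The following is an added example, not code from the thread or from simpleSAMLphp: it extracts every signing-capable certificate from constructed IdP metadata and shows a verifier that accepts a message if any candidate key verifies it. The certificate bodies are placeholder strings, and `toy_verify` is an HMAC stand-in for the real XML-DSig check.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata: old and new signing keys (the rollover case from the
# thread) plus an encryption-only key. Certificate bodies are placeholders, not DER.
METADATA = """<md:EntityDescriptor entityID="https://idp.example.org/idp"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>T0xELUNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>TkVXLUNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>RU5DLUNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def signing_certs(metadata_xml):
    """DER bytes of every cert usable for signature verification. A KeyDescriptor
    without a use attribute may sign and encrypt, so it is kept; encryption-only is not."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(node.text.split())))
    return certs

def verify_with_any(message, signature, certs, verify):
    """Accept the message if ANY candidate cert verifies it (key rollover); return the matching
    cert or None. `verify` is the caller's real XML-DSig check (e.g. xmlsec), injected here."""
    for cert in certs:
        if verify(cert, message, signature):
            return cert
    return None

def toy_verify(cert, message, signature):
    # Stand-in for a real signature check: an HMAC keyed on the cert bytes.
    return hmac.compare_digest(hmac.new(cert, message, "sha256").digest(), signature)

def demo():
    certs = signing_certs(METADATA)
    response = b"<samlp:Response>...</samlp:Response>"                 # constructed
    sig = hmac.new(b"NEW-CERT", response, "sha256").digest()          # signed with the new key
    # Keeping only the first cert (the 1.6.3 behaviour described above) fails; all certs succeed.
    return verify_with_any(response, sig, certs[:1], toy_verify), verify_with_any(response, sig, certs, toy_verify)
```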

Tom Scavo

Oct 11, 2011, 5:27:22 PM
to simple...@googlegroups.com
Hi Thijs,

On Tue, Oct 11, 2011 at 3:45 PM, Thijs Kinkhorst <th...@uvt.nl> wrote:
>
> Perhaps I was a bit too brief and will try to elaborate on what it is
> we're seeing.

Thanks for the followup. That helps.

> We have the following situation: we run an SP using simpleSAMLphp 1.6.3.
> To this installation users log in via many different IdPs. So far so good.
> A new IdP wants to start using their service and we import their metadata.
> When users from that IdP want to log into our service, our simpleSAMLphp
> reports:
>
>   Unable to validate Signature...
>
> We traced it down to the following. The new IdP has in their published
> metadata two X.509 certificates. As it seems, and my reading of the code
> does support that a bit, simpleSAMLphp parses this metadata and stores only
> the first certificate.

Well then, that's a SSP bug.

> This is how I understand the situation we're trying to deal with, but
> perhaps I'm completely off and I'd like to learn what could be the problem
> instead.

I don't think you're doing anything wrong. If the SP software won't
process two certificates in IdP metadata, that's a bug. Have you
created an issue for this?

Tom

Olav Morken

Oct 12, 2011, 3:34:36 AM
to simple...@googlegroups.com
On Tue, Oct 11, 2011 at 17:00:50 +0200, Thijs Kinkhorst wrote:
> Hi all,
>
> We're running an SP with SSP 1.6.3 [...]

Support for extracting multiple certificates from SAML 2.0 metadata
was added in version 1.7.0.

Regards,
Olav Morken
UNINETT / Feide


Thijs Kinkhorst

Oct 12, 2011, 5:48:29 AM
to simple...@googlegroups.com

On Wed, 12 Oct 2011 09:34:36 +0200, Olav Morken <olav....@uninett.no> wrote:

> On Tue, Oct 11, 2011 at 17:00:50 +0200, Thijs Kinkhorst wrote:
>> Hi all,
>>
>> We're running an SP with SSP 1.6.3 [...]
>
> Support for extracting multiple certificates from SAML 2.0 metadata
> was added in version 1.7.0.

Thanks - I guess we'll need to be planning an upgrade then.


--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services
