...

  • A potential federation partner (especially a partner not using the Shibboleth software) may question the use of self-signed certificates. As discussed in the Background section, there are, in fact, fewer interoperability issues with self-signed certificates compared to CA-signed certificates.
  • The Shibboleth software does not check the expiration dates of certificates [4], but expired certificates often cause interoperability issues with other software and with some versions of Apache used in the deployment of the Shibboleth IdP. InCommon recommends that you plan ahead and migrate to an unexpired certificate well ahead of your certificate's expiration date.
  • For key management purposes, InCommon allows multiple certificates per endpoint at any time. (You can log in to the site administration tool, select a particular endpoint, and associate more than one certificate with that endpoint for the purposes of migrating from one certificate to another.) Bear in mind, however, that some SAML implementations do not support multiple keys properly and you may want to test this capability with non-Shibboleth partners. For example, EZProxy supports metadata, but is known to ignore additional keys beyond the first.
  • If the certificate will be used for TLS/SSL server authentication (e.g., an IdP's SOAP endpoint), the certificate's CN (and/or subjectAltName) value should match the server's hostname. This will maximize the chances that your implementation will work. This TLS/SSL configuration is left to your discretion and responsibility. InCommon highlights this point because it is a likely source of problems if not met. Note: This is especially true for IdPs but may also be true in certain advanced scenarios where the SP acts as a SOAP responder.
Tip: Recognizing a TLS/SSL Key

Any <md:KeyDescriptor> element in metadata that has either a use="signing" attribute or no use attribute whatsoever is accepted for use with TLS/SSL.
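As an added example (not InCommon or Shibboleth code), the following Python applies the tip's rule to constructed sample IdP metadata: it lists which <md:KeyDescriptor> certificates are eligible for TLS/SSL, pulls the hostnames of the SOAP endpoints that the certificate's CN/subjectAltName must match, and flags when more than one eligible key is published for the endpoint. The entityID, hostname and certificate text are placeholders, not real values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample IdP metadata: hostname and certificate text are placeholders,
# not real values. Three keys: explicit signing, no use attribute, encryption-only.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-A-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-B-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-C-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def tls_eligible(key_descriptor):
    """Apply the tip's rule: use="signing" or no use attribute is accepted for TLS/SSL."""
    return key_descriptor.get("use") in (None, "signing")


def audit_idp_keys(metadata_xml):
    """Return the TLS-eligible certificates, the SOAP hostnames they must match,
    and whether more than one eligible key is published (some partners use only the first)."""
    role = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    eligible = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS).strip()
                for k in role.findall("md:KeyDescriptor", NS) if tls_eligible(k)]
    # TLS/SSL server authentication applies to SOAP endpoints (e.g. artifact resolution):
    # the certificate's CN or subjectAltName should match each of these hostnames.
    soap_hosts = sorted({urlparse(e.get("Location")).hostname
                         for e in role.iter() if e.get("Binding") == SOAP_BINDING})
    return {"tls_certs": eligible, "soap_hosts": soap_hosts,
            "multiple_tls_keys": len(eligible) > 1}
```

Run against your own exported metadata, the multiple_tls_keys flag is the cue to test a key rollover with non-Shibboleth partners before relying on it.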

Obtaining a Self-signed Certificate

...

The self-signed certificate generated during the installation of the Shibboleth IdP may be suitable, but this depends on your need for a TLS/SSL certificate and whether the hostname it deduces matches the one you expect to publish in your metadata. This will often not be the case, so use caution.

...