X.509 Certificates in Federation Metadata

This article discusses the use of X.509 certificates in Federation metadata. It has security implications so please read it carefully.

A SAML entity uses public key cryptography to secure the data transmitted to trusted partners. Public keys are published in the form of X.509 certificates in metadata whereas the corresponding private keys are held securely by the entity. These keys are used for message-level signing and encryption, and to create secure back channels for transporting SAML messages over SSL/TLS. They are not used for browser-facing SSL/TLS transactions on port 443. See the Key Usage topic for more information.

The InCommon Federation employs the Explicit Key Trust Model, one of several possible metadata trust models. Consequently, the use of long-lived, self-signed certificates in metadata is strongly recommended. Certificates signed by a Certification Authority (CA) are allowed, and in most situations will work just fine, but the use of certificates other than self-signed certificates is discouraged. See the Background information and the Interoperability notes below for further discussion. The Key Handling topic shows how to create self-signed certificates and how to handle the corresponding private keys.

All federation participants are being transitioned to *long-lived, self-signed certificates with 2048-bit keys* by the end of 2012. *The end is near.* See \[3\] for more detail.

Any certificates you want to use with your SAML software are uploaded via the administrative interface. Typically only one certificate is required but multiple certificates may be uploaded and used as needed. For instance, multiple certificates may be used to facilitate the controlled rollover of expired certificates. For recommended guidelines on the rollover process, refer to the Certificate Migration topic.

Contents

Background

In the base SAML metadata specification \[1\], a certificate signing authority (CA) has no assumed relevance to the trust model that secures the interactions among a federation's participants. In fact, certificates signed by a CA are discouraged since they can create interoperability issues in certain situations and lead to configurations that mistakenly establish trust based on the certificate signer. Allowing self-signed certificates simplifies the work of participants who may be required to join multiple federations, or who support local systems that are not registered in the Federation.

InCommon conforms to the _SAML V2.0 Metadata Interoperability Profile_ \[2\] from OASIS. Participant site administrators securely transmit X.509 certificates and metadata to InCommon via the administrative web interface. InCommon signs the entire metadata file, securing the keys of its participants whether those keys are bound to self-signed certificates or certificates signed by a CA. The critical element in the certificate is the public key, which is associated with the participant's "entityID." The other elements in the certificate are irrelevant for security and trust processing. Theoretically, if all the relevant software systems could accept a public key without a certificate wrapper, InCommon would only need to include the public key of each endpoint. As it is, the certificate is a convenient container for the public key, the critical element being that the key is bound to a particular entity in the metadata.

Requirements

InCommon sets the following security and trust requirements around certificates included in Federation metadata:

• The use of long-lived, self-signed certificates in Federation metadata is strongly RECOMMENDED.
  • Certificates with lifetimes of 10 or more years are RECOMMENDED to avoid unnecessary technically-imposed deadlines on key rollover.
• Service providers MUST include an encryption key in SP metadata.
  • The encryption key is used by IdPs to encrypt SAML V2.0 assertions transmitted to the SP.
• RSA keys with a minimum size of 2048 bits MUST be used for all new certificates introduced into Federation metadata.
  • New certificates with keys less than 2048 bits are not allowed in Federation metadata.
  • All participants MUST upgrade to 2048-bit keys by December 2012.
• Participants SHOULD generate a new private key and submit a new certificate with a new 2048-bit key every 3 years.
  • This does not mean the certificate itself needs to expire in 3 years.
• Expired certificates SHOULD NOT be introduced into Federation metadata.
• A certificate in metadata that expires SHOULD be removed once a certificate migration process to a new key has been completed.
• InCommon does not validate Subject information in self-signed certificates because this information is irrelevant to the federated security context. However, at its own discretion, InCommon will reject metadata submissions if that submission contains a certificate with fields that contain egregiously misrepresented Subject information as decided by InCommon on a case by case basis. Generally, subject information should express a somewhat reasonable relationship between the certificate and your organization.

Interoperability

Consider the following interoperability issues as you set up and maintain your deployment:

• A potential federation partner (especially a partner not using the Shibboleth software) may question the use of self-signed certificates. As discussed in the Background section, there are, in fact, fewer interoperability issues with self-signed certificates compared to CA-signed certificates.

• The Shibboleth software does not check the expiration dates of certificates \[4\], but *expired certificates often cause interoperability issues* with other software (such as the OIOSAML Java SP) and with some versions of Apache used in the deployment of the Shibboleth IdP. InCommon recommends that you plan ahead and [migrate to an unexpired certificate|Certificate Migration] well ahead of your certificate's expiration date.

• For key management purposes, InCommon allows multiple certificates per role descriptor at any time. (You can log in to the administrative interface, select a particular role, and associate more than one certificate with that role for the purposes of migrating from one certificate to another.) Bear in mind, however, that some SAML implementations do not support multiple keys properly and you may want to test this capability with your non-Shibboleth partners. For example:
  • EZProxy is known to ignore additional keys beyond the first.
  • AD FS 2.0 will not consume an <md:EntityDescriptor> element containing more than one encryption key.
• At the deployer's convenience, a single certificate may be bound to multiple entities in InCommon metadata. However, some implementations (e.g., AD FS 2.0) do not allow the same certificate to be used by two distinct entities.
• If the certificate will be used for SSL/TLS server authentication, the certificate's CN (and/or subjectAltName) value should match the server's hostname. This is especially true for IdPs but may also be true in certain advanced scenarios where the SP acts as a SOAP responder.
• Avoid certificates with special certificate extensions, since some implementations will actually try to use them. For example, AD FS 2.0 will attempt to access the CRL at the location given in the CRL Distribution Point certificate extension.

References

\[1\] _Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0_ [http://saml.xml.org/saml-specifications]
\[2\] _SAML V2.0 Metadata Interoperability Profile_ [http://wiki.oasis-open.org/security/SAML2MetadataIOP]
\[3\] [X.509 Certificates in the Federation Metadata|http://internet2.na6.acrobat.com/p46467886/]: A technical webinar presented by the _InCommon Technical Advisory Committee_ (October 22, 2009)
\[4\] _The Shibboleth ExplicitKey Trust Engine_ [https://wiki.shibboleth.net/confluence/display/SHIB2/ExplicitKeyTrustEngine]