Different certificates (and private keys) for SP signing and encryption #560
Right now at the toolkit you can only register
The toolkit publishes the same public cert to allow the IdP to validate Signatures generated by the SP as well as encrypt the SAML Assertions. Are you sure you are not able to import the generated SP Metadata XML on the IdP side? |
@pitbulk yes, I am absolutely sure that we need different SP certificates and private keys for signing and encryption as this is both required and then verified by the IDP. |
What software is used on the IdP side? The toolkit right now does not support registering different pairs to sign and decrypt |
I am not sure what kind of software is on the IDP side and it is not relevant as this is a new restriction placed by Slovak eGov (slovensko.sk) IDP. It will take effect in the upcoming months. In other words we can not do anything about it but obey. Here is a part of the related docs: The last (highlighted) sentence translates to "Certificate in SP SAML metadata used for encryption must be different from certificate used for signing." I have verified this with them (twice) and they will simply not register an SP metadata with the same certificates. |
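A check for the requirement quoted above, added here as an example that is not part of this issue or of the ruby-saml project: it parses SP metadata with Ruby's REXML and reports whether the certificates published for `use="signing"` and `use="encryption"` are distinct, treating a KeyDescriptor without a `use` attribute as valid for both (as the SAML metadata spec does). The metadata documents and the `CONSTRUCTED-CERT-*` strings standing in for base64 certificates are constructed sample input.

```ruby
require "rexml/document"
require "set"

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Map each published SP certificate to the uses it is declared for.
# A KeyDescriptor with no "use" attribute counts for both signing and encryption.
def sp_certs_by_use(metadata_xml)
  doc = REXML::Document.new(metadata_xml)
  by_use = { "signing" => Set.new, "encryption" => Set.new }
  REXML::XPath.each(doc, "//md:SPSSODescriptor/md:KeyDescriptor", "md" => MD_NS) do |kd|
    uses = kd.attributes["use"] ? [kd.attributes["use"]] : %w[signing encryption]
    REXML::XPath.each(kd, ".//ds:X509Certificate", "ds" => DS_NS) do |cert|
      body = cert.text.to_s.gsub(/\s+/, "") # normalise base64 line wrapping
      uses.each { |u| by_use[u] << body if by_use.key?(u) }
    end
  end
  by_use
end

# The slovensko.sk rule: the encryption certificate must differ from the signing one.
# True only when both uses are present and no certificate is listed for both.
def separate_signing_and_encryption_certs?(metadata_xml)
  by_use = sp_certs_by_use(metadata_xml)
  !by_use["signing"].empty? && !by_use["encryption"].empty? &&
    (by_use["signing"] & by_use["encryption"]).empty?
end

# Constructed sample metadata (hypothetical entityID, placeholder certificate text).
def key_descriptor(cert, use = nil)
  use_attr = use ? %( use="#{use}") : ""
  "<md:KeyDescriptor#{use_attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>" \
    "#{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
end

def sample_sp_metadata(key_descriptors)
  <<~XML
    <md:EntityDescriptor xmlns:md="#{MD_NS}" xmlns:ds="#{DS_NS}" entityID="https://sp.example/metadata">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        #{key_descriptors}
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
  XML
end

SAME_CERT_METADATA = sample_sp_metadata(key_descriptor("CONSTRUCTED-CERT-A", "signing") +
                                        key_descriptor("CONSTRUCTED-CERT-A", "encryption"))
SEPARATE_CERT_METADATA = sample_sp_metadata(key_descriptor("CONSTRUCTED-CERT-A", "signing") +
                                            key_descriptor("CONSTRUCTED-CERT-B", "encryption"))
NO_USE_METADATA = sample_sp_metadata(key_descriptor("CONSTRUCTED-CERT-A"))
```

Only `SEPARATE_CERT_METADATA` passes; the single-certificate layouts (same cert under both uses, or one KeyDescriptor with no `use`) are exactly what the IdP described above rejects.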
I see. P.S. Strange that on page 20 a screenshot of the registered SP appears and only one certificate is shown. |
Well, the docs are always with some mistakes in this case, but there has been an online workshop addressing this and other upcoming changes, so it is absolutely legit. |
@pitbulk anyway, are you willing to accept a PR on this issue? I think we can manage to prepare one in the near future. |
It depends on how you are going to implement it and how much complexity it will add to the toolkit. |
👍 I also encountered this. This is important to be able to implement key rotation on the SP side. The requirement should be:
Currently, RubySaml already supports multiple certs on the IdP side using the
I would like to propose we add
Thoughts / comments? @pitbulk |
I see the use cases differently. At the SP side, we support multiple IdP certs in order to be able to validate the Signature of the SAMLResponse. Some IdPs support multiple private_key/certs at the same time, so the scenario of supporting multiple makes sense not only in the cert rotation scenario. The key rotation on ruby SAML was implemented in a very easy way. When there is a new private_key/public cert to be used, the public cert is added as I don't understand the requirement from the slovensko.sk IDP requiring 2 different SP certs involved in the signature validation and the encryption process, to be honest. There is no other SAML profile with this kind of requirement. See saml2int |
The fact that SAML allows different signing and encryption certs, however silly it may be in practice, still means we ought to support it. The APIs provided by this gem should be relatively unopinionated (within reason) |
Here is another reason why this should be supported. |
@pitbulk it appears governments are requiring this, even if it is silly in practice, it means the |
@pitbulk any further thoughts on this? |
@pavolzbell @jsuchal I've implemented this here: #673 I've added lots of test cases so I'm fairly confident in it. Please try it out. |
@johnnyshields : My project also needs signing/encryption certificates, when will it release? |
@ducthien1490 you can use my branch here. The merge/release is up to @pitbulk as the project maintainer. |
I plan to add this on next release. |
Hello, I am facing an IDP who requires different certificates (and private keys) for signing and encryption. Is it possible to configure my SP in such a way with this gem?