SecurityConfiguration
This page covers only the small set of additions the OIDC extension makes on top of what is documented in the Shibboleth IdP 3 SecurityConfiguration topic.
File(s): conf/credentials-oidc.xml, conf/oidc-relying-party.xml, conf/idp-oidc.properties
There are three properties, idp.signing.oidc.rs.key, idp.signing.oidc.es.key and idp.signing.oidc.rsa.enc.key, in idp-oidc.properties that point to the JWK resources used for signing and decryption. The beans (BasicJWKCredentialFactoryBean) that consume these properties are defined in credentials-oidc.xml.
A JWK credential may also be used for signing SAML 2 responses, and the other way around: the standard Shibboleth signing/encryption credentials may be applied in the OIDC security configuration.
Let's assume you need to use ES512 signing algorithm for rp "needy".
First, generate the P-521 key and then define a new credential for it in credentials-oidc.xml:

```xml
<bean id="shibboleth.oidc.SpecialSigningCredential"
      class="org.geant.idpextension.oidc.profile.spring.factory.BasicJWKCredentialFactoryBean"
      p:jWKResource="/opt/shibboleth-idp/credentials/my-idp-signing-ec521.jwk" />
```
The second step is to create a new security configuration and then apply it to the client in oidc-relying-party.xml:

```xml
<bean id="SpecialSecurityConfig" parent="shibboleth.oidc.DefaultSecurityConfiguration">
    <property name="signatureSigningConfiguration">
        <bean parent="shibboleth.BasicSignatureSigningConfiguration"
              p:signingCredentials-ref="shibboleth.oidc.SpecialSigningCredential">
            <property name="signatureAlgorithms">
                <list>
                    <util:constant
                        static-field="org.geant.idpextension.oidc.crypto.support.SignatureConstants.ALGO_ID_SIGNATURE_ES_512" />
                </list>
            </property>
        </bean>
    </property>
</bean>
```
```xml
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://needy.rp.example.org">
    <property name="profileConfigurations">
        <list>
            <bean parent="OIDC.SSO" p:securityConfiguration-ref="SpecialSecurityConfig" />
        </list>
    </property>
</bean>
```
As a result, only the EC521 key and the ES512 algorithm may be used for rp "needy".
- shibboleth.oidc.DefaultSecurityConfiguration, default security configuration for oidc sso.
- shibboleth.oidc.SigningConfiguration, default signing configuration for oidc, credentials and algorithms for id token and user info response signing.
- shibboleth.oidc.EncryptionConfiguration, default encryption configuration for oidc, algorithms for id token and user info response encryption.
- shibboleth.oidc.requestObjectSignatureValidationConfiguration, default request object signature validation configuration, algorithms.
- shibboleth.oidc.requestObjectDecryptionConfiguration, default request object decryption configuration, credentials and algorithms.
- shibboleth.oidc.SigningCredentials, list of signing credentials for shibboleth.oidc.SigningConfiguration.
- shibboleth.oidc.EncryptionCredentials, list of decryption credentials for shibboleth.oidc.requestObjectDecryptionConfiguration.
Properties defined in idp.properties directly related to this configuration area follow:
- idp.signing.oidc.rs.key, Resource containing RSA JWK for signing, typically a file in the credentials directory
- idp.signing.oidc.es.key, Resource containing EC JWK for signing, typically a file in the credentials directory
- idp.signing.oidc.rsa.enc.key, Resource containing RSA JWK for decryption, typically a file in the credentials directory