SecurityConfiguration
This page covers only the small set of additions this extension makes on top of what is documented for Shibboleth IdP 3 SecurityConfiguration.
File(s): conf/credentials-oidc.xml, conf/oidc-relying-party.xml, conf/idp-oidc.properties
The default configuration uses a credential configuration for OIDC flows that is separate from the SAML2 one. Three properties in idp-oidc.properties, idp.signing.oidc.rs.key, idp.signing.oidc.es.key and idp.signing.oidc.rsa.enc.key, point to the JWK resources used for signing and decryption. The beans that consume these properties (BasicJWKCredentialFactoryBean) are defined in credentials-oidc.xml.
A JWK credential may also be used for signing SAML2 responses and, the other way around, standard Shibboleth signing/encryption credentials may be applied in the OIDC security configuration. Whichever type of credential is used, the signing credentials and the signature algorithms configured with them must match each other (for example an ES512 algorithm requires an EC P-521 key).
Let's assume you need to use the ES512 signing algorithm for rp "needy".
First you need to generate the P-521 key and then define a new credential for it in credentials-oidc.xml:
```xml
<bean id="shibboleth.oidc.SpecialSigningCredential"
      class="org.geant.idpextension.oidc.profile.spring.factory.BasicJWKCredentialFactoryBean"
      p:jWKResource="/opt/shibboleth-idp/credentials/my-idp-signing-ec521.jwk" />
```
The second step is to create a new security configuration and then apply it to the client in oidc-relying-party.xml:
```xml
<bean id="SpecialSecurityConfig" parent="shibboleth.oidc.DefaultSecurityConfiguration">
    <property name="signatureSigningConfiguration">
        <bean parent="shibboleth.BasicSignatureSigningConfiguration"
              p:signingCredentials-ref="shibboleth.oidc.SpecialSigningCredential">
            <property name="signatureAlgorithms">
                <list>
                    <util:constant
                        static-field="org.geant.idpextension.oidc.crypto.support.SignatureConstants.ALGO_ID_SIGNATURE_ES_512" />
                </list>
            </property>
        </bean>
    </property>
</bean>

<bean parent="RelyingPartyByName" c:relyingPartyIds="https://needy.rp.example.org">
    <property name="profileConfigurations">
        <list>
            <bean parent="OIDC.SSO" p:securityConfiguration-ref="SpecialSecurityConfig" />
        </list>
    </property>
</bean>
```
As a result, only the EC P-521 key and the ES512 algorithm may be used for rp "needy".
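Because a signing configuration only works when the JWK behind the credential matches the algorithm listed in signatureAlgorithms, a quick pre-deployment check of the JWK file against the intended algorithm catches the mismatch before the IdP fails at sign time. The following is an added example, not part of the extension or the Shibboleth IdP; it uses only the Python standard library and constructed JWKs with placeholder parameters, and the function and constant names are the example's own.

```python
import json

# JWA signature algorithm -> (required JWK "kty", required "crv" or None).
# ES* algorithms are each bound to one curve; RS*/PS* need an RSA key.
ALG_KEY_REQUIREMENTS = {
    "RS256": ("RSA", None), "RS384": ("RSA", None), "RS512": ("RSA", None),
    "PS256": ("RSA", None), "PS384": ("RSA", None), "PS512": ("RSA", None),
    "ES256": ("EC", "P-256"), "ES384": ("EC", "P-384"), "ES512": ("EC", "P-521"),
}


def check_signing_jwk(jwk_json, alg):
    """Return (ok, reason) telling whether the JWK can sign with algorithm alg."""
    try:
        jwk = json.loads(jwk_json)
    except ValueError as exc:
        return False, "JWK is not valid JSON: %s" % exc
    if alg not in ALG_KEY_REQUIREMENTS:
        return False, "unsupported signature algorithm %r" % alg
    kty, crv = ALG_KEY_REQUIREMENTS[alg]
    if jwk.get("kty") != kty:
        return False, "%s needs kty=%s, JWK has kty=%s" % (alg, kty, jwk.get("kty"))
    if crv is not None and jwk.get("crv") != crv:
        return False, "%s needs crv=%s, JWK has crv=%s" % (alg, crv, jwk.get("crv"))
    # Signing needs the private part; for both RSA and EC JWKs that is "d".
    if "d" not in jwk:
        return False, "JWK holds only the public key; signing needs the private part"
    # A key marked use=enc (such as the one behind idp.signing.oidc.rsa.enc.key)
    # is a decryption key and must not be wired into a signing configuration.
    if jwk.get("use") not in (None, "sig"):
        return False, "JWK use=%s is not a signing key" % jwk["use"]
    # If the JWK pins an algorithm itself, it has to agree with the configuration.
    if "alg" in jwk and jwk["alg"] != alg:
        return False, "JWK is pinned to alg=%s, configuration asks for %s" % (jwk["alg"], alg)
    return True, "ok"


# Constructed sample JWKs: "<x>", "<y>", "<n>", "<d>" are placeholders, not key material.
P521_SIGNING_JWK = json.dumps({"kty": "EC", "crv": "P-521", "use": "sig",
                               "kid": "idp-es512-example", "x": "<x>", "y": "<y>", "d": "<d>"})
RSA_SIGNING_JWK = json.dumps({"kty": "RSA", "use": "sig", "kid": "idp-rs256-example",
                              "n": "<n>", "e": "AQAB", "d": "<d>"})

if __name__ == "__main__":
    for label, jwk, alg in [("needy/ES512", P521_SIGNING_JWK, "ES512"),
                            ("rsa-key/ES512", RSA_SIGNING_JWK, "ES512")]:
        print(label, check_signing_jwk(jwk, alg))
```

In a deployment the JWK JSON would be read from the file named by p:jWKResource and the algorithm taken from the signatureAlgorithms list of the same security configuration.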
Beans directly related to this configuration area follow:
- shibboleth.oidc.DefaultSecurityConfiguration, default security configuration for oidc sso.
- shibboleth.oidc.SigningConfiguration, default signing configuration for oidc sso.
- shibboleth.oidc.EncryptionConfiguration, default encryption configuration for oidc sso.
- shibboleth.oidc.requestObjectSignatureValidationConfiguration, default request object signature validation configuration for oidc sso.
- shibboleth.oidc.requestObjectDecryptionConfiguration, default request object decryption configuration for oidc sso.
- shibboleth.oidc.SigningCredentials, list of signing credentials for shibboleth.oidc.SigningConfiguration.
- shibboleth.oidc.EncryptionCredentials, list of decryption credentials for shibboleth.oidc.requestObjectDecryptionConfiguration.
Properties defined in idp.properties directly related to this configuration area follow:
- idp.signing.oidc.rs.key, Resource containing RSA JWK for signing, typically a file in the credentials directory
- idp.signing.oidc.es.key, Resource containing EC JWK for signing, typically a file in the credentials directory
- idp.signing.oidc.rsa.enc.key, Resource containing RSA JWK for decryption, typically a file in the credentials directory