On 04/08/14 10:44, Ian Young wrote:
>
> On 4 Aug 2014, at 10:27, Mark Cairney <[log in to unmask]> wrote:
>
>> It mostly looks fine however it doesn't appear to have an x509 certificate embedded but instead has an "RSAKeyValue" stanza with a Modulus (173 chars) and an Exponent (4 chars).
>
> The X.509 certificate you see in UK federation metadata is simply a wrapper for an RSA public key; RSAKeyValue is an alternative (and shorter) representation of that same public key without the wrapper. So it's equivalent but my suspicion is that not all SAML implementations would actually process the public key in this form.
>
OK, thanks for confirming this. You've saved me about an hour's worth of
ploughing through the docs :)
>> 1. Can I trust this? I'm being mildly paranoid as they've also asked me to release "uid" to this SP.
>
> There's nothing inherently untrustworthy about this; it's just (as you point out) extremely unusual. If you're getting the metadata from a trusted source, your real concern is whether this unusual construct will be processed correctly by your SAML implementation. For that, I suggest you suck it and see.
>
Our test IdP (where we've already loaded this metadata from a file)
seems to process it fine and attributes are being released correctly.
>> 2. In its current form, would a metadata file generated in this manner be admissible to the UK Federation?
>
> No, we wouldn't accept that. Our tooling currently assumes that RSA public keys are wrapped in X.509 certificates. If metadata like that was submitted, we would ask for the RSAKeyValue to be replaced by a long-lived self-signed certificate.
OK, given that at their side there's a tight deadline, I'll submit the
metadata as-is manually onto our Live IdP and feed back to them what
you've said about the UK Federation requiring a certificate. The company
is Australian (or at least their Dev SP had a .au domain), so perhaps
other federations have different requirements.
>
> -- Ian @hat='UKfederation'
>
>
>
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
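An added example, not from either poster and not the UK federation's tooling: a small standard-library Python check that walks the md:KeyDescriptor elements of a metadata file and reports whether each key is carried as a ds:X509Certificate or as a bare ds:RSAKeyValue, which is the distinction the thread turns on. For the RSAKeyValue form it also decodes ds:Modulus and ds:Exponent, so you can see the key size before deciding whether to load it (a 1024-bit modulus with its leading zero byte is 129 bytes, which base64-encodes to 172 characters, about the length mentioned above). The metadata, the modulus bytes and the certificate body are all constructed placeholders, not real keys, and the 2048-bit minimum is an assumed local policy, not something stated in the thread.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modulus: a leading zero byte followed by 128 bytes whose
# first byte has the top bit set, i.e. a 1024-bit modulus as it would appear
# in ds:Modulus. This is NOT a real key.
_MODULUS_B64 = base64.b64encode(b"\x00\xc3" + b"\x5a" * 127).decode()

# Constructed sample metadata: the signing key is a bare RSAKeyValue, the
# encryption key is an X.509 certificate whose body is just base64("PLACEHOLDER").
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
                     entityID="https://sp.example.invalid/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:KeyValue>
          <ds:RSAKeyValue>
            <ds:Modulus>{_MODULUS_B64}</ds:Modulus>
            <ds:Exponent>AQAB</ds:Exponent>
          </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _b64_to_int(text):
    """Decode a base64 big-endian unsigned integer (ds:Modulus / ds:Exponent)."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


def classify_key_descriptors(metadata_xml):
    """Return one record per md:KeyDescriptor saying how its key is expressed."""
    root = ET.fromstring(metadata_xml)
    records = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        # Per the SAML metadata schema an absent 'use' means both uses.
        rec = {"use": kd.get("use", "signing and encryption"),
               "form": "unknown", "bits": None, "exponent": None}
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        rsa = kd.find("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue", NS)
        if cert is not None and cert.text and cert.text.strip():
            rec["form"] = "X509Certificate"
        elif rsa is not None:
            rec["form"] = "RSAKeyValue"
            modulus = rsa.find("ds:Modulus", NS)
            exponent = rsa.find("ds:Exponent", NS)
            if modulus is not None and modulus.text:
                rec["bits"] = _b64_to_int(modulus.text).bit_length()
            if exponent is not None and exponent.text:
                rec["exponent"] = _b64_to_int(exponent.text)
        records.append(rec)
    return records


def federation_findings(records, min_bits=2048):
    """Flag constructs a registrar's tooling would reject or query.

    min_bits is an assumed local policy threshold, not a federation rule."""
    findings = []
    for rec in records:
        if rec["form"] == "RSAKeyValue":
            findings.append(f"{rec['use']}: bare RSAKeyValue; wrap the key in a "
                            "long-lived self-signed X.509 certificate")
        elif rec["form"] == "unknown":
            findings.append(f"{rec['use']}: no X509Certificate or RSAKeyValue found")
        if rec["bits"] is not None and rec["bits"] < min_bits:
            findings.append(f"{rec['use']}: {rec['bits']}-bit RSA modulus is "
                            f"below {min_bits} bits")
    return findings


if __name__ == "__main__":
    recs = classify_key_descriptors(SAMPLE_METADATA)
    for r in recs:
        print(r)
    for line in federation_findings(recs):
        print("FINDING:", line)
```

To run it against real metadata, replace SAMPLE_METADATA with the file contents; the script only reads the XML and never loads the key into anything, so it is safe to run before the metadata goes near a live IdP.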