On 4 Aug 2014, at 10:27, Mark Cairney <[log in to unmask]> wrote:
> It mostly looks fine however it doesn't appear to have an x509 certificate embedded but instead has an "RSAKeyValue" stanza with a Modulus (173 chars) and an Exponent (4 chars).
The X.509 certificate you see in UK federation metadata is simply a wrapper for an RSA public key; RSAKeyValue is an alternative (and shorter) representation of that same public key without the wrapper. So it's equivalent but my suspicion is that not all SAML implementations would actually process the public key in this form.
> 1. Can I trust this? I'm being mildly paranoid as they've also asked me to release "uid" to this SP.
There's nothing inherently untrustworthy about this, it's just (as you point out) extremely unusual. If you're getting the metadata from a trusted source, your real concern is whether this unusual construct will be processed correctly by your SAML implementation. For that, I suggest you suck it and see.
> 2. In it's current form would a metadata file generated in this manner be admissable to the UK Federation?
No, we wouldn't accept that. Our tooling currently assumes that RSA public keys are wrapped in X.509 certificates. If metadata like that was submitted, we would ask for the RSAKeyValue to be replaced by a long-lived self-signed certificate.
-- Ian @hat='UKfederation'