Hi Bernard,

The Shibboleth server public certificate configured in the IdP config is used to verify the signature of SAML responses coming from Shibboleth.

When configuring WSO2 as an SP in Shibboleth, you need to give the WSO2 server's public certificate (in wso2carbon.jks). If you have enabled assertion encryption, then the Shibboleth server will encrypt the SAML assertions using this WSO2 public key. The WSO2 server will decrypt assertions using its private key in wso2carbon.jks.

Hope this clarifies your query.

On Wed, Jan 15, 2020 at 22:24, Bernard Paris <[email protected]> wrote:
> Hello,
>
> I understood that the certificate defined in the 'Identity Provider Public Certificate' is the *public* Shibboleth certificate needed to decrypt the incoming SAML responses.
>
> It was automatically set when I loaded the Shibboleth metadata.xml file under "SAML2 Web SSO Configuration" > Metadata File Configuration.
>
> On the opposite, what I need is to give (where?) my certificate with *public AND private* keys in order to sign/encrypt the SAML requests.
>
> Am I wrong?
> Bernard
>
> On 15 Jan 2020 at 17:23, Sathya Bandara <[email protected]> wrote:
>
> Hi Bernard,
>
> You can upload the certificate into the 'Identity Provider Public Certificate' which is available under the 'Basic Information' section of the Identity Provider configuration.
>
> Thanks,
>
> On Wed, Jan 15, 2020 at 8:19 PM Bernard Paris <[email protected]> wrote:
>
>> Hi devs,
>>
>> We want to use Shibboleth as an identity provider for API Manager v3. In the Carbon console, via the IdP list, we have added an IdP entry, then under the "Federated Authenticators section and the SAML2 Web SSO Configuration section" we have configured our Shibboleth as identity provider.
>>
>> This IdP entry will behave as an SP for Shibboleth. Since we want assertion encryption and signing, I understand this "SP-like" entry needs a private/public key in a certificate to do so. I've made a self-signed certificate for this, and its public key has been given to Shibboleth in the metadata file (XML path: /EntityDescriptor/SPSSODescriptor/KeyDescriptor/KeyInfo/X509Data/X509Certificate).
>>
>> Now my question is: "where am I to specify this certificate in my "Federated Authenticators section and the SAML2 Web SSO Configuration section"?"
>>
>> I didn't find any field for that in the "SAML2 Web SSO Configuration section". Unless this encryption use must only use the APIM server certificate in wso2carbon.jks?
>>
>> Hope my understanding is correct.
>> Thanks for any help.
>>
>> Regards,
>> Bernard
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Sathya Bandara
> Senior Software Engineer
> Blog: https://medium.com/@technospace
> WSO2 Inc.
> http://wso2.com
> Mobile: (+94) 715 360 421

--
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc.
http://wso2.com
Mobile: (+94) 715 360 421
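A check that follows from the thread above, added here as an example and not part of the original mail thread or of WSO2's code: it parses SP metadata of the kind Bernard exported, reads each KeyDescriptor certificate from the XML path he cites (SPSSODescriptor/KeyDescriptor/KeyInfo/X509Data/X509Certificate), and compares its SHA-256 fingerprint with the certificate exported from wso2carbon.jks (for example with `keytool -exportcert -rfc`), so you can confirm that the key Shibboleth will encrypt assertions to is the one WSO2 holds the private key for. The metadata, the entityID and the certificate bytes are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour (as written by `keytool -exportcert -rfc`) and decode the DER body."""
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate (the value `keytool -list -v` prints)."""
    return hashlib.sha256(der).hexdigest()

def metadata_key_fingerprints(metadata_xml: str) -> dict:
    """Map each SP KeyDescriptor 'use' (signing / encryption / both) to its certificate fingerprint."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # a KeyDescriptor without a 'use' attribute advertises the key for both purposes
            result[kd.get("use", "both")] = fingerprint(base64.b64decode("".join(cert.text.split())))
    return result

def check_metadata_against_keystore(metadata_xml: str, keystore_cert_pem: str) -> dict:
    """True for every advertised key that equals the certificate exported from wso2carbon.jks."""
    ks_fp = fingerprint(pem_to_der(keystore_cert_pem))
    return {use: fp == ks_fp for use, fp in metadata_key_fingerprints(metadata_xml).items()}

# --- constructed sample data (stand-ins, not real certificates) ---
CERT_IN_JKS = b"constructed stand-in for the DER cert in wso2carbon.jks"
CERT_SELF_SIGNED = b"constructed stand-in for a separate self-signed cert"
def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()
SAMPLE_KEYSTORE_PEM = f"-----BEGIN CERTIFICATE-----\n{_b64(CERT_IN_JKS)}\n-----END CERTIFICATE-----\n"
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://apim.example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(CERT_IN_JKS)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(CERT_SELF_SIGNED)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # the encryption key matches the keystore; the signing key is a stray self-signed cert
    print(check_metadata_against_keystore(SAMPLE_SP_METADATA, SAMPLE_KEYSTORE_PEM))
```

A `False` entry is exactly the mismatch the thread describes: Shibboleth would encrypt to a certificate whose private key is not in wso2carbon.jks, so WSO2 could not decrypt the assertion.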
