Hi Bernard,

Shibboleth server public certificate configured in IDP config is used to
verify the signature of SAML responses coming from Shibboleth.

When configuring WSO2 as a SP in shibboleth, you need to give WSO2 server’s
public certificate (in wso2carbon.jks). If you have enabled assertion
encryption, then Shibboleth server will encrypt the SAML assertions using
this WSO2 public key. WSO2 server will decrypt assertions using its private
key in wso2carbon.jks.

Hope this clarifies your query.

On Wed, Jan 15, 2020 at 22:24, Bernard Paris <bernard.pa...@uclouvain.be>
wrote:

> Hello,
>
> I understood that the certificate defined  into the 'Identity Provider
> Public Certificate' is the *public*  shibboleth certificate needed to
> decrypt the incoming SAML responses.
>
> It was automatically set when I loaded the shibboleth metadata.xml file
> under " SAML2 Web SSO Configuration"  > Metadata File Configuration
>
> On the opposite what I need is to give (where ?)  my certificate with *public
> AND private *keys in order to sign/encrypt the SAML requests.
>
> Am I wrong ?
> Bernard
>
>
> Le 15 janv. 2020 à 17:23, Sathya Bandara <sat...@wso2.com> a écrit :
>
> Hi Bernard,
>
> You can upload the certificate into the 'Identity Provider Public
> Certificate' which is available under the 'Basic Information' section of
> Identity Provider configuration.
>
> Thanks,
>
> On Wed, Jan 15, 2020 at 8:19 PM Bernard Paris <bernard.pa...@uclouvain.be>
> wrote:
>
>> Hi devs,
>>
>> We want to use Shibboleth as an identity provider for API manager V.3.
>> In the carbon console, via the IdP list, we have added an IdP entry  then
>> under "Federated Authenticators section and the SAML2 Web SSO Configuration
>> section"  we have configured our Shibboleth as identity provider.
>>
>> This IdP entry will behave as an SP for shibboleth.  Since we want
>> Assertion Encryption and signing I understand this "SP like" needs a
>> private/public key in a certificate  to do so.  I've made a self-signed
>> certificate for this, and its public key has been be given to shibboleth in
>> the metadata file (xml path:
>> /EntityDescriptor/SPSSODescriptor/KeyDescriptor/KeyInfo/X509Data/X509Certificate).
>>
>>
>> Now my question is  "where am I to specify this certificate in my
>>  "Federated Authenticators section and the SAML2 Web SSO Configuration
>> section"  ?"
>>
>> I didn't find any field for that  in the "SAML2 Web SSO Configuration
>> section".
>> Unless this encryption use must only use the APIM server certificate in
>> wso2carbon.jks ?
>>
>> Hope my understand is correct, .
>> Thanks for any help.
>>
>> Regards,
>> Bernard
>>
>>
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwso2.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fdev&data=02%7C01%7Cbernard.paris%40uclouvain.be%7C1269b762893b41161cbb08d799d74ed5%7C7ab090d4fa2e4ecfbc7c4127b4d582ec%7C0%7C0%7C637147022330234415&sdata=Vxo0b7jIAoXGvgYiv1O1%2BGJuNa1IYHPxG5aihMPy9fM%3D&reserved=0>
>>
>
>
> --
> Sathya Bandara
> Senior Software Engineer
> Blog: https://medium.com/@technospace
> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmedium.com%2F%40technospace&data=02%7C01%7Cbernard.paris%40uclouvain.be%7C1269b762893b41161cbb08d799d74ed5%7C7ab090d4fa2e4ecfbc7c4127b4d582ec%7C0%7C0%7C637147022330244406&sdata=wHLUBQrufWOEGP1iHmj2Yom%2FyeKKS6BxnE2FXtzsv8I%3D&reserved=0>
> WSO2 Inc. http://wso2.com
> <https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwso2.com&data=02%7C01%7Cbernard.paris%40uclouvain.be%7C1269b762893b41161cbb08d799d74ed5%7C7ab090d4fa2e4ecfbc7c4127b4d582ec%7C0%7C0%7C637147022330244406&sdata=dP2aJ1PCQgi%2F4ZvPoXQ4QKDws8UhfItgodQEzy%2BfD38%3D&reserved=0>
> Mobile: (+94) 715 360 421
>
> <+94%2071%20411%205032>
>
>
> --
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

<+94%2071%20411%205032>
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

Reply via email to