
Obtaining a digital Certificate

Shibboleth uses SSL certificates for encryption, for authentication between the SP and the IdP, and for digitally signing assertions. The Service Provider uses SSL certificates for the following purposes:

SSL Server Keypair for Browser-Facing Services

This is a browser-facing keypair, and you are free to use any keypair you wish. A commercial certificate is often used to avoid browser warnings. How this keypair is configured depends on your web server; consult its documentation.

SSL Client Keypair for SAML Services

The SP sends SOAP requests to the IdP to query attributes. Shibboleth uses SSL to authenticate both ends, so the SP needs a keypair trusted by the IdP to prove its identity.
It could be the same as the SSL keypair described next.

In current versions, SSL client keypairs are configured in Shibboleth.xml in the <Credentials> element, where each potential keypair is assigned an Id. A further element points at the default TLS keypair to use and may contain child elements that override the keypair for particular IdPs.

XML Signing Keypair for SAML Requests

The SP can digitally sign the SAML requests it sends to the IdP. To support this, a keypair trusted by the IdPs is used; it can be, and usually is, the same as the TLS/SSL client keypair described above. It is configured in a similar manner in Shibboleth.xml.

This feature is not used very often, because SSL can be much faster than signing thanks to the session caching provided by most SSL libraries. It is also not yet fully supported by the IdP for all possible uses of client signing.

You may use the same SSL keypair for all of the needs above.

Certificates for testing

You may use the free certificates issued by Testshib. For details, see TestshibFederation.

Certificates for production

Commercial Certificates

You may use a commercial certificate issued by vendors such as Verisign, Thawte or other well-known providers. These certificates may be used for browser-facing services as well as for SAML services.

Once you are ready to move into production, you can follow this guide.

Federation certificates

Testshib is a test federation; the InCommon Federation is the equivalent for production use. InCommon has a standard policy of verifying certain things before issuing certificates. If you want to join InCommon, please contact the InCommon Administrator for UCLA.

Please note that we are not accepting self-signed certificates, wildcard certificates or UCCs (Unified Communications Certificates) at this point.
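As an added example (not part of this wiki page or of Shibboleth itself), the following POSIX shell script runs the three policy checks above against a PEM certificate with the openssl CLI, so a certificate can be checked before it is submitted to the federation. It assumes openssl is on the PATH, and it applies these working definitions: a certificate whose subject DN equals its issuer DN is treated as self-signed, any CN or subjectAltName entry containing `*` as a wildcard, and any subjectAltName DNS entry other than the subject CN as a multi-domain (UCC) certificate. The helper that generates throw-away self-signed certificates exists only so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-submission check of an SP
# certificate against the federation policy above. Assumes the openssl CLI.
#   self-signed : subject DN equals issuer DN
#   wildcard    : any name (CN or SAN) containing '*'
#   UCC         : any subjectAltName DNS entry other than the subject CN

# List the DNS names in the subjectAltName extension, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Extract the CN from the subject line; handles both the old "/CN="
# and the newer "CN = " output formats of openssl x509.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 if the certificate satisfies the policy, 1 otherwise.
# Every violated rule is reported on stdout.
check_sp_cert() {
    cert=$1; rc=0
    subj=$(openssl x509 -in "$cert" -noout -subject)
    iss=$(openssl x509 -in "$cert" -noout -issuer)
    # Strip the "subject=" / "issuer=" prefixes and compare the DNs.
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo "REJECT: self-signed certificate (subject equals issuer)"; rc=1
    fi
    cn=$(cert_cn "$cert")
    names=$(cert_dns_names "$cert")
    if printf '%s\n%s\n' "$cn" "$names" | grep -q '\*'; then
        echo "REJECT: wildcard name in CN or subjectAltName"; rc=1
    fi
    # Count distinct SAN names that are not simply the CN repeated.
    extra=$(printf '%s\n' $names | sort -u | grep -v -x -F -- "$cn" | grep -c .) || true
    if [ "$extra" -gt 0 ]; then
        echo "REJECT: multi-domain (UCC) certificate, $extra name(s) besides the CN"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cn passes the policy checks"
    return $rc
}

# Test helper (constructed data): build a throw-away self-signed certificate
# with the given CN and subjectAltName so the checks can be exercised offline.
make_self_signed() {   # $1 = output PEM, $2 = CN, $3 = SAN list ("DNS:a, DNS:b")
    tmp=$(mktemp -d)
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n[dn]\nCN = %s\n[ext]\nsubjectAltName = %s\n' "$2" "$3" > "$tmp/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$tmp/req.cnf" \
        -keyout "$tmp/key.pem" -out "$1" >/dev/null 2>&1
    rm -rf "$tmp"
}

# Usage: sh check_sp_cert.sh sp-cert.pem
if [ $# -gt 0 ]; then
    check_sp_cert "$1"
fi
```

The self-signed test only compares DNs; a certificate from a CA whose name happens to equal the subject would also be flagged, which is acceptable for a pre-submission sanity check since the federation administrator verifies the chain anyway.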
