Shibboleth Developers

[Walter Hoehn <>]

 wrote:

> as far as I can tell, siteName (which has the URI value described 
> above), only appears in the assertion posted by the HS as the  value 
> of the NameQualifier attribute of the NameIdentifier element.
>
> I don't know how the target uses this value......

It is used first to lookup the origin site entry from the site metadata 
and then might be used to construct a cert chain from information in 
trust.xml

> In a conversation earlier this week with Walter, when I asked about 
> the SHIRE's validation algorithm, he noted that it currently includes 
> this logic:
>
>     - get issuer value from the assertion
>
>     - ensure there is an OriginSite element in the sites file whose HS 
> element has this "name"
>
>     - ensure issuer name = CN value in the end-entity cert
>
>     - get site name (URI) from the OriginSite element
>
>     - using site name, retrieve "CA bundle" from trust file
>
>     - validate the signature on the assertion


I took another look at the source.  Here is a more complete description:

Check for recipient (which comes from the saml response, originally from 
the GET parameter) and receiver (which comes from the apache module 
configuration) match
Check for expiration
Get the "Site Name" out from the name qualifier in the authentication 
statement in the response
Get the "HS Name" out of the issuer field
Lookup the Origin Metadata based on the "site name"
Make sure the "HS Name" matches one listed for the site in the metadata
Pull certs out of the trust bundles that match "HS name"
Attempt to verify signature with each of these certs
If no certs were found in the last step, find the signing cert that was 
sent in the response
Make sure that the subject in this cert matches the "HS Name"
Attempt to verify the signature based on chains constructed from the 
trust bundles, queries based on "site name"

> > On the target side, in the sites.xml file, there can be a HS name:
> >
> >    <HandleService
> >      Location="https://shib.cac.washington.edu/shibboleth/HS";
> >      Name="shib.cac.washington.edu"/>
> >
> > where again I think the only purpose of the name is in the case where 
> > you
> > want to have a key specific to that HS in trust.xml, so you need to name
> > it as a Subject.  Yes?  Is there any other reason to have an HS Name?
Yes.  Even if you construct a cert chain based on lookups from the 
siteName, a check is still made to ensure that the subject in the 
signing cert being used is appropriate for the origin.

> Its my understanding that the issuer value (HS name) is used to 
> retrieve the associated OriginSite element; the siteName is retrieved 
> from that element, and siteName is then used to retrieve the CA-bundle 
> (which might be a key specific to that HS, or might be the set of CAs 
> trusted by InCommon).

The opposite.  The siteName is used as the key to the site information.

Hope this helps,
Walter

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

   http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--