shibboleth-dev - Re: shib certificate problem

Subject: Shibboleth Developers


Re: shib certificate problem


  • From: Nate Klingenstein <>
  • To:
  • Subject: Re: shib certificate problem
  • Date: Tue, 26 Aug 2003 18:55:20 +0000

John-Paul,

A URI can be either a URN (urn:blah:blahblah) or a URL (service://hostname/path). It's the broader bucket for each of those unique identifiers. A URN builds off a structured, registered namespace, and MACE has registered one, whereas a URL can be formed by anyone, leveraging the DNS system.

The sitename in Shibboleth is assigned by the federation and, to date, federations have used a namespace such as the one you quote below. Each federation is responsible for giving names to its constituent origin sites.

Hope this helps,
Nate.

On Tuesday, Aug 26, 2003, at 18:41 UTC, John-Paul Robinson wrote:

Thanks for the guidance. This got us underway and to a working shib
install! :)

We followed the second approach below and added the URI set as our origin
site name in the origin.properties. After that all we needed to do was
update the smartScope in resolver.xml to authorize access to the site.
We are now able to access our secure resource using shibboleth. :) :)

Now a naive question: could you shed some light on the URI syntax of the
site name? Is this a standard naming convention or just syntax magic?
I've always thought of URIs in the form of "service://hostname/path". Is
"urn:mace:inqueue" just a form of that?

Thanks again for all your help,

~jpr

On Tue, 26 Aug 2003, Scott Cantor wrote:

There are basically two options in the trust.xml file:

Use a KeyAuthority that matches the FQDN of the HS and stick in its actual
certificate (with its public key).

Use a KeyAuthority that matches the origin site name (that's a URI, not a
DNS name) and put in one or more CAs in a list to validate HS certs that
come from matching origins.

The sample file we include shows both approaches.

What's happening is that you're telling the SHIRE to validate the sig with a
cert directly, and probably putting a CA in there instead of the HS entity
cert.

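The two trust models Scott describes, and the misconfiguration he diagnoses, worked through as an added example that is not code from the thread or from Shibboleth itself. It assumes the `cryptography` package is installed; the hostnames, the origin site URN and the CA name are constructed for the demo. A throwaway federation CA and an HS certificate are generated in memory, a sample payload is signed with the HS key, and the signature is then checked once under a KeyAuthority keyed on the HS FQDN (the entity cert pinned directly) and once under a KeyAuthority keyed on the origin site URI (a CA list the presented HS cert must chain to). The last two checks show why pinning the CA cert under the FQDN entry fails, and how a BasicConstraints check would flag that mistake before deployment.

```python
"""Direct-cert versus CA-list trust for a signer, as described in the thread.

Constructed demo, not Shibboleth code: builds a throwaway CA and HS cert in
memory and evaluates one signature under both trust models.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Names below are constructed for the example (hypothetical federation).
HS_FQDN = "hs.example.edu"
ORIGIN_SITE = "urn:mace:example-federation:example.edu"
CA_NAME = "Example Federation CA"


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Minimal certificate; BasicConstraints distinguishes CA from entity certs."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def is_ca_cert(cert):
    """True when the cert asserts CA:TRUE, i.e. it is not an entity cert."""
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _verify(public_key, signature, data):
    try:
        public_key.verify(signature, data, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def verify_direct(pinned_cert, signature, data):
    """Option 1: KeyAuthority keyed on the HS FQDN holds the HS entity cert itself."""
    return _verify(pinned_cert.public_key(), signature, data)


def cert_issued_by(cert, ca_cert):
    """ca_cert must be a CA, match cert's issuer, and have signed cert's TBS bytes."""
    if cert.issuer != ca_cert.subject or not is_ca_cert(ca_cert):
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def verify_via_ca(ca_certs, presented_cert, signature, data):
    """Option 2: KeyAuthority keyed on the origin site URI holds CAs; the HS cert
    sent with the message must chain to one of them before its key is trusted."""
    if not any(cert_issued_by(presented_cert, ca) for ca in ca_certs):
        return False
    return _verify(presented_cert.public_key(), signature, data)


def demo():
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    hs_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = make_cert(CA_NAME, ca_key, CA_NAME, ca_key, is_ca=True)
    hs_cert = make_cert(HS_FQDN, hs_key, CA_NAME, ca_key, is_ca=False)

    message = b"<Assertion>constructed sample payload</Assertion>"
    signature = hs_key.sign(message, padding.PKCS1v15(), hashes.SHA256())

    # trust.xml-style table: FQDN -> entity cert, origin site URI -> CA list
    trust = {HS_FQDN: hs_cert, ORIGIN_SITE: [ca_cert]}
    # the misconfiguration from the thread: the CA cert under the FQDN entry
    mis_trust = {HS_FQDN: ca_cert}

    return {
        "direct_ok": verify_direct(trust[HS_FQDN], signature, message),
        "via_ca_ok": verify_via_ca(trust[ORIGIN_SITE], hs_cert, signature, message),
        "direct_with_ca_cert": verify_direct(mis_trust[HS_FQDN], signature, message),
        "pinned_cert_is_ca": is_ca_cert(mis_trust[HS_FQDN]),
        "via_ca_rejects_unchained": verify_via_ca([hs_cert], hs_cert, signature, message),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `pinned_cert_is_ca` check is the one worth wiring into a config linter: an entry keyed on a hostname whose certificate carries CA:TRUE is almost certainly the mistake described above, since a CA key never signs assertions and the direct check can only fail.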


