Shibboleth Developers

["Scott Cantor" <>]

> It makes sense for a lot of people to issue a single Certificate/Key to
> the IdP and use it for both the SSO and AA functions. It is somewhat
> scholastic to require that two statements in the same Reply be signed by 
> different certificates because they were issued from different roles.

We don't require that.

> Of course, one can simply put the same Certificate in two KeyInfo elements
> under the two Roles in the Metadata.

I'm afraid that's just how the schema is. I tried to get the TC to accept an
early draft that did a lot of "inheriting" of elements and then allowed
overrides, but they felt it was too complex. So KeyDescriptor is a role
item, not an entity item.

> If we agree that the algorithm runs
> Role based, I would expect that this is the way that the quickstart,
> checklist, and configuration examples would work.

Same key, you mean? Yes. Look at my example in c/configs/shibboleth.xml.in.

> The other approach works in all cases of proper use. If the algorithm were
> Entity based, then if a Role is configured with a Key and uses that Key
> its statements validate. It is just that certain "errors" don't 
> get caught, as when the SSO and AA have different keys but the SSO signs 
> both statements in an attribute push reply. My problem is that I don't see
> a benefit to catching these "errors". 

You're slightly off. With attribute push, the SSO "role" is the one being
used, not the AA. The AA is the role used for queries only.

-- Scott