shibboleth-dev - RE: Tomcat and certificate validation for SSL

  • From: "Howard Gilbert" <>
  • To: "'Chad La Joie'" <>, <>
  • Subject: RE: Tomcat and certificate validation for SSL
  • Date: Tue, 14 Jun 2005 11:17:59 -0400

I want to take back some of the things I said. Upon digging into Tomcat
source, I find that Tomcat builds its own custom version of this entire
structure. In particular, it creates an SSLContext with a TrustManager array
and KeyManager array. I will look at this code more carefully and come back
with anything I find about how/whether it might be nudged to accept Client
Certificates more flexibly. However, if Tomcat is playing deeply within
JSSE, then it is not reasonable for anyone else to try to also play in the
same space. So I will look for some not very well documented options, if
any.

> Not sure I follow this one. Are you suggesting the IdP not validate the
> certs against the metadata?

No, I am suggesting that they be validated by the Servlet from the Request
rather than being validated deep in the JSSE stack. I can do that from the
Client end, but do not believe it is reasonable to do from the Server end.
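One way to do the validation Howard describes at the servlet layer, added here as an example and not code from the message or the Shibboleth project: a servlet Filter reads the chain JSSE attached to the request and checks it with a PKIX path validation against anchors loaded from a keystore. It assumes the Tomcat connector uses clientAuth="want" so the handshake passes unknown client certificates through to the servlet, and the keystore path and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class ClientCertValidationFilter implements Filter {
    private final Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
    private final Set<X509Certificate> anchorCerts = new HashSet<X509Certificate>();
    public void init(FilterConfig cfg) throws ServletException {
        // Placeholder keystore path/password; it holds the issuer certs the IdP trusts.
        try (FileInputStream in = new FileInputStream("/path/to/trusted-issuers.jks")) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, "changeit".toCharArray());
            for (String alias : Collections.list(ks.aliases())) {
                if (!ks.isCertificateEntry(alias)) continue;
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                anchors.add(new TrustAnchor(c, null));
                anchorCerts.add(c);
            }
        } catch (Exception e) {
            throw new ServletException("cannot load trust anchors", e);
        }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Standard servlet attribute set by the container: certs[0] is the client cert, then its issuers.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        try {
            // PKIX validates the path up to (not including) an anchor, so drop the anchor if the client sent it.
            List<X509Certificate> path = new ArrayList<X509Certificate>();
            for (X509Certificate c : certs) if (!anchorCerts.contains(c)) path.add(c);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // assumption: no CRL store wired in here; keep revocation on in deployment
            CertPathValidator.getInstance("PKIX").validate(
                    CertificateFactory.getInstance("X.509").generateCertPath(path), params);
        } catch (GeneralSecurityException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        chain.doFilter(req, res);
    }
    public void destroy() {}
}
```

Mapping the filter to the IdP's protected paths in web.xml keeps the trust decision in the application, where it can consult metadata, while JSSE only proves the client holds the private key.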
