shibboleth-dev - RE: client certificate chains and 1.3 IdP

  • From: "Scott Cantor" <>
  • To: "'Ian Young'" <>, <>
  • Subject: RE: client certificate chains and 1.3 IdP
  • Date: Tue, 5 Jul 2005 17:39:02 -0400
  • Organization: The Ohio State University

> The situation is a 1.3 IdP talking to a 1.2.1 SP. The metadata is in
> the PKI style and contains a root CA only; from this comes a chain of
> intermediates before you get to the real certificates; the metadata
> doesn't include those. I am reasonably sure that the SP is pushing the
> intermediates to the IdP: I have logging turned up to the max, and I can
> see plausible things going by in the Apache logs implying that it sees a
> full certificate chain. Apache verifies the chain (this isn't
> conclusive, it may have access to some of the intermediate
> certificates).

Apache shouldn't be doing anything now. Just set optional_no_ca and apart
from some annoying path length checks, it doesn't do anything, just passes
what it got.

> The problem is that the IdP's internal verification of the same chain
> fails. Adding some logging to the IdP indicates that it sees only the
> end client certificate, not the rest of the chain. The intermediate
> certificates don't seem to be passed through to tomcat, in
> other words.

That would surprise me and suck. Sort of. Relying on the CA stuff for
anything harder than one level of issuance is probably asking for pain.

> Is anyone working with a combination like this (1.3 IdP, CA hierarchy,
> IdP knows about root only, SP pushes intermediates) and can report
> success? Or have any ideas as to what to blame?

I thought I tested this, but I'm probably out of 1.2 SPs to test. Maybe we
could have you test against Example State since bossie is a chain?

I can take bossie's intermediate out of the metadata there and we could try
it. If your SP doesn't send both or I don't get both, it won't validate....

-- Scott
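The failure mode discussed in this thread, reproduced with openssl as an added example (not part of the original message or of Shibboleth): a verifier that trusts only the root CA, as PKI-style metadata containing just the root does, can validate the SP's end-entity certificate only if the intermediate is presented alongside it. The CA hierarchy and names below are constructed for the example.

```shell
#!/bin/sh
# Added example: a verifier holding only the root CA can validate a leaf
# only when the intermediate CA certificate arrives with it. All names,
# keys and certificates here are constructed on the fly.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the constructed CA certificates and the client leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

mk_key_and_csr() {  # $1 = file basename, $2 = subject CN
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

# Three-level hierarchy: root CA -> intermediate CA -> SP client certificate.
mk_key_and_csr root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null
mk_key_and_csr inter "Example Intermediate CA"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null
mk_key_and_csr leaf "sp.example.edu"
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Case 1: only the end-entity certificate reaches the verifier (the IdP's
# situation in the thread). The trust anchor is the root alone, so no path
# from the leaf to the root can be built and verification fails.
verify_leaf_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Case 2: the peer pushes the intermediate with the leaf. The intermediate
# is supplied as untrusted: a path-building hint, not a trust anchor.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

if verify_leaf_only; then echo "leaf only: verified"; else echo "leaf only: FAILED (no path to root)"; fi
if verify_with_intermediate; then echo "leaf + intermediate: verified"; fi
```

The first check is what the IdP ends up doing when the intermediates are dropped between Apache and Tomcat; the second is what it needs to do, which is why the thread's diagnosis hinges on whether both certificates actually arrive.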
