
shibboleth-dev - testshib2 cert Q

Subject: Shibboleth Developers

  • From: Alistair Young <>
  • To:
  • Subject: testshib2 cert Q
  • Date: Mon, 31 Aug 2009 09:50:28 +0100

Hi folks,

I have a Q about testshib2 I hope you could help with. Registering an SP with a real cert, no intermediate, and with a self-signed cert all work fine. However, if the cert is signed by a dummy CA, even although the full cert chain is put on the wire by the SP, it always gets unknown_ca back. Is this how testshib works - only accepting self-signed or real certs?

There's nothing in the testshib log about the cert refusal and it goes through the attribute resolving process, though not sure whether that's due to the SSO - does it wait until an AA request before resolving attributes or does it do that during SSO?

Also, how best to represent the trust chain in the testshib metadata for a real cert with intermediates - do they all go in:
KeyDescriptor/KeyInfo/X509Data/
X509Certificate subject
X509Certificate intermediate
X509Certificate root

thanks,

Alistair


--------------
mov eax,1
mov ebx,0
int 80h



