| author | Scott Koranda <skoranda@gmail.com> | 2017-12-24 14:07:37 -0600 |
|---|---|---|
| committer | Scott Koranda <skoranda@gmail.com> | 2018-12-05 05:21:51 -0600 |
| commit | b6bf0fae4c735f2f0602b5fda2daeb0c30fa5683 (patch) | |
| tree | 3c81f0541d06ea0cade667b1a0afc9366af00be1 /docs/howto | |
| parent | 65b136e2c822d3b0e08e0b3c1dc121b6c7de646c (diff) | |
| download | pysaml2-b6bf0fae4c735f2f0602b5fda2daeb0c30fa5683.tar.gz | |
Enable signature verification for MDQ
Add functionality to allow configuration of signature verification for
metadata obtained using the MDQ protocol. Support is limited to checking
the signature of a response containing a single entity and not multiple
entities.
Diffstat (limited to 'docs/howto')
-rw-r--r-- | docs/howto/config.rst | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/docs/howto/config.rst b/docs/howto/config.rst index 274da303..de58ce99 100644 --- a/docs/howto/config.rst +++ b/docs/howto/config.rst @@ -183,8 +183,13 @@ the client key in an HTTPS session. metadata ^^^^^^^^ -Contains a list of places where metadata can be found. This can be either -a file accessible on the server the service runs on, or somewhere on the net.:: +Contains a list of places where metadata can be found. This can be + +* a local file accessible on the server the service runs on +* a remote URL serving aggregate metadata +* a metadata query protocol (MDQ) service URL + +For example:: "metadata" : { "local": [ @@ -195,13 +200,19 @@ a file accessible on the server the service runs on, or somewhere on the net.:: "url":"https://kalmar2.org/simplesaml/module.php/aggregator/?id=kalmarcentral2&set=saml2", "cert":"kalmar2.cert" }], + "mdq": [ + { + "url":"http://mdq.ukfederation.org.uk/", + "cert":"ukfederation-mdq.pem" + }], }, -The above configuration means that the service should read two local -metadata files, and on top of that load one from the net. To verify the -authenticity of the file downloaded from the net, the local copy of the -public key should be used. -This public key must be acquired by some out-of-band method. +The above configuration means that the service should read two aggregate local +metadata files, one aggregate metadata file from a remote server, and query a +remote MDQ server. To verify the authenticity of the metadata aggregate downloaded from the +remot server and the MDQ server local copies of the metadata signing certificates should be used. +These public keys must be acquired by some secure out-of-band method before being +placed on the local file system. organization ^^^^^^^^^^^^ |
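Review bot: the new bullet list under `metadata` (first hunk) names the three source kinds but says nothing about verification, which is what this change is about: a reader reaches the MDQ bullet without learning that an MDQ response is signature-checked against a locally stored certificate, or that, per the commit message, only responses containing a single entity are supported. Suggest extending the third bullet, e.g. `* a metadata query protocol (MDQ) service URL (responses are signature-checked against a local certificate; only single-entity responses are supported)`, so the limitation is documented next to the option rather than only in the commit message.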
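Review bot: the rewritten paragraph in the second hunk has a typo and a missing comma that make the verification sentence hard to parse: `remot server and the MDQ server local copies of the metadata signing certificates should be used` should read `remote server and the MDQ server, local copies of the metadata signing certificates should be used`. The same paragraph calls these files "signing certificates" in one sentence and `These public keys` in the next; pick one term, ideally matching the `cert` key used in the example. One more sentence would help operators: the example MDQ URL is plain `http://`, so the integrity of each fetched entity descriptor rests entirely on the signature check against `ukfederation-mdq.pem`, which is why the `cert` entry must be treated as required for `mdq` rather than optional.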