
technical-discuss - Re: [InC-Technical] Dual use versus separate keys for signing and encryption

Subject: InCommon Technical Discussions

  • From: Scott Koranda <>
  • To: "Cantor, Scott" <>
  • Cc: Nick Roy <>, "" <>
  • Subject: Re: [InC-Technical] Dual use versus separate keys for signing and encryption
  • Date: Fri, 6 Sep 2019 15:19:45 -0500

> On 9/6/19, 1:47 PM, "Nick Roy" < on
> behalf of > wrote:
>
> > Please let me know if you have thoughts about what we should be doing
> > with regards to allowing people to specify
> > separate key uses/upload multiple keys at once/etc.
>
> I would imagine that in most cases, you want to default an IdP to have one
> or more signing keys, and leave encryption as an after-step, so I wouldn't
> default to dual use.
>
> The SP is really just variable. Obviously Shibboleth generates
> separate keys now, but honestly what you really want to do depends on
> logout support, and I think if you're looking for a good default, it
> would be to encourage non-logout supporting SPs to only support
> encryption and default to that with no signing key. That prevents bad
> decisions from working without extra hassle, and people making bad
> choices don't spend extra time making things work. We don't want
> signing, so don't support it.

I don't object to sensible defaults that cover most use cases, but I
think it should be possible for an SP admin to publish both encryption
and signing certificates.

The particular use case I am thinking of is SPs that need to call out
to a SAML attribute authority (AA). It is, IMHO, easier to deploy and
operate at scale a SAML AA service when SPs authenticate by sending
signed requests rather than using client certificate authentication.
LIGO is still operating a SAML AA service in production in this mode.
As new Shibboleth SPs are spun up with unique signing and encryption
keys it will be helpful if the admins can publish both without having to
make a special request.

Thanks,

Scott K
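An added check, not code from this thread or from Shibboleth, that reads an SP's SAML metadata and classifies its KeyDescriptor declarations against the defaults discussed above (separate keys rather than dual use; a signing key only where logout or signed attribute-authority queries need it). The sample metadata, the placeholder certificate bodies and the `signs_aa_queries` flag are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata (standard URIs, not assumptions).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: an SP that publishes separate signing and encryption
# certificates. The certificate bodies are placeholders, not real keys.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def key_uses(entity_xml):
    """Count SP KeyDescriptor elements by declared use ('dual' = no use attribute)."""
    root = ET.fromstring(entity_xml)
    counts = {"signing": 0, "encryption": 0, "dual": 0}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        # Per the SAML metadata schema, a KeyDescriptor without 'use' is valid
        # for both signing and encryption, i.e. dual use.
        counts[use if use in ("signing", "encryption") else "dual"] += 1
    return counts

def review(entity_xml, signs_aa_queries=False):
    """Apply the thread's heuristics; signs_aa_queries marks an SP that sends
    signed queries to an attribute authority (the case raised in the reply)."""
    root = ET.fromstring(entity_xml)
    uses = key_uses(entity_xml)
    has_slo = root.find(".//md:SPSSODescriptor/md:SingleLogoutService", NS) is not None
    findings = []
    if uses["dual"]:
        findings.append("dual-use KeyDescriptor: publish separate signing and encryption keys")
    if uses["signing"] and not (has_slo or signs_aa_queries):
        findings.append("signing key published but no logout or AA use declared: encryption-only would do")
    if not uses["encryption"] and not uses["dual"]:
        findings.append("no encryption key published")
    return findings

if __name__ == "__main__":
    print(key_uses(SAMPLE_SP_METADATA))
    print(review(SAMPLE_SP_METADATA, signs_aa_queries=True))
```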


