How do I bypass key validation?


How do I bypass key validation?

Law, Bob

I am trying to bypass the behind-the-scenes key signature validation for many of the schools that will be using our SP. I think I have the problem traced to there being a key entry in the federation metadata, but no key info. As a result the signature validation for the SOAP message fails. How do I work around this? I don't want to have to go into Shibboleth and modify the code.


Robert Law
Software Engineer
Wolters Kluwer Health Medical Research

Lippincott, Williams & Wilkins
Ovid Technologies
9350 South 150 East, Suite 200
Sandy, UT 84070-2702

801.304.3327 tel
801.819.2592 cell

www.ovid.com

RE: How do I bypass key validation?

Cantor, Scott E.

Law, Robert wrote on 2009-06-18:
> I am trying to bypass the behind the scenes key signature validation for
> many of the schools that will be using our SP.

You can't disable it selectively. Take out the existing policy rule for XML
Signatures and add in a NullSecurity rule, and any assertion will be
accepted if it claims to be from a known IdP. It's for debugging, but it
will do what you're asking.

But you cannot just do it for "many" of them. It's either secured or not. If
you turn off security, the whole point is that anybody can claim to be
anybody.

> I think I have the problem
> traced to there being a key entry in the federation metadata, but no key
> info.

That is not a problem, that's handled by the PKIX TrustEngine. If you
disable PKIX validation, then it's quite definite that not including any key
in the metadata will fail, but you don't need to disable that TrustEngine.
Nothing we say or document would indicate to do this.

> As a result the signature validation for the soap message fails.  How
> do I work around this?  I don't want to have to go into shibboleth and
> modify the code.

The response to this, assuming you have both TrustEngines enabled, would be
to report the problem to the federation or to the IdPs involved.

I more or less said the same things yesterday. Since I'm apparently not able
to explain this adequately, hopefully Nate or someone more able will help
out.

-- Scott
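As an added illustration of the two configuration points Scott raises above (the XML Signature policy rule that would be swapped for NullSecurity, and the chaining TrustEngine that lets PKIX cover an IdP whose metadata carries no key), here is a trimmed shibboleth2.xml for an SP 2.x deployment. This is not configuration posted by either participant, nor the Shibboleth project's shipped default file; the element and attribute names follow the SP 2.x configuration schema as recalled and should be checked against the version actually deployed, the entityID is a placeholder, and the policy id `unsigned-debug` is an invented name.

```xml
<!-- Trimmed shibboleth2.xml (Shibboleth SP 2.x). Added example for this thread,
     not configuration from the posters or from the project's default file.
     Element names as recalled from the SP 2.x schema: verify against your copy. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

  <!-- policyId selects ONE policy for every IdP this application talks to.
       There is no per-IdP switch, which is the point made in the reply. -->
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       policyId="default">

    <!-- Both trust engines enabled, as the reply assumes.
         ExplicitKey: the signing key must match a key published in the IdP's metadata.
         PKIX: the signing certificate must chain to the federation's trust roots.
         A KeyDescriptor with no KeyInfo therefore fails ExplicitKey but can still
         pass PKIX; only if PKIX were removed would that metadata be fatal. -->
    <TrustEngine type="Chaining">
      <TrustEngine type="ExplicitKey"/>
      <TrustEngine type="PKIX"/>
    </TrustEngine>

  </ApplicationDefaults>

  <SecurityPolicies>

    <!-- Production policy: inbound messages and assertions must carry a
         signature that one of the trust engines can validate. -->
    <Policy id="default" validate="false">
      <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
      <PolicyRule type="ClientCertAuth" errorFatal="true"/>
      <PolicyRule type="XMLSigning" errorFatal="true"/>
      <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>

    <!-- Debug-only policy (invented id): the signature rules are replaced by
         NullSecurity, which accepts any message that merely claims to come from
         an IdP present in the metadata. Anybody can then claim to be anybody.
         Select it by pointing policyId at it; never leave it in place. -->
    <Policy id="unsigned-debug" validate="false">
      <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
      <PolicyRule type="NullSecurity"/>
    </Policy>

  </SecurityPolicies>

</SPConfig>
```

Whichever policy `policyId` names applies to every IdP the application exchanges messages with, so the "only for many of them" request cannot be expressed here. With both engines inside the Chaining TrustEngine, an IdP whose KeyDescriptor has no KeyInfo is still validated through PKIX, which is why the reply treats the remaining signature failure as something to report to the federation or the IdP rather than something to configure around.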