Is SAML SP supported with HSM?

athukral
Hi,

For a SAML service provider there is an option to configure the key (private key) and certificate as part of the CredentialResolver in shibboleth2.xml.
For HSM (Hardware Security Module) based systems, private keys are stored on a different system.
Does Shibboleth support picking up the key from an HSM store?
If yes, what configuration change is required in shibboleth2.xml for it to pick up the private key (or equivalent) from the HSM store instead of the local box?

Regards,
Amit 

On Tue, Jul 30, 2019 at 9:30 PM <[hidden email]> wrote:

----------------------------------------------------------------------

Message: 1
Date: Tue, 30 Jul 2019 10:10:07 +0100
From: Alan Buxey <[hidden email]>
To: Shib Dev <[hidden email]>
Subject: Re: How do I use. Some documentation is available?
Message-ID:
        <CAObj+SUHNiK-q7wjWi3CrZ74+4LJgEv==[hidden email]>
Content-Type: text/plain; charset="utf-8"

hi,

> 1. Can I use Shibboleth IDP as a commercial SSO provider?
yes - but consider contributing to the project

> 2. Can I clone the IDP server code locally and debug, build and
> deploy my own? If yes, please hint at the IDP server code repository.
https://wiki.shibboleth.net/confluence/display/DEV/Source+Code+Access

> 3. A few of our customers are using Okta, so can we replace Okta with
> Shibboleth IDP?
probably. I don't know what you are doing with Okta or how you are using it.

> 4. Is any sample SP given to test the IDP server, with configuration
> details?
you can run up your own local one using the SP product or use one of the
several public SAML testing points
(eg https://samltest.id/)

> 5. How do we manage the users and their sessions? Is it in a DB or in
> memory?
>
either (as per the docs)

alan

------------------------------

Message: 2
Date: Tue, 30 Jul 2019 10:10:48 +0100
From: Alan Buxey <[hidden email]>
To: Shib Dev <[hidden email]>
Subject: Re: How do I use. Some documentation is available?
Message-ID:
        <CAObj+SVRuL9KFR6ZOog-HYfq-jzWbpaZRu-2kKdZ=[hidden email]>
Content-Type: text/plain; charset="UTF-8"

...and these really aren't dev-related questions. Please use the users
mailing list

alan


------------------------------

Message: 3
Date: Tue, 30 Jul 2019 09:19:47 +0000
From: "K, Amit (MIND)" <[hidden email]>
To: Shib Dev <[hidden email]>
Subject: RE: How do I use. Some documentation is available?
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="us-ascii"

Ohh... my mistake... I will keep it in mind from next time.
BTW, thanks for the support.

--
To unsubscribe from this list send an email to [hidden email]




Re: Is SAML SP supported with HSM?

Cantor, Scott E.
On 8/2/19, 5:43 AM, "dev on behalf of Amit Thukral" <[hidden email] on behalf of [hidden email]> wrote:

> Does shibboleth support the key to be picked up from another HSM store?

No. OpenSSL does but I don't think the combinations of libraries involved would "just work" trying to use the engine support in it without substantial work. And keys are not "picked up" from a store, they don't leave it. The crypto itself has to be running on the HSM. Much of Santuario would need work for this to be possible.

-- Scott
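As an added example (not code from the thread or from the Shibboleth project): since the File CredentialResolver Amit describes keeps the SP private key on the local box, which is exactly what Scott's reply says an HSM would avoid, this script parses a constructed shibboleth2.xml fragment, finds every File resolver (including those nested under a Chaining resolver) and reports whether each key exists and is readable only by its owner. The namespace and the type/use/key/certificate attributes are real SP 3 syntax; the entityID, file paths and key contents are assumptions.

```python
# Added example: audit the File-type CredentialResolver keys in a Shibboleth SP shibboleth2.xml.
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: a Chaining resolver with separate signing and encryption credentials.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <CredentialResolver type="Chaining">
      <CredentialResolver type="File" use="signing" key="{keydir}/sp-signing-key.pem" certificate="{keydir}/sp-signing-cert.pem"/>
      <CredentialResolver type="File" use="encryption" key="{keydir}/sp-encrypt-key.pem" certificate="{keydir}/sp-encrypt-cert.pem"/>
    </CredentialResolver>
  </ApplicationDefaults>
</SPConfig>"""

def local_name(tag):
    """Drop the XML namespace so SP 2.x and 3.x configs are handled alike."""
    return tag.rsplit('}', 1)[-1]

def file_resolvers(xml_text):
    """Yield (use, key, certificate) for every File-type CredentialResolver, nested or not."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if local_name(el.tag) == 'CredentialResolver' and el.get('type') == 'File':
            yield el.get('use', 'any'), el.get('key'), el.get('certificate')

def audit_keys(xml_text):
    """Map each configured key path to 'missing', 'group/other-readable' or 'ok'."""
    findings = {}
    for _use, key, _cert in file_resolvers(xml_text):
        if key is None or not os.path.isfile(key):
            findings[key] = 'missing'
        elif os.stat(key).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings[key] = 'group/other-readable'  # anyone else on the box can read the SP key
        else:
            findings[key] = 'ok'
    return findings

def demo():
    """Write one 0600 and one 0644 placeholder key into a temp dir and audit them, keyed by file name."""
    keydir = tempfile.mkdtemp()
    for name, mode in (('sp-signing-key.pem', 0o600), ('sp-encrypt-key.pem', 0o644)):
        path = os.path.join(keydir, name)
        with open(path, 'w') as f:
            f.write('CONSTRUCTED PLACEHOLDER, not a real key\n')
        os.chmod(path, mode)
    findings = audit_keys(SAMPLE_CONFIG.format(keydir=keydir))
    return {os.path.basename(k): v for k, v in findings.items()}
```

Run `demo()` against a real installation by pointing `audit_keys` at the contents of the live shibboleth2.xml instead of the constructed sample; the same namespace-agnostic match applies to SP 2.x files.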

