Re: SAML plugin - differentiate between encryption and signing certificate
Hi , Having a signing certificate different from the encryption certificate was a request from my IDP. So I created both seperately.(from the same private key) . I was a bit confused as to the role of the saml-sp-metadata.xml being generated by the saml plugin. The way I understand it now, is that is serves the purpose of helping the user to generate SP metadata from the Jenkins UI in order to forward the meta data to the IDP. It is not being used by the plugin 'at runtime'. Since I had already sent my SP meta-data prior to installing and configuring the SAML plugin, I wasn't required to do anything with the generated saml-sp-metadata.xml file. All I needed to do was set up a keystore with the proper private key (which in my case is the same for the encryption and signing certificate) Thanks for your time, Chris Op dinsdag 28 juli 2020 20:07:54 UTC+2 schreef Ivan Fernandez Calvo: > > Hi, > > The configuration only allows one certificate, this is used for singing > and encryption, so it is not possible to use two different certificates. > > El lunes, 27 de julio de 2020, 21:54:03 (UTC+2), Chris DW escribió: >> >> Hi , >> >> When setting up the Jenkins SAML plugin, is it possible to configure two >> different certificates (generated from the same private key) for signing >> and encryption? >> The plugin seems to allow to configure just one key alias from one >> keystore. ( >> https://github.com/jenkinsci/saml-plugin/blob/master/doc/CONFIGURE.md) >> I'ml looking to configure >> alias 1 = private key A + signing certificate chain C1 >> alias 2 = private key A+ encryption certificate chain C2 >> >> When enabling option 'Auth Request Signature' to enable the signature >> of the Redirect Binding Auth Request, I can see two key descriptors being >> written to the saml-sp-metadata.xml file: >> >> >> http://www.w3.org/2000/09/xmldsig#";> >> >> ... >> >> and >> >> >> http://www.w3.org/2000/09/xmldsig#";> >> >> ... >> >> This leads me to believe that a setup with different sign and encryption >> certs is a possibility. >> I've tried to configure the correct values for my setup directly in the >> saml-sp-metadata.xml file, but the file gets overwritten on each login >> attempt. >> >> Does the current implementation of the saml plugin dictate the encryption >> and signing cert to be the same and if not, how do I configure these? >> >> Kind regards, >> Chris >> > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/cd77a6d8-9db8-44d0-bac9-0bdf7a0d5952o%40googlegroups.com.
Re: SAML plugin - differentiate between encryption and signing certificate
Hi, The configuration only allows one certificate, this is used for singing and encryption, so it is not possible to use two different certificates. El lunes, 27 de julio de 2020, 21:54:03 (UTC+2), Chris DW escribió: > > Hi , > > When setting up the Jenkins SAML plugin, is it possible to configure two > different certificates (generated from the same private key) for signing > and encryption? > The plugin seems to allow to configure just one key alias from one > keystore. ( > https://github.com/jenkinsci/saml-plugin/blob/master/doc/CONFIGURE.md) > I'ml looking to configure > alias 1 = private key A + signing certificate chain C1 > alias 2 = private key A+ encryption certificate chain C2 > > When enabling option 'Auth Request Signature' to enable the signature of > the Redirect Binding Auth Request, I can see two key descriptors being > written to the saml-sp-metadata.xml file: > > > http://www.w3.org/2000/09/xmldsig#";> > > ... > > and > > > http://www.w3.org/2000/09/xmldsig#";> > > ... > > This leads me to believe that a setup with different sign and encryption > certs is a possibility. > I've tried to configure the correct values for my setup directly in the > saml-sp-metadata.xml file, but the file gets overwritten on each login > attempt. > > Does the current implementation of the saml plugin dictate the encryption > and signing cert to be the same and if not, how do I configure these? > > Kind regards, > Chris > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/b189b9e7-5429-4fa1-9f6d-a72564f8a352o%40googlegroups.com.
SAML plugin - differentiate between encryption and signing certificate
Hi , When setting up the Jenkins SAML plugin, is it possible to configure two different certificates (generated from the same private key) for signing and encryption? The plugin seems to allow to configure just one key alias from one keystore. ( https://github.com/jenkinsci/saml-plugin/blob/master/doc/CONFIGURE.md) I'ml looking to configure alias 1 = private key A + signing certificate chain C1 alias 2 = private key A+ encryption certificate chain C2 When enabling option 'Auth Request Signature' to enable the signature of the Redirect Binding Auth Request, I can see two key descriptors being written to the saml-sp-metadata.xml file: http://www.w3.org/2000/09/xmldsig#";> ... and http://www.w3.org/2000/09/xmldsig#";> ... This leads me to believe that a setup with different sign and encryption certs is a possibility. I've tried to configure the correct values for my setup directly in the saml-sp-metadata.xml file, but the file gets overwritten on each login attempt. Does the current implementation of the saml plugin dictate the encryption and signing cert to be the same and if not, how do I configure these? Kind regards, Chris -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/3568ffcd-e1d7-43d8-9a42-69d4d4359a5co%40googlegroups.com.