
Installer doesn't honor input entityID in creating URI subject alt names in self-signed credential certs


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.1.0
    • Component/s: Installer
    • Labels:
      None

      Description

      When installing I specified a non-default hostname and entityID:

      ...snip...
      
      Hostname: [lnx1-test.uis.georgetown.edu]
      idp.test.middleware.georgetown.edu
      SAML EntityID: [https://idp.test.middleware.georgetown.edu/idp/shibboleth]
      https://idp3.test.middleware.georgetown.edu/idp/shibboleth
      
      ...snip...
      
      Generating Signing Key, CN = idp.test.middleware.georgetown.edu URI = https://idp.test.middleware.georgetown.edu/idp/shibboleth ...
      ...done
      Creating Encryption Key, CN = idp.test.middleware.georgetown.edu URI = https://idp.test.middleware.georgetown.edu/idp/shibboleth ...
      ...done
      Creating TLS keystore, CN = idp.test.middleware.georgetown.edu URI = https://idp.test.middleware.georgetown.edu/idp/shibboleth ...
      ...done
      Confirmed the output above is correct: the resulting self-signed certs (credentials/idp-signing.crt, credentials/idp-encryption.crt and credentials/idp-backchannel.crt) contain URI subject alt names which do not correspond to the entityID I entered. Output of 'openssl x509':

      X509v3 Subject Alternative Name: 
        DNS:idp.test.middleware.georgetown.edu,
        URI:https://idp.test.middleware.georgetown.edu/idp/shibboleth
      

      I presume the .p12 bundle is similarly affected, but didn't check that specifically.

      The entered entityID does make it successfully into conf/idp.properties, so I suspect it's just an issue with the cert generation.
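      The following is an added example (not the IdP installer's code and not part of this report) showing the check a deployer would want after running the installer: build a self-signed credential certificate with the same shape as the installer's (CN = hostname, SAN DNS = hostname, SAN URI = entityID), then verify that the URI SAN in the resulting certificate equals the idp.entityID value written to conf/idp.properties. The sample properties excerpt is constructed here; the property name idp.entityID is the real key used in idp.properties, everything else (function names, the ECDSA key choice, the 20-year validity) is an assumption of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// GenerateCredentialCert builds a self-signed certificate shaped like the
// installer's signing/encryption/back-channel credentials: CN = hostname,
// SAN DNS = hostname, SAN URI = entityID. Returns the certificate as DER.
func GenerateCredentialCert(hostname, entityID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	entityURI, err := url.Parse(entityID)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(20, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		DNSNames:     []string{hostname},
		URIs:         []*url.URL{entityURI},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// EntityIDFromProperties returns the idp.entityID value from the text of
// conf/idp.properties (Java properties syntax: key = value, '#' comments).
func EntityIDFromProperties(props string) (string, error) {
	for _, line := range strings.Split(props, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if ok && strings.TrimSpace(key) == "idp.entityID" {
			return strings.TrimSpace(value), nil
		}
	}
	return "", errors.New("idp.entityID not found in properties")
}

// CheckCredentialCert parses a DER certificate and reports every way its
// subject and subjectAltName disagree with the configured hostname/entityID.
func CheckCredentialCert(der []byte, hostname, entityID string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	var problems []string
	if cert.Subject.CommonName != hostname {
		problems = append(problems, "CN "+cert.Subject.CommonName+" != hostname "+hostname)
	}
	if !contains(cert.DNSNames, hostname) {
		problems = append(problems, "no DNS SAN equals hostname "+hostname)
	}
	var uris []string
	for _, u := range cert.URIs {
		uris = append(uris, u.String())
	}
	if !contains(uris, entityID) {
		problems = append(problems, fmt.Sprintf("no URI SAN equals entityID %s (found %v)", entityID, uris))
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

func main() {
	hostname := "idp.test.middleware.georgetown.edu"
	// Constructed idp.properties excerpt carrying the entityID the operator entered.
	props := "# constructed excerpt\nidp.entityID = https://idp3.test.middleware.georgetown.edu/idp/shibboleth\n"
	entityID, err := EntityIDFromProperties(props)
	if err != nil {
		panic(err)
	}
	// The second SAN URI reproduces the reported defect: derived from the hostname, not the entered entityID.
	for _, sanURI := range []string{entityID, "https://" + hostname + "/idp/shibboleth"} {
		der, err := GenerateCredentialCert(hostname, sanURI)
		if err != nil {
			panic(err)
		}
		if err := CheckCredentialCert(der, hostname, entityID); err != nil {
			fmt.Println("MISMATCH:", err)
		} else {
			fmt.Println("OK: credential cert matches configured entityID")
		}
	}
}
```

      Running it prints one OK line for the certificate whose URI SAN equals the configured entityID and one MISMATCH line for the certificate built the way the installer did here; pointing CheckCredentialCert at the DER of credentials/idp-signing.crt, idp-encryption.crt and idp-backchannel.crt (after PEM decoding) gives the same post-install check against a real deployment.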


            People

            Assignee:
            rdw@iay.org.uk Rod Widdowson
            Reporter:
            putmanb@shibboleth.net Brent Putman
             Watchers:
             2


             Time Tracking

             Estimated:
             Not Specified
             Remaining:
             0m
             Logged:
             30m