Auto-Rotating Certificate from IdP #155
Is there any information on configuring mod_auth_mellon to use an auto-rotating certificate provided by the IdP? From what I can tell, mellon can use custom certs, but they need to be in a flat file and both the CRT and KEY are needed.
Replies: 2 comments
OK. I've learned that I need to extract the cert from the IdP metadata. It's the In the past, I've used the combination of:
Now, since I have to use the IdP's cert, I have:
The auto-created mellon metadata with these settings does not have anything for Do I need to put another directive in my apache config? How do I get mellon to complete the SAML communication when using the IdP's cert?
OK.
The MellonIdPCAFile directive is a red herring.
If the IdP metadata has the <ds:X509Certificate> tag, then the config can remain:
    MellonSPMetadataFile
    MellonSPPrivateKeyFile
    MellonSPCertFile
    MellonIdPMetadataFile
The MellonSPPrivateKeyFile/MellonSPCertFile pair can be anything, including a self-signed cert. This cert is not used; it's only needed as a placeholder so mellon can initialize without complaining there's an error with the key file.
When you do use a public cert from the IdP metadata, your application must successfully authenticate, or else lasso incorrectly throws error -201, which is saying that the IdP EntityID is bad.
So, make sure whichever attributes your apache con…
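The reply above says mellon takes the IdP certificate from the <ds:X509Certificate> element of the IdP metadata file, so an auto-rotating IdP key only keeps working as long as the metadata mellon reads stays current. The script below is an added example, not code from mod_auth_mellon, lasso, or anyone in this discussion: it parses an IdP metadata document with the Python standard library, lists every published certificate with its intended use and SHA-256 fingerprint, and diffs two snapshots so a changed signing certificate is noticed before it shows up as a failed login. The metadata, entityID and certificate bodies are constructed for the example (the "certificates" are placeholder bytes, not real DER); the fake_der, fingerprint, parse_idp_certs, signing_fingerprints and rotation_diff names are this example's own.

```python
"""Added example: inventory and diff the certificates an IdP publishes in its
SAML metadata (the place mellon reads the IdP cert from, per the reply above).
Not code from mod_auth_mellon; sample data is constructed."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fake_der(label):
    """Constructed stand-in for a DER-encoded certificate (NOT a real cert)."""
    return ("PLACEHOLDER-DER:" + label).encode()


def _b64(label):
    return base64.b64encode(fake_der(label)).decode()


# Constructed sample: an IdP mid-rollover publishes the old and new signing
# keys side by side. A KeyDescriptor with no "use" attribute is valid for
# both signing and encryption under the SAML metadata spec.
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {_b64("old-signing")}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{_b64("new-signing")}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{_b64("dual-use")}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der):
    """SHA-256 over the DER bytes, the usual value to pin or compare."""
    return hashlib.sha256(der).hexdigest()


def to_pem(b64):
    """Wrap the base64 body as PEM, the form openssl and mellon files use."""
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_certs(metadata_xml):
    """One record per certificate published under IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    records = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")
        for cert_el in kd.findall(".//ds:X509Certificate", NS):
            # Metadata base64 is usually wrapped and indented; drop whitespace.
            b64 = "".join((cert_el.text or "").split())
            der = base64.b64decode(b64, validate=True)
            records.append({
                "entity_id": entity_id,
                "use": use,
                "sha256": fingerprint(der),
                "pem": to_pem(b64),
            })
    return records


def signing_fingerprints(records):
    """Fingerprints of certs the IdP may sign assertions with."""
    return sorted(r["sha256"] for r in records
                  if r["use"] in ("signing", "signing+encryption"))


def rotation_diff(before, after):
    """(added, removed) signing fingerprints between two metadata snapshots."""
    old = set(signing_fingerprints(before))
    new = set(signing_fingerprints(after))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for r in parse_idp_certs(SAMPLE_METADATA):
        print(r["entity_id"], r["use"], r["sha256"])
```

Run this against the file named by MellonIdPMetadataFile after each metadata refresh and alert when rotation_diff reports a removed signing fingerprint, since that is the moment an assertion signed with a key mellon no longer trusts will start failing. The SP pair the reply calls a placeholder can be produced with an ordinary self-signed certificate, for example openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=sp-placeholder' -keyout sp.key -out sp.crt, with MellonSPPrivateKeyFile and MellonSPCertFile pointed at the two files.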