SAML plugin - differentiate between encryption and signing certificate

SAML plugin - differentiate between encryption and signing certificate

de_wel@hotmail.com
Hi,

When setting up the Jenkins SAML plugin, is it possible to configure two different certificates (generated from the same private key) for signing and encryption?
The plugin seems to allow configuring just one key alias from one keystore. (https://github.com/jenkinsci/saml-plugin/blob/master/doc/CONFIGURE.md)
I'm looking to configure
alias 1 = private key A + signing certificate chain C1
alias 2 = private key A + encryption certificate chain C2

When enabling the option 'Auth Request Signature' to enable the signature of the Redirect Binding Auth Request, I can see two key descriptors being written to the saml-sp-metadata.xml file:

<md:KeyDescriptor use="encryption">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>...

and

<md:KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>...

This leads me to believe that a setup with different sign and encryption certs is a possibility.
I've tried to configure the correct values for my setup directly in the saml-sp-metadata.xml file, but the file gets overwritten on each login attempt. 

Does the current implementation of the SAML plugin dictate that the encryption and signing cert be the same, and if not, how do I configure these?

Kind regards, 
Chris

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/3568ffcd-e1d7-43d8-9a42-69d4d4359a5co%40googlegroups.com.
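An added check, not part of this thread or of the plugin's own code, that reads a saml-sp-metadata.xml shaped like the one quoted above and reports, per KeyDescriptor use, the SHA-256 fingerprint of the advertised certificate, so you can confirm whether the signing and encryption descriptors carry the same certificate before handing the metadata to the IdP. The metadata documents, entity ID and certificate blobs below are constructed stand-ins, not real certificates.

```python
"""Compare the certificates a SAML SP metadata file advertises for
signing and for encryption (added example, constructed sample data)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def key_descriptor_fingerprints(metadata_xml: str) -> dict:
    """Map each KeyDescriptor 'use' value to the set of SHA-256 fingerprints
    of the X509Certificate blobs it carries. A KeyDescriptor without a 'use'
    attribute is valid for both purposes in SAML metadata; it is keyed "any"."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        use = kd.get("use", "any")
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Base64 DER body, possibly line-wrapped: strip whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            result.setdefault(use, set()).add(hashlib.sha256(der).hexdigest())
    return result


def uses_separate_certs(metadata_xml: str) -> bool:
    """True only when signing and encryption descriptors are both present and
    share no certificate (what the original poster's IdP asked for)."""
    fps = key_descriptor_fingerprints(metadata_xml)
    signing = fps.get("signing", set()) | fps.get("any", set())
    encryption = fps.get("encryption", set()) | fps.get("any", set())
    return bool(signing and encryption) and signing.isdisjoint(encryption)


# Constructed stand-ins for certificate DER blobs; not real certificates.
CERT_A = base64.b64encode(b"constructed-certificate-A").decode()
CERT_B = base64.b64encode(b"constructed-certificate-B").decode()


def sample_metadata(signing_cert: str, encryption_cert: str) -> str:
    """Minimal SP metadata with one descriptor per use (constructed)."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://jenkins.example/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{encryption_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{signing_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, doc in (("one-cert", sample_metadata(CERT_A, CERT_A)),
                       ("split", sample_metadata(CERT_A, CERT_B))):
        print(label, key_descriptor_fingerprints(doc), uses_separate_certs(doc))
```

Point the parser at the plugin's generated file instead of `sample_metadata` to see what your Jenkins instance actually advertises; with the plugin's single-alias configuration both uses resolve to the same fingerprint.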

Re: SAML plugin - differentiate between encryption and signing certificate

Ivan Fernandez Calvo
Hi,

The configuration only allows one certificate; this is used for signing and encryption, so it is not possible to use two different certificates.

On Monday, 27 July 2020 at 21:54:03 (UTC+2), Chris DW wrote:

Re: SAML plugin - differentiate between encryption and signing certificate

de_wel@hotmail.com
Hi,

Having a signing certificate different from the encryption certificate was a request from my IDP.
So I created both separately (from the same private key).

I was a bit confused as to the role of the saml-sp-metadata.xml being generated by the SAML plugin.
The way I understand it now is that it serves the purpose of helping the user generate SP metadata from the Jenkins UI in order to forward the metadata to the IDP.
It is not being used by the plugin 'at runtime'.

Since I had already sent my SP metadata prior to installing and configuring the SAML plugin, I wasn't required to do anything with the generated saml-sp-metadata.xml file.
All I needed to do was set up a keystore with the proper private key (which in my case is the same for the encryption and signing certificate).

Thanks for your time, 

Chris


On Tuesday, 28 July 2020 at 20:07:54 UTC+2, Ivan Fernandez Calvo wrote: