Commit 83d559b

Merge pull request #615 from johnnyshields/improve-readme
One more README.md cleanup
2 parents 6b85084 + fe1eb50 commit 83d559b

1 file changed: +10 / -9 lines

README.md

Lines changed: 10 additions & 9 deletions
@@ -316,13 +316,17 @@ of using the fingerprint method. The fingerprint, is a hash, so at the end is op
316316
attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism,
317317
we maintain it for compatibility and also to be used on test environment.
318318
319-
In some scenarios the IdP uses different certificates for signing/encryption, or is under key
320-
rollover phase and more than one certificate is published on IdP metadata.
319+
## Handling Multiple IdP Certificates
321320
322-
In order to handle that Ruby SAML offers the `idp_cert_multi` parameter.
323-
When used, `idp_cert` and `idp_cert_fingerprint` values are ignored.
321+
If the IdP metadata XML includes multiple certificates, you may specify the `idp_cert_multi`
322+
parameter. When used, the `idp_cert` and `idp_cert_fingerprint` parameters are ignored.
323+
This is useful in the following scenarios:
324324
325-
The `idp_cert_multi` must be a Hash as follows:
325+
* The IdP uses different certificates for signing versus encryption.
326+
* The IdP is undergoing a key rollover and is publishing the old and new certificates in parallel.
327+
328+
The `idp_cert_multi` must be a `Hash` as follows. The `:signing` and `:encryption` arrays below,
329+
add the IdP X.509 public certificates which were published in the IdP metadata.
326330
327331
```ruby
328332
{
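Review bot: the last added sentence of this hunk has a stray comma and a dangling subject: "The `:signing` and `:encryption` arrays below, add the IdP X.509 public certificates which were published in the IdP metadata." reads as if the arrays do the adding. Suggest "In the `:signing` and `:encryption` arrays below, add the IdP X.509 public certificates published in the IdP metadata." Since the hunk keeps the statement that `idp_cert` and `idp_cert_fingerprint` are ignored whenever `idp_cert_multi` is set, the new section could also say plainly that `idp_cert_multi` is the way to avoid the fingerprint-based validation bypass concern described in the unchanged lines just above it. For the key-rollover bullet, it is worth adding one sentence telling the reader to remove the old certificate from `:signing` once the IdP has finished rotating, so that a retired key is not trusted indefinitely; the bullet currently only describes the parallel-publication phase.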
@@ -331,9 +335,6 @@ The `idp_cert_multi` must be a Hash as follows:
331335
}
332336
```
333337
334-
And on `:signing` and `:encryption` arrays, add the different IdP X.509 public certificates
335-
published on the IdP metadata.
336-
337338
## Metadata Based Configuration
338339
339340
The method above requires a little extra work to manually specify attributes about both the IdP and your SP application.
@@ -558,7 +559,7 @@ You can add `ValidUntil` and `CacheDuration` to the SP Metadata XML using instea
558559
559560
## Signing and Decryption
560561
561-
Ruby SAML supports the following signing and decryption functionality:
562+
Ruby SAML supports the following functionality:
562563
563564
1. Signing your SP Metadata XML
564565
2. Signing your SP SAML messages
