...
- Currently SHA256 signing is supported:
  - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 (preferred).
  - http://www.w3.org/2000/09/xmldsig#rsa-sha1 (do not use; not in use since 2018-10-10).
- The SP must provide the public RSA key required for verification of the signature out of band, preferably using SAML metadata.
- The key must be provided as an X.509 certificate in PEM format.
- Certificates should be self-signed and valid (= not expired).
- SURFconext retrieves only the public key from the certificate. No other validation is done.
- The public modulus of the RSA key must be 2048 or 4096 bits.
- SURFconext can register two trusted certificates per SP.
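As an added example, not part of the SURFconext documentation, the Go code below applies the rules above to an SP signing certificate and to a ds:SignatureMethod Algorithm URI, using only the standard library. The self-signed certificate it generates is constructed for the check itself, and the function names are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Only rsa-sha256 is accepted; rsa-sha1 has not been in use since 2018-10-10.
const acceptedSignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// CheckSignatureMethod rejects every SignatureMethod Algorithm URI except rsa-sha256.
func CheckSignatureMethod(uri string) error {
	if uri != acceptedSignatureMethod {
		return fmt.Errorf("signature method %q is not accepted", uri)
	}
	return nil
}

// CheckSigningCert applies the certificate rules: PEM-encoded X.509, valid at time now,
// RSA key with a 2048- or 4096-bit modulus. As with SURFconext, only the public key and
// validity period are inspected; there is no chain validation.
func CheckSigningCert(pemBytes []byte, now time.Time) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("input is not a PEM-encoded CERTIFICATE")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("cannot parse certificate: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate is expired or not yet valid at %s", now.Format(time.RFC3339))
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || (pub.N.BitLen() != 2048 && pub.N.BitLen() != 4096) {
		return fmt.Errorf("public key must be RSA with a 2048- or 4096-bit modulus")
	}
	return nil
}

// SelfSignedPEM generates a constructed self-signed certificate (hypothetical SP key) so
// the checks can run offline; a real SP supplies its own certificate via SAML metadata.
func SelfSignedPEM(bits int, notBefore, notAfter time.Time) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```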
...