SWITCHaai CA Acceptance Policy

Whenever a Shibboleth entity communicates with another entity, it first verifies the partners identity by means of an X.509 server certificate.

Such a certificate gets verified against the entities' embedded certificate in the SAML2 metadata. Until August 2012, SWITCHaai and AAI Test also had a list of accepted CA certificates in their metadata that allowed validating certificates only using the subject name and the trustchain up to the accepted CA certificate. However, this became deprecated when Service Providers and Identity Providers had to embed certificates in metadata for encrypting SAML assertions. Therefore, the accepted CA certificates were removed.

Instead on accepted CA certificates, SWITCHaai today relies on embedded certificates that meet the X.509 certificate requirements.