Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key. It is the linchpin of the security of most Shibboleth deployments: the keys, endpoints and roles asserted in the metadata are only as trustworthy as this check, so remote metadata consumed without it can be substituted by anyone able to tamper with the document in transit or at rest.
The "Sign and Expire" distribution model

In practice, a SignatureValidation filter and a RequiredValidUntil filter are often used together to securely obtain remote metadata via HTTP: the signature binds the document to its publisher, and the validUntil check bounds how long a stale copy of the metadata remains acceptable. See the FileBackedHTTPMetadataProvider and DynamicHTTPMetadataProvider topics for explicit configuration examples. Other distribution models are discussed in the TrustManagement topic.
There are four approaches to supplying a trust policy to the SignatureValidation filter:

- A pointer to a certificate file
- A reference to an externally defined TrustEngine bean
- An inline <PublicKey> element
- An inline <security:TrustEngine> element
Filter order is important!

In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance, because the signature covers the metadata exactly as published; a filter that modifies the document before the check runs will cause validation to fail. Examples of filters that alter the metadata include EntityAttributesFilter, EntityRoleFilter, NameIDFormatFilter, and PredicateMetadataFilter.
Pointer to a certificate file. requireSignedRoot="true" additionally requires that the signature be on the root element of the metadata document, not merely on some descendant:

```xml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
    certificateFile="${idp.home}/credentials/signer.pem"/>
```
Inline <PublicKey> element (the base64-encoded key is elided here):

```xml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <PublicKey>
        MIIBI.....
    </PublicKey>
</MetadataFilter>
```
Inline <security:TrustEngine> with a single explicitly trusted signing certificate:

```xml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>
```
Inline <security:TrustEngine> trusting either of two signing certificates (for example, across a publisher's signing-key rollover):

```xml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential_1" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer1.pem</security:Certificate>
        </security:Credential>
        <security:Credential id="SignerCredential_2" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer2.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>
```
Inline PKIX <security:TrustEngine>: the signing certificate must chain to the CA in vtmwca.pem and present the trusted name "shib":

```xml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="VTSignerTrustEngine" xsi:type="security:StaticPKIXSignature">
        <security:TrustedName>shib</security:TrustedName>
        <security:ValidationInfo id="VTPKIXValidationInfo" xsi:type="security:PKIXResourceBacked">
            <security:Certificate>${idp.home}/credentials/vtmwca.pem</security:Certificate>
        </security:ValidationInfo>
    </security:TrustEngine>
</MetadataFilter>
```
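The following is an added example, not part of the original page or the Shibboleth project's own documentation, tying the "Sign and Expire" model and the filter-ordering rule above together in one complete metadata-providers.xml. It shows a FileBackedHTTPMetadataProvider whose filter chain runs SignatureValidation first, then RequiredValidUntil, and only then a filter that alters the metadata (EntityRoleWhiteList, described in the EntityRoleFilter topic). The federation URL (https://md.example.org/federation-metadata.xml), the backing-file path, and the signer certificate file name federation-signer.pem are assumptions chosen for illustration; replace them with your federation's published values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not Shibboleth project documentation): a complete metadata-providers.xml
     demonstrating the "Sign and Expire" model with the filters in the required order.
     Federation URL, backing-file path and certificate file name are assumed placeholders. -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <!-- Remote federation aggregate, cached locally so the IdP keeps working if the
         metadata server is unreachable. The cached copy is still subject to every filter
         below on each reload, so a stale or tampered cache is rejected the same way. -->
    <MetadataProvider id="ExampleFederation" xsi:type="FileBackedHTTPMetadataProvider"
        metadataURL="https://md.example.org/federation-metadata.xml"
        backingFile="${idp.home}/metadata/federation-metadata.xml">

        <!-- 1. Sign: verify the publisher's signature over the whole document before anything
                else touches it. requireSignedRoot rejects documents where only some child
                EntityDescriptor is signed but the enclosing EntitiesDescriptor is not. -->
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="${idp.home}/credentials/federation-signer.pem"/>

        <!-- 2. Expire: reject metadata with no validUntil, or a validUntil more than 14 days
                out, so a captured copy cannot be served indefinitely. This filter only reads
                the document, so it may safely follow (or precede) SignatureValidation. -->
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

        <!-- 3. Only now alter the metadata: keep SP roles, drop everything else. Placing this
                ABOVE SignatureValidation would change the signed content before verification
                and make validation fail. -->
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>

</MetadataProvider>
```

The order of the first two filters is interchangeable because neither modifies the document; what must not move is the role filter (or any EntityAttributes, NameIDFormat or Predicate filter) ahead of SignatureValidation.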