Versions Compared

Old Version 8

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version 9

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Anchor
ex-uk-swiss
ex-uk-swiss

...

Load UK and Swiss Metadata

Contributed by: Chad La Joie, SWITCH, Switzerland

...

The following example demonstrates fetching how to fetch the InCommon Federation production metadata aggregate from a URL, storing store a back up copy locally, and ensuring ensure that the metadata is properly signed and has a reasonable validity period. This process is repeated every hour.

Expand
Show Example
Show Example
Code Block
xml
xml
<!-- Chaining metadata provider defined in the default IdP relying-party configuration file -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
  id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider">

  <!-- Refresh the InCommon production metadata aggregate every hour -->
  <MetadataProvider id="ICMD" xsi:type="FileBackedHTTPMetadataProvider"
                    xmlns="urn:mace:shibboleth:2.0:metadata"
             id="ICMD" xsi:type="FileBackedHTTPMetadataProvider" maxRefreshDelay="PT1H"     metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                    backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml"
                    maxRefreshDelay="PT1H">

    <!-- Use a chaining filter to allow multiple filters to be added -->
    <MetadataFilter xsi:type="ChainingFilter">

        <!--
          Require a validUntil XML attribute on the EntitiesDescriptor element
          and make sure its value is no more than 14 days into the future 
        -->
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />

        <!--
          Require the metadata to be signed and use the trust engine
          labeled id="ICTrust" to determine its trustworthiness
        -->
        <MetadataFilter xsi:type="SignatureValidation" 
                        trustEngineRef="ICTrust" requireSignedMetadata="true" />

        <!-- Consume all SP metadata in the aggregate -->
        <MetadataFilter xsi:type="EntityRoleWhiteList">
          <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
 
    </MetadataFilter>
  </MetadataProvider>

</MetadataProvider>

<!--

   This TrustEngine (beneath the Security Configuration section) is an 
   implementation of the Explicit Key Trust Model, that is, trust is
    based solely on the metadata signing key, not the certificate
    that contains that key.
-->
<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">

  <!--
    (https://spaces.internet2.edu/x/t43NAQ).
 
  To bootstrap the trust fabric of the federation, each relying party 
  obtains and configures an authentic copy of the federation operator’s 
  Metadata Signing Certificate (https://spaces.internet2.edu/x/moHFAg).
 
  Fetch the InCommon metadata signing certificate and check its integrity:
   
   $ /usr/bin/curl --silent http://md.incommon.org/certs/inc-md-cert.pem \
          | /usr/bin/tee /opt/shibboleth-idp/credentials/inc-md-cert.pem \
          | /usr/bin/openssl x509 -sha1 -noout -fingerprint
   
  SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
-->
 --><security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">

  <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate>
  </security:Credential>
</security:TrustEngine>