<!-- Chaining metadata provider defined in the default IdP relying-party configuration file -->
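<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata">

    <!--
        UK federation metadata.

        Provider ids must be unique within the file (the original used "URLMD" for
        both federations). The feed is fetched over plain HTTP, so the
        SignatureValidation filter below is the only integrity control on what is
        loaded: keep requireSignedMetadata="true" and do not remove the filter.
        An https:// metadataURL, if the federation publishes one, adds transport
        protection but does not replace the signature check. The backingFile is
        written by the IdP process and should be writable by that user only.
    -->
    <MetadataProvider id="UKFederationMD" xsi:type="FileBackedHTTPMetadataProvider"
                      metadataURL="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
                      backingFile="/opt/shibboleth-idp/metadata/ukfederation-metadata.xml">
        <!-- ChainingFilter so that more than one filter can be applied, in order. -->
        <MetadataFilter xsi:type="ChainingFilter">
            <!--
                Reject metadata whose validUntil lies more than one week
                (604800 seconds) in the future. The value is a plain number of
                seconds, matching the Swiss provider below; the earlier
                "604800P30D" was neither a seconds value nor a valid duration.
            -->
            <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="604800" />
            <!--
                Require a signature on the document and verify it against the
                UK federation signing certificate only (per-federation trust
                engine, see below).
            -->
            <MetadataFilter xsi:type="SignatureValidation"
                            trustEngineRef="shibboleth.UKFederationMetadataTrustEngine"
                            requireSignedMetadata="true" />
        </MetadataFilter>
    </MetadataProvider>

    <!--
        SWITCHaai (Swiss) federation metadata. Same controls as the UK provider:
        the signature check is the integrity control for the HTTP-fetched feed.
    -->
    <MetadataProvider id="SWITCHaaiMD" xsi:type="FileBackedHTTPMetadataProvider"
                      metadataURL="http://metadata.aai.switch.ch/metadata.switchaai.xml"
                      backingFile="/opt/shibboleth-idp/metadata/metadata.switchaai.xml">
        <MetadataFilter xsi:type="ChainingFilter">
            <!-- Reject metadata whose validUntil lies more than one week (604800 seconds) away. -->
            <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="604800" />
            <!-- Require a signature and verify it against the SWITCHaai signing certificate only. -->
            <MetadataFilter xsi:type="SignatureValidation"
                            trustEngineRef="shibboleth.SWITCHaaiMetadataTrustEngine"
                            requireSignedMetadata="true" />
        </MetadataFilter>
    </MetadataProvider>
</MetadataProvider>

<!--
    One trust engine per federation, each holding only that federation's
    metadata signing certificate.

    The previous configuration put both certificates into a single
    "shibboleth.MetadataTrustEngine" that both providers referenced. With
    StaticExplicitKeySignature, a signature by ANY listed key is accepted, so
    UK metadata would have been accepted if signed with the Swiss key and vice
    versa: a compromise of, or malicious act by, one federation's signer could
    forge the other federation's metadata. Splitting the engines confines each
    key to the feed it is authoritative for. If anything else in this file
    still references "shibboleth.MetadataTrustEngine", point it at the engine
    for the federation concerned.

    The certificate files must be obtained out of band and checked against the
    fingerprint each federation publishes before being placed on disk; they are
    the trust anchors for everything loaded through these providers.
-->
<security:TrustEngine id="shibboleth.UKFederationMetadataTrustEngine"
                      xsi:type="security:StaticExplicitKeySignature">
    <!-- UK federation metadata signing certificate -->
    <security:Credential id="UKFederationCredential" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/ukfederation.crt</security:Certificate>
    </security:Credential>
</security:TrustEngine>

<security:TrustEngine id="shibboleth.SWITCHaaiMetadataTrustEngine"
                      xsi:type="security:StaticExplicitKeySignature">
    <!-- SWITCHaai federation metadata signing certificate -->
    <security:Credential id="CHFederationCredential" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/chfederation.crt</security:Certificate>
    </security:Credential>
</security:TrustEngine>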