Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

Overview

The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.

Info

The "Sign and Expire" distribution model

In practice, a SignatureValidation filter and a RequiredValidUntilFilter filter are often used together to securely obtain remote metadata via HTTP. See the FileBackedHTTPMetadataProvider and DynamicHTTPMetadataProvider topics for explicit configuration examples. Other distribution models are discussed in the TrustManagement topic.

...

  • A pointer to a certificate file

  • A reference to an externally defined TrustEngine bean

  • An inline <PublicKey> element

  • An inline <security:TrustEngine> element

Note

Filter order is important!

In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance. Examples of the latter include EntityAttributesFilter, EntityRoleFilter, NameIDFormatFilter, and PredicateMetadataFilter.
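As an added configuration example (written for this page, not taken from the Shibboleth documentation or distribution), the following metadata-providers.xml fragment combines the "Sign and Expire" pattern from the Info panel with the ordering rule above: the signature check runs first, the validUntil check second, and a metadata-altering filter last. The provider ids, metadata URL, backing file path and certificate path are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- metadata-providers.xml fragment; ids, URL and file paths are placeholders -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd">

    <MetadataProvider id="FederationMetadata" xsi:type="FileBackedHTTPMetadataProvider"
        metadataURL="https://federation.example.org/metadata/federation-metadata.xml"
        backingFile="%{idp.home}/metadata/federation-metadata.xml">

        <!-- 1. Signature check first. The trusted signing certificate is pinned from a
             local file (the first of the four options listed above), so trust rests on
             the publisher's key rather than on the TLS channel. No filter below ever
             sees data that has not passed this check. -->
        <MetadataFilter xsi:type="SignatureValidation"
            certificateFile="%{idp.home}/credentials/federation-signing.pem"/>

        <!-- 2. Expiry check second. Reject metadata with no validUntil, or with a
             validity window longer than the stated maximum, so an old but correctly
             signed copy cannot be served indefinitely. -->
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

        <!-- 3. Filters that alter the metadata come last, after trust is established.
             EntityRoleFilter keeps only SP role descriptors. -->
        <MetadataFilter xsi:type="EntityRoleFilter">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
</MetadataProvider>
```

Swapping the first two filters would still verify the signature, but placing EntityRoleFilter ahead of SignatureValidation would let an altering filter operate on unverified metadata, which is exactly what the ordering rule forbids.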

...