Namespace:urn:mace:shibboleth:2.0:metadata
Schema:http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
Table of Contents |
---|
Overview
A filter of type Algorithm
adds extension elements defined by the SAML V2.0 Metadata Profile for Algorithm Support, which the IdP supports as a means of determining the best cryptographic algorithms to use when communicating with a particular relying party. It is the only practical mechanism whereby newer algorithms can be safely deployed without breaking interoperability.
This filter is typically used to add algorithm extensions to remote metadata at runtime. The filter is usually applied to an HTTP metadata provider such as the FileBackedHTTPMetadataProvider
or the DynamicHTTPMetadataProvider
, since locally-maintained metadata can generally be edited directly.
...
To use the Algorithm
filter, sequences of these "method" elements are supplied as filter content. When a child element such as <Entity>
or <ConditionRef>
or <ConditionScript>
evaluates to true, the "method" elements are applied to the corresponding metadata in the appropriate location.
Note |
---|
Filter order is important!This filter changes the content of the metadata and so a filter of type |
Tip |
---|
Position the Algorithm filter for efficiencyDeliberately position an |
Other Relevant Schemas
The schema for the <alg:DigestMethod>
and <alg:SigningMethod>
extension elements is part of the OASIS SAML V2.0 Metadata Profile for Algorithm Support specification.
...
The most complex aspect of this filter, aside from actually understanding the algorithms to specify and what they're actually called, is that the XML gets more complex than most people are used to because of the variety of namespaces involved. The similarities, and sometimes subtle differences, between the URIs for the namespaces and the URIs of the algorithms is also a source of constant pain. The XML Signature and Encryption 1.0 and 1.1 standards are very complex and specifying things requires careful attention to detail in some cases.
Tip | |
---|---|
title | Update NoteThe root element of the conf/metadata-providers.xml file in the distribution has been updated to contain a number of namespace declarations and schema locations to properly reference the relevant schemas for this feature. It is advisable to update your local copy with the new example after an upgrade from V3 if you want to use this filter. |
...
A useful set of references and an incomplete set of some of the important algorithms defined within them:
XML Signature 1.0 (see 1.1 for the actual latest formal spec)
SHA-1 DigestMethod
RSA with SHA-1 SigningMethod
SHA-224, SHA-384 DigestMethod variants
RSA with SHA-2 SigningMethod variants
ECDSA SigningMethod variants
XML Encryption 1.0 (see 1.1 for the actual latest formal spec)
SHA-256 DigestMethod
AES-CBC EncryptionMethod for data
RSA-OAEP-MGF1 with SHA-1 digest and MGF EncryptionMethod for keys
AES-GCM EncryptionMethod
RSA-OAEP with variable digest and MGF EncryptionMethod for keys
In most cases, all that's necessary to define use of a digest or signing algorithm is for the enclosing extension element to carry an Algorithm
XML attribute containing the proper URI. You should get some warnings if an improper or unsupported URI is used.
...
Note |
---|
It is unsafe and undefined to use Spring properties (%{foo}) in any of the content for this filter. |
XML Elements
Name | Description |
---|---|
| Elements added to the |
| Element added to every encryption-applicable |
| The textual content is an entityID. All preceding extensions are added to the matching entity. |
| The textual content is |
the Bean ID of type Predicate | |
The content of this element is an inline or local script resource that implements Predicate |
Examples
Note |
---|
Note the examples assume a set of XML namespace declarations in the top of the configuration that match the new shipping defaults in this release. |
...
This example is appropriate for a metadata source containing lots of SPs, a large number of which do not support GCM and/or can't be practically tested.
Code Blockexpand | |||||||
---|---|---|---|---|---|---|---|
| |||||||
| true
|
The second example is sensible for a smaller metadata source for which the bulk of the SPs are assumed to support GCM and/or can practically be tested prior to deployment to identify the exceptions. This is just a straightforward application of CBC to the non-supporting systems.
Code Blockexpand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
| collapse
| true
|
The last example is a more comprehensive illustration of some of the fancier things that can be done.
Expand | |||||||||
---|---|---|---|---|---|---|---|---|---|
| collapse | true
|