Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
...
This example is appropriate for a metadata source containing many SPs, a large number of which do not support GCM and/or cannot practically be tested. Two separate filters are required to keep the conditional logic simple and to ensure that only the desired SPs receive the GCM extension.
Apply AES-CBC to all SPs, GCM to a few

<!-- GCM-supporting SPs. -->
<MetadataFilter xsi:type="Algorithm">
    <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm" />
    <Entity>https://tested.example.org/sp</Entity>
    <Entity>https://also-tested.example.org/sp</Entity>
</MetadataFilter>

<!-- Tag everything with CBC. -->
<MetadataFilter xsi:type="Algorithm">
    <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
    <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
</MetadataFilter>
The second example is sensible for a smaller metadata source in which the bulk of the SPs are assumed to support GCM and/or can practically be tested prior to deployment to identify the exceptions. This is just a straightforward application of CBC to the non-supporting systems. Note that it only works if the metadata as a whole does not already include the GCM algorithm extension for every SP.
Apply AES-CBC to Exceptions

<!-- CBC-only SPs. -->
<MetadataFilter xsi:type="Algorithm">
    <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
    <Entity>https://broken.example.org/sp</Entity>
    <Entity>https://also-broken.example.org/sp</Entity>
</MetadataFilter>
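Deciding between the two approaches above depends on what the source metadata already says: the exceptions-only filter is pointless for an SP whose metadata already carries the GCM extension, and the note above rules it out when every SP does. The following script is an added example, not part of the Shibboleth documentation or the IdP's own tooling; it parses a SAML metadata aggregate, collects the EncryptionMethod algorithms each SP advertises (anywhere under its SPSSODescriptor), and reports which entities lack GCM and which entries on a planned exception list already advertise it. The entity IDs and the metadata document are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespaces and algorithm URIs exactly as they appear in SAML metadata and in the filters above.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
AES128_GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

# Constructed sample aggregate (hypothetical entities, not a real federation feed):
# one SP already advertises GCM, one advertises CBC only, one advertises nothing,
# plus an IdP entry that the checks must ignore.
SAMPLE_METADATA = f"""
<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" Name="constructed-example">
  <md:EntityDescriptor entityID="https://tested.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:KeyName>placeholder-key</ds:KeyName></ds:KeyInfo>
        <md:EncryptionMethod Algorithm="{AES128_GCM}"/>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://broken.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:KeyName>placeholder-key</ds:KeyName></ds:KeyInfo>
        <md:EncryptionMethod Algorithm="{AES128_CBC}"/>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://also-broken.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:KeyName>placeholder-key</ds:KeyName></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def encryption_methods_by_entity(metadata_xml: str) -> dict[str, set[str]]:
    """Map each SP entityID to the set of EncryptionMethod algorithm URIs it advertises.

    Only SPSSODescriptor roles are examined, since the IdP's choice of data-encryption
    algorithm is driven by the SP's metadata; non-SP entities are skipped entirely.
    """
    root = ET.fromstring(metadata_xml)
    result: dict[str, set[str]] = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        sp_roles = ed.findall(f"{{{MD_NS}}}SPSSODescriptor")
        if not sp_roles:
            continue
        algs: set[str] = set()
        for role in sp_roles:
            # Search the whole role so EncryptionMethod is found wherever a filter or
            # the SP placed it (inside a KeyDescriptor or elsewhere under the role).
            for em in role.iter(f"{{{MD_NS}}}EncryptionMethod"):
                alg = em.get("Algorithm")
                if alg:
                    algs.add(alg)
        result[ed.get("entityID", "")] = algs
    return result


def entities_without_gcm(by_entity: dict[str, set[str]]) -> list[str]:
    """SPs that do not advertise AES-128-GCM; candidates for a CBC-only exception list."""
    return sorted(eid for eid, algs in by_entity.items() if AES128_GCM not in algs)


def every_sp_advertises_gcm(by_entity: dict[str, set[str]]) -> bool:
    """True in exactly the situation the note above says the exceptions approach cannot handle."""
    return bool(by_entity) and not entities_without_gcm(by_entity)


def exceptions_already_advertising_gcm(by_entity: dict[str, set[str]], exceptions: list[str]) -> list[str]:
    """Entries on a planned CBC exception list whose metadata already carries the GCM extension."""
    return sorted(eid for eid in exceptions if AES128_GCM in by_entity.get(eid, set()))


if __name__ == "__main__":
    by_entity = encryption_methods_by_entity(SAMPLE_METADATA)
    for eid, algs in sorted(by_entity.items()):
        print(f"{eid}: {sorted(algs) or '(no EncryptionMethod)'}")
    print("Without GCM:", entities_without_gcm(by_entity))
    print("Every SP already advertises GCM:", every_sp_advertises_gcm(by_entity))
    planned = ["https://broken.example.org/sp", "https://tested.example.org/sp"]
    print("Exceptions already advertising GCM:", exceptions_already_advertising_gcm(by_entity, planned))
```

Run it against a saved copy of the real aggregate (replace SAMPLE_METADATA with the file contents) before settling on one of the two filter layouts; the report of entities without GCM is also a reasonable starting point for the Entity list in the exceptions filter.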
...