Comment: maxValidityInterval changed for UK Federation example from integer to duration


<!-- Chaining metadata provider defined in the default IdP relying-party configuration file -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata">

    <!-- Load the UK metadata -->
    <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata" 
                      metadataURL="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
                      backingFile="/opt/shibboleth-idp/metadata/ukfederation-metadata.xml">

        <!-- Using chaining filter to allow us multiple filters to be added -->
        <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">

            <!-- Ensure the metadata has a reasonable (1 week) validity period. -->
            <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata" 
                            maxValidityInterval="604800P30D" />

            <!-- 
                Ensure metadata is signed and use the 'shibboleth.MetadataTrustEngine' 
                to determine its trustworthiness 
            -->
            <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                            trustEngineRef="shibboleth.MetadataTrustEngine"
                            requireSignedMetadata="true" />

        </MetadataFilter>
    </MetadataProvider>

    <!-- Load the Swiss metadata -->
    <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider"
                      xmlns="urn:mace:shibboleth:2.0:metadata" 
                      metadataURL="http://metadata.aai.switch.ch/metadata.switchaai.xml"
                      backingFile="/opt/shibboleth-idp/metadata/metadata.switchaai.xml">

        <!-- Using chaining filter to allow us multiple filters to be added -->
        <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">

            <!-- Ensure the metadata has a reasonable (1 week) validity period. -->
            <MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata" 
                            maxValidityInterval="604800" />

            <!-- 
                Ensure metadata is signed and use the 'shibboleth.MetadataTrustEngine' 
                to determine its trustworthiness 
            -->
            <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                            trustEngineRef="shibboleth.MetadataTrustEngine"
                            requireSignedMetadata="true" />

        </MetadataFilter>
    </MetadataProvider>

</MetadataProvider>

<!-- Define the shibboleth.MetadataTrustEngine used to evaluate the trustworthiness of metadata -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">

    <!-- Trust metadata signed by UK federation cert -->
    <security:Credential id="UKFederationCredential" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/ukfederation.crt</security:Certificate>
    </security:Credential>

    <!-- Trust metadata signed by Swiss federation cert -->
    <security:Credential id="CHFederationCredential" xsi:type="security:X509Filesystem">
        <security:Certificate>/opt/shibboleth-idp/credentials/chfederation.crt</security:Certificate>
    </security:Credential>
</security:TrustEngine>
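Review bot: The comment above the changed RequiredValidUntil filter still says "(1 week)" while the value the version comment describes is a duration of P30D, i.e. 30 days (the rendered line shows the old and new values fused as `604800P30D`, so the exact new value is inferred from the version comment). If the one-week policy is intended, the consistent line is `maxValidityInterval="P7D"`; otherwise the comment should read `<!-- Ensure the metadata has a reasonable (at most 30 days) validity period. -->`. Both metadataURL values use plain http, so the SignatureValidation filter and this validity bound are the only protections against a tampered or stale feed, and widening the bound fourfold lengthens the window in which a stale but correctly signed copy is still accepted. The Swiss example's matching filter was left in the integer form (`maxValidityInterval="604800"`), so the two examples now show different syntaxes for the same attribute. Separately, both providers carry `id="URLMD"`; ids inside a chain should be unique, e.g. `id="CHMD"` on the second (any distinct value will do).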
