Namespace:urn:mace:shibboleth:2.0:metadata
Schema:http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
Overview
The SignatureValidation
filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.
There are four approaches to supplying a trust policy to the SignatureValidation
filter:
A pointer to a certificate file
A reference to an externally defined TrustEngine bean
An inline <PublicKey>
element
An inline <security:TrustEngine>
element
Note |
title |
---|
Filter order is important!In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance. Examples of the latter include EntityAttributesFilter, EntityRoleFilter, NameIDFormatFilter, and PredicateMetadataFilter . |
Reference
Localtabgroup |
---|
Localtab live |
---|
active | true |
---|
title | XML Attributes |
---|
|
Name / Type / Default | Description |
---|
requireSignedRoot Boolean true | If true, this fails to load metadata with no signature on the root XML element. | alwaysVerifyTrustedSource Boolean false | If true, the root signature of the metadata currently being processed will always be verified. If false, then the root signature will be verified unless the metadata source is "trusted", defined as: | certificateFile File pathname | Path to a certificate file whose key is used to verify the signature. Conflicts with trustEngineRef and both allowable child elements. | trustEngineRef Bean ID | Bean ID of a <security:TrustEngine> defined somewhere else in the configuration. Conflicts with certificateFile and both allowable child elements. | defaultCriteriaRef Bean ID shibboleth.MetadataSignatureValidationStaticCriteria | (ADVANCED, not generally needed) Bean ID of an externally defined CriteriaSet used as input the to the trust engine | signaturePrevalidatorRef Bean ID SAMLSignatureProfileValidator | (ADVANCED, not generally needed) Bean ID of an externally defined SignaturePrevalidator. Used to perform pre-validation of an XML Signature, for example to validate that the signature conforms to a particular profile of XML Signature. | dynamicTrustedNamesStrategyRef Bean ID BasicDynamicTrustedNamesStrategy | (ADVANCED, not generally needed) Bean ID of an externally defined Function<XMLObject, Set<String>>. This will be used to extract dynamic trusted names from signed metadata elements. |
One of the following two child elements may be configured. Their use conflicts with the certificateFile and trustEngineRef XML attributes. Name | Description |
---|
<PublicKey> | A PEM-format public key. You can obtain a public key from a certificate using a command such as: Code Block |
---|
| $ openssl x509 -pubkey -in cert.pem -noout |
| <security:TrustEngine>
| A trust engine plugin that defines how the signature is to be checked |
|
Examples
Externally specified certificate file
Code Block |
---|
language | xml |
---|
title | Externally specified certificate file |
---|
|
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="${idp.home}/credentials/signer.pem"/> |
Inline key
Code Block |
---|
language | xml |
---|
title | Inline key |
---|
|
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
<PublicKey>
MIIBI.....
</PublicKey>
</MetadataFilter> |
Code Block |
---|
|
language | xml |
title |
Metadata Provider with inline trust engine
Code Block |
---|
|
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
<security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
<security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
</security:Credential>
</security:TrustEngine>
</MetadataFilter> |
Code Block |
---|
language | xml |
---|
title |
Metadata Provider with inline trust engine with multiple validation credentials
Code Block |
---|
|
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
<security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="SignerCredential_1" xsi:type="security:X509ResourceBacked">
<security:Certificate>${idp.home}/credentials/signer1.pem</security:Certificate>
</security:Credential>
<security:Credential id="SignerCredential_2" xsi:type="security:X509ResourceBacked">
<security:Certificate>${idp.home}/credentials/signer2.pem</security:Certificate>
</security:Credential>
</security:TrustEngine>
</MetadataFilter> |
Code Block |
---|
|
language | xml |
title |
PKIX signature validation with static trust anchors
Code Block |
---|
|
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
<security:TrustEngine id="VTSignerTrustEngine" xsi:type="security:StaticPKIXSignature">
<security:TrustedName>shib</security:TrustedName>
<security:ValidationInfo id="VTPKIXValidationInfo" xsi:type="security:PKIXResourceBacked">
<security:Certificate>${idp.home}/credentials/vtmwca.pem</security:Certificate>
</security:ValidationInfo>
</security:TrustEngine>
</MetadataFilter> |
...