Versions Compared

Old Version 12

changes.mady.by.user Rod Widdowson

Saved on

compared with

New Version 13

changes.mady.by.user Rod Widdowson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Namespace:urn:mace:shibboleth:2.0:metadata
Schema:http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

Table of Contents

Overview

The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.

Info
title

The "Sign and Expire" distribution model

In practice, a SignatureValidation filter and a

RequiredValidUntil

RequiredValidUntilFilter filter are often used together to securely obtain remote metadata via HTTP. See

the 

the FileBackedHTTPMetadataProvider

and 

and DynamicHTTPMetadataProvider topics for explicit configuration examples. Other distribution models are discussed in the TrustManagement topic.

There are four approaches to supplying a trust policy to the SignatureValidation filter:

  • A pointer to a certificate file

  • A reference to an externally defined TrustEngine bean

  • An inline <PublicKey> element

  • An inline <security:TrustEngine> element

title
Note

Filter order is important!

In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance. Examples of the latter include EntityAttributesFilter, EntityRoleFilter, NameIDFormatFilter, and PredicateMetadataFilter .

Reference

Localtabgroup
Localtab live
activetrue
titleXML Attributes


Name / Type / Default

Description

requireSignedRoot

Boolean

true

If true, this fails to load metadata with no signature on the root XML element.

alwaysVerifyTrustedSource

Boolean

false

If true, the root signature of the metadata currently being processed will always be verified.

If false, then the root signature will be verified unless the metadata source is "trusted", defined as:

certificateFile

File pathname

Path to a certificate file whose key is used to verify the signature.

Conflicts with trustEngineRef and both allowable child elements.

trustEngineRef

Bean ID

Bean ID of a <security:TrustEngine> defined somewhere else in the configuration.

Conflicts with certificateFile and both allowable child elements.

defaultCriteriaRef

Bean ID

shibboleth.MetadataSignatureValidationStaticCriteria

(ADVANCED, not generally needed)

Bean ID of an externally defined CriteriaSet used as input the to the trust engine

signaturePrevalidatorRef

Bean ID

SAMLSignatureProfileValidator

(ADVANCED, not generally needed)

Bean ID of an externally defined SignaturePrevalidator. Used to perform pre-validation of an XML Signature, for example to validate that the signature conforms to a particular profile of XML Signature.

dynamicTrustedNamesStrategyRef

Bean ID

BasicDynamicTrustedNamesStrategy

(ADVANCED, not generally needed)

Bean ID of an externally defined Function<XMLObject, Set<String>>. This will be used to extract dynamic trusted names from signed metadata elements.

Localtab live
titleXML Elements

One of the following two child elements may be configured. Their use conflicts with the certificateFile and trustEngineRef XML attributes.

Name

Description

<PublicKey>

A PEM-format public key.

You can obtain a public key from a certificate using a command such as:

Code Block
languagebash
$ openssl x509 -pubkey -in cert.pem -noout


<security:TrustEngine>

A trust engine plugin that defines how the signature is to be checked



Examples

Externally specified certificate file
Code Block
languagexml
titleExternally specified certificate file
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
	certificateFile="${idp.home}/credentials/signer.pem"/>


Inline key
title
Code Block
languagexml
titleInline key
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
  <PublicKey>
    MIIBI.....
  </PublicKey>
</MetadataFilter>
Code Block
languagexml

Metadata Provider with inline trust engine
 Code Block
languagexml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>
 Code Block
languagexml
title

Metadata Provider with inline trust engine with multiple validation credentials
title
 Code Block
languagexml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential_1" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer1.pem</security:Certificate>
        </security:Credential>
        <security:Credential id="SignerCredential_2" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer2.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>
 Code Block
languagexml

PKIX signature validation with static trust anchors
 Code Block
languagexml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="VTSignerTrustEngine" xsi:type="security:StaticPKIXSignature">
        <security:TrustedName>shib</security:TrustedName>
        <security:ValidationInfo id="VTPKIXValidationInfo" xsi:type="security:PKIXResourceBacked">
            <security:Certificate>${idp.home}/credentials/vtmwca.pem</security:Certificate>
        </security:ValidationInfo>
    </security:TrustEngine>
</MetadataFilter>
...