Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
Overview
...
XML Attributes

Name | Type | Default | Description
---|---|---|---
requireSignedRoot | Boolean | true | If true, the filter refuses to load metadata whose root XML element carries no signature.
alwaysVerifyTrustedSource | Boolean | false | If true, the root signature of the metadata currently being processed is always verified. If false, the root signature is verified unless the metadata source is "trusted", defined as:
certificateFile | File pathname | | Path to a certificate file whose public key is used to verify the signature. Conflicts with trustEngineRef and with both allowable child elements.
trustEngineRef | Bean ID | | Bean ID of a <security:TrustEngine> defined elsewhere in the configuration. Conflicts with certificateFile and with both allowable child elements.
defaultCriteriaRef | Bean ID | shibboleth.MetadataSignatureValidationStaticCriteria | (ADVANCED, not generally needed) Bean ID of an externally defined CriteriaSet used as input to the trust engine.
signaturePrevalidatorRef | Bean ID | SAMLSignatureProfileValidator | (ADVANCED, not generally needed) Bean ID of an externally defined SignaturePrevalidator. Used to pre-validate an XML Signature before trust evaluation, for example to check that the signature conforms to a particular profile of XML Signature.
dynamicTrustedNamesStrategyRef | Bean ID | BasicDynamicTrustedNamesStrategy | (ADVANCED, not generally needed) Bean ID of an externally defined Function<XMLObject, Set<String>>, used to extract dynamic trusted names from signed metadata elements.
One of the following two child elements may be configured. Their use conflicts with the certificateFile and trustEngineRef XML attributes.

Name | Description
---|---
<PublicKey> | A PEM-format public key. You can extract the public key from a certificate with `openssl x509 -pubkey -in cert.pem -noout`.
<security:TrustEngine> | A trust engine plugin that defines how the signature is to be checked.
...
```xml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <PublicKey>
        MIIBI.....
    </PublicKey>
</MetadataFilter>
```
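The requireSignedRoot requirement is structural, and it is easy to misread: a feed whose individual EntityDescriptor elements are each signed, but whose EntitiesDescriptor root is not, does not satisfy it, and neither does a root-level Signature whose Reference points at some other element's ID. The Python script below is an added example written for this page, not code from the Shibboleth IdP or its documentation. It reproduces just that structural check with the standard library, on constructed sample metadata whose digest and signature values are placeholders. It verifies nothing cryptographically (that is the trust engine's job), it insists on an ID-based Reference URI of the form `#<ID>` as the SAML signature profile requires, and it does not model anything else the real SignaturePrevalidator checks. Note also that `xml.etree` is not hardened against entity-expansion attacks; parse untrusted feeds with defusedxml or an equivalent in production.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _signature_reference_uri(element):
    """Return the Reference URI of a ds:Signature that is a *direct* child of
    `element`, or None if the element carries no enveloped signature of its own.
    find() only looks at direct children, so signatures nested deeper are ignored."""
    sig = element.find(f"{{{DS}}}Signature")
    if sig is None:
        return None
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    return ref.get("URI", "") if ref is not None else ""


def root_is_signed(metadata_xml: str) -> bool:
    """Structural equivalent of requireSignedRoot="true": the root element must
    carry its own ds:Signature, and that signature's Reference must point at the
    root's ID attribute (URI="#<ID>"). Signatures on nested EntityDescriptor
    elements do not count, nor does a root Signature referencing another ID."""
    root = ET.fromstring(metadata_xml)
    uri = _signature_reference_uri(root)
    if not uri:
        return False
    root_id = root.get("ID")
    return root_id is not None and uri == "#" + root_id


def signed_elements(metadata_xml: str):
    """List (local element name, Reference URI) for every enveloped signature in
    the document. Useful when diagnosing a feed rejected by requireSignedRoot:
    a per-entity-signed feed shows up here with only EntityDescriptor entries."""
    root = ET.fromstring(metadata_xml)
    parent = {child: p for p in root.iter() for child in p}
    out = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        owner = parent[sig]
        ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        out.append((owner.tag.split("}")[1], ref.get("URI", "") if ref is not None else ""))
    return out


# Constructed sample feeds (assumption: placeholder digest/signature values, no real keys).
def _sig(ref_uri):
    return (
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        f'<ds:Reference URI="{ref_uri}"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>BBBB</ds:SignatureValue></ds:Signature>'
    )


_SP = '<md:EntityDescriptor entityID="https://sp.example.org" ID="_sp"'

UNSIGNED = f'<md:EntitiesDescriptor xmlns:md="{MD}" ID="_root">{_SP}/></md:EntitiesDescriptor>'
ROOT_SIGNED = (
    f'<md:EntitiesDescriptor xmlns:md="{MD}" ID="_root">{_sig("#_root")}{_SP}/>'
    '</md:EntitiesDescriptor>'
)
ENTITY_SIGNED_ONLY = (
    f'<md:EntitiesDescriptor xmlns:md="{MD}" ID="_root">{_SP}>{_sig("#_sp")}'
    '</md:EntityDescriptor></md:EntitiesDescriptor>'
)
ROOT_SIG_WRONG_REF = (
    f'<md:EntitiesDescriptor xmlns:md="{MD}" ID="_root">{_sig("#_sp")}{_SP}/>'
    '</md:EntitiesDescriptor>'
)


if __name__ == "__main__":
    for name, feed in [("unsigned", UNSIGNED), ("root signed", ROOT_SIGNED),
                       ("entity signed only", ENTITY_SIGNED_ONLY),
                       ("root sig, wrong ref", ROOT_SIG_WRONG_REF)]:
        print(f"{name:20s} root_is_signed={root_is_signed(feed)!s:5s} "
              f"signatures={signed_elements(feed)}")
```

Only the second feed passes. The third is the case that trips people up in practice: every entity is signed, but nothing covers the aggregate, so a SignatureValidation filter with requireSignedRoot="true" rejects the whole feed.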
Metadata Provider with inline trust engine
...