Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
Overview
...
Note: Filter order is important! In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance. Examples of the latter include EntityAttributesFilter, EntityRoleFilter, NameIDFormatFilter, and PredicateMetadataFilter. A filter that modifies the document changes the content the root signature covers, so validation would fail, and any filter run before validation would be operating on unverified data.
Reference
Attributes

Name | Type | Default | Description
---|---|---|---
requireSignedRoot | Boolean | true | If true, metadata whose root XML element carries no signature fails to load.
alwaysVerifyTrustedSource | Boolean | false | If true, the root signature of the metadata currently being processed is always verified. If false, the root signature is verified unless the metadata source is "trusted", defined as:
certificateFile | File pathname | | Path to a certificate file whose key is used to verify the signature. Conflicts with trustEngineRef and both allowable child elements.
trustEngineRef | Bean ID | | Bean ID of a `<security:TrustEngine>` defined elsewhere in the configuration. Conflicts with certificateFile and both allowable child elements.
defaultCriteriaRef | Bean ID | shibboleth.MetadataSignatureValidationStaticCriteria | (ADVANCED, not generally needed) Bean ID of an externally defined CriteriaSet used as input to the trust engine.
signaturePrevalidatorRef | Bean ID | SAMLSignatureProfileValidator | (ADVANCED, not generally needed) Bean ID of an externally defined SignaturePrevalidator. Used to perform pre-validation of an XML Signature, for example to validate that the signature conforms to a particular profile of XML Signature.
dynamicTrustedNamesStrategyRef | Bean ID | BasicDynamicTrustedNamesStrategy | (ADVANCED, not generally needed) Bean ID of an externally defined `Function<XMLObject, Set<String>>`. This is used to extract dynamic trusted names from signed metadata elements.
Child Elements

One of the following two child elements may be configured. Their use conflicts with the certificateFile and trustEngineRef XML attributes.

Name | Description
---|---
`<PublicKey>` | A PEM-format public key. You can obtain a public key from a certificate using a command such as: `$ openssl x509 -pubkey -in cert.pem -noout`
`<security:TrustEngine>` | A trust engine plugin that defines how the signature is to be checked.
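The following fragment, added here as an illustration and not taken from the Shibboleth documentation, shows how the attributes and child elements above combine in a metadata-providers.xml and how the ordering rule from the Overview is applied: SignatureValidation runs before the EntityRoleFilter that prunes the document. The provider IDs, file paths, the federation URL and the key placeholder are assumptions; the fragment assumes the surrounding file already declares the `md`, `security` and `xsi` namespace prefixes as the stock metadata-providers.xml does.

```xml
<!-- Added example, not from the page. IDs, paths and the URL are placeholders. -->

<!-- Federation feed: verify with a certificate file, then prune to SP roles. -->
<MetadataProvider id="ExampleFederation" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/example-federation.xml"
    metadataURL="https://federation.example.org/metadata/federation.xml">

    <!-- Must come first: any filter that changes the document would break
         the root signature, and nothing should run on unverified content. -->
    <MetadataFilter xsi:type="SignatureValidation"
        requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/example-federation-signing.pem"/>

    <!-- Alters the metadata instance, so it is placed after validation. -->
    <MetadataFilter xsi:type="EntityRoleFilter">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>

<!-- Single partner file: same filter, keyed by a PEM public key inline instead
     of certificateFile (the two forms are mutually exclusive). -->
<MetadataProvider id="PartnerSP" xsi:type="FilesystemMetadataProvider"
    metadataFile="%{idp.home}/metadata/partner-sp.xml">

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
        <!-- Paste the output of: openssl x509 -pubkey -in cert.pem -noout -->
        <PublicKey>
-----BEGIN PUBLIC KEY-----
(placeholder: base64 SubjectPublicKeyInfo goes here)
-----END PUBLIC KEY-----
        </PublicKey>
    </MetadataFilter>
</MetadataProvider>
```

With requireSignedRoot left at its default of true, a feed that arrives unsigned is rejected outright rather than silently accepted; set it to false only for a source whose integrity is assured by other means, and then consider alwaysVerifyTrustedSource so a signature, when present, is still checked.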
...