<!-- Chaining metadata provider defined in the default IdP relying-party configuration file -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata">
<!--
Refresh the InCommon production metadata aggregate every hour.
Note: The defaults for minRefreshDelay, maxRefreshDelay, and refreshDelayFactor
are "PT5M", "PT4H", and "0.75", respectively. The default for maxRefreshDelay
has been changed below, so that the metadata is refreshed every hour ("PT1H").
The other properties merely regurgitate their default values.
-->
<MetadataProvider id="ICMD" xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml"
minRefreshDelay="PT5M"
maxRefreshDelay="PT1H"
refreshDelayFactor="0.75">
<!-- Use a chaining filter to allow multiple filters to be added -->
<MetadataFilter xsi:type="ChainingFilter">
<!--
Require a validUntil XML attribute on the EntitiesDescriptor element
and make sure its value is no more than 14 days into the future
-->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />
<!--
Require the metadata to be signed and use the trust engine
labeled id="ICTrust" to determine its trustworthiness
-->
<MetadataFilter xsi:type="SignatureValidation"
trustEngineRef="ICTrust" requireSignedMetadata="true" />
<!-- Consume all SP metadata in the aggregate -->
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataFilter>
</MetadataProvider>
</MetadataProvider>
<!--
This TrustEngine (beneath the Security Configuration section) is an
implementation of the Explicit Key Trust Model (https://spaces.internet2.edu/x/t43NAQ).
To bootstrap the trust fabric of the federation, each relying party
obtains and configures an authentic copy of the federation operator’s
Metadata Signing Certificate (https://spaces.internet2.edu/x/moHFAg).
Fetch the InCommon metadata signing certificate and check its integrity:
$ /usr/bin/curl --silent http://md.incommon.org/certs/inc-md-cert.pem \
| /usr/bin/tee /opt/shibboleth-idp/credentials/inc-md-cert.pem \
| /usr/bin/openssl x509 -sha1 -noout -fingerprint
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
-->
<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
<security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate>
</security:Credential>
</security:TrustEngine>
|