...
Schema validation is off by default and is enabled via a metadata provider filter. Federation operators therefore cannot know for certain, from validation errors alone, whether a particular IdP will fail to load the metadata, but most will not.
...
All validUntil and cacheDuration attributes within a metadata document are inspected, and the shortest of them determines when the IdP will next attempt to refresh the metadata. For example, if the shortest cacheDuration in the document is 30 minutes and the nearest validUntil date is 5 days away, then the metadata will be refreshed in 30 minutes. Some metadata providers may provide additional parameters to further control metadata refresh behavior.
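To make the refresh rule concrete, the following script (an added example, not Shibboleth code) walks a constructed metadata document, turns every validUntil into an instant and every cacheDuration into "now plus duration", and picks the earliest; the parse_duration helper covers only the day/time units normally found in cacheDuration.

```python
from datetime import datetime, timedelta, timezone
import re
import xml.etree.ElementTree as ET  # use defusedxml for metadata you did not author

# Constructed sample: root validUntil 5 days out, nested cacheDurations of 30 min and 2 h.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2024-01-06T12:00:00Z">
  <EntityDescriptor entityID="https://idp.example.org/idp" cacheDuration="PT30M">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/sp" cacheDuration="PT2H"/>
</EntitiesDescriptor>"""

# xs:duration subset: PnDTnHnMnS (no years/months, which have no fixed length).
_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Parse a cacheDuration value such as PT30M or P5D into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported duration: {text}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def next_refresh(metadata_xml, now):
    """Return the earliest instant implied by any validUntil or cacheDuration
    attribute anywhere in the document, or None if neither attribute appears."""
    candidates = []
    for elem in ET.fromstring(metadata_xml).iter():  # iter() includes the root
        valid_until = elem.get("validUntil")
        if valid_until:
            candidates.append(datetime.fromisoformat(valid_until.replace("Z", "+00:00")))
        cache_duration = elem.get("cacheDuration")
        if cache_duration:
            candidates.append(now + parse_duration(cache_duration))
    return min(candidates) if candidates else None


def seconds_until_refresh(metadata_xml, now):
    """Convenience wrapper: seconds from now until the next refresh attempt."""
    when = next_refresh(metadata_xml, now)
    return None if when is None else (when - now).total_seconds()


if __name__ == "__main__":
    print("next refresh at", next_refresh(SAMPLE_METADATA, NOW))  # 30 minutes after NOW
```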
...
Schema validation is off by default and is enabled via a configuration setting (see NativeSPMetadataProvider). Federation operators therefore cannot know for certain, from validation errors alone, whether a particular SP will fail to load the metadata, but most will not.
...
While there is mention of Debian and derivatives (Ubuntu, etc.) in this section, only those GNU/Linux distributions listed on NativeSPLinuxInstall are officially supported by the Shibboleth project. Debian packages are supported by the Debian project and/or the DebianShibboleth Team.
...
XmlSecTool
Using the contributed XmlSecTool to check for Schema-validity (also checks for well-formedness):
...
Shibboleth Service Provider
The XML MetadataProvider used by most deployers can optionally schema-validate the metadata it attempts to load. It will refuse to load schema-invalid metadata and will report the errors to the log (or console) during startup or configuration checks. Simply include the validate="true" attribute in the <MetadataProvider> element:
...
For Windows-based systems use:

    shibd -check

See NativeSPshibd for complete documentation of all shibd options.
...
XmlSecTool
Using the contributed XmlSecTool to verify a signature:

    xmlsectool.sh --verifySignature --certificate metadata-signing.crt --inFile example-metadata.xml
...
On Red Hat, install via "yum install xmlsec1 xmlsec1-openssl". Note that on a RHEL 5.5 system, user peter additionally had to create a symlink for the openssl engine library, e.g.:
...
Shibboleth Software
Both the Shibboleth IdP and Shibboleth SP support the use of "filters" to perform digital signature verification when loading metadata. For the Shibboleth SP, the same procedure documented above involving shibd configuration checks can be used to manually evaluate the result of the filtering process.
...