The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.
There are four approaches to supplying the trust policy to the filter:
- A pointer to a certificate file
- A reference to an externally defined TrustEngine bean
- An inline <PublicKey> element
- An inline <security:TrustEngine> element
Filter order is important!
In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance. Examples of the latter include EntityAttributesFilter, EntityRoleWhiteListFilter, NameIDFormatFilter, and PredicateMetadataFilter.
Schema
The <MetadataFilter> element and the type SignatureValidation are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.
The <security:TrustEngine> element is defined in the urn:mace:shibboleth:2.0:security namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-security.xsd.
Attributes
Name | Type | Default | Description
---|---|---|---
requireSignedRoot | Boolean | true | If true, metadata whose root XML element carries no signature fails to load.
requireSignedMetadata | Boolean | true | (DEPRECATED) Old version of requireSignedRoot.
certificateFile | File | | Path to a certificate file whose key is used to verify the signature.
defaultCriteriaRef | Bean Reference | shibboleth.MetadataSignatureValidationStaticCriteria | The ID of an externally defined CriteriaSet used as input to the trust engine; not generally used.
signaturePrevalidatorRef | Bean Reference | SAMLSignatureProfileValidator | The ID of an externally defined SignaturePrevalidator, used to pre-validate an XML Signature, for example to check that it conforms to a particular profile of XML Signature.
dynamicTrustedNamesStrategyRef | Bean Reference | BasicDynamicTrustedNamesStrategy | The ID of an externally defined Function<XMLObject, Set<String>> used to extract dynamic trusted names from signed metadata elements.
trustEngineRef | Bean Reference | | The ID of a <security:TrustEngine> defined elsewhere in the configuration. Conflicts with certificateFile and with both of the child elements.
Child Elements
One of the following two child elements may be configured. Their use conflicts with the certificateFile and trustEngineRef XML attributes.
Name | Description
---|---
<PublicKey> | A PEM-format public key. You can obtain a public key from a certificate using a command such as: $ openssl x509 -pubkey -in cert.pem -noout
<security:TrustEngine> | A trust engine plugin that defines how the signature is to be checked.
Examples
```xml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
    certificateFile="${idp.home}/credentials/signer.pem"/>
```

```xml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <PublicKey>
        MIIBI.....
    </PublicKey>
</MetadataFilter>
```

```xml
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential" xsi:type="security:X509Filesystem">
            <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>
```
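As an added illustration (not Shibboleth's own code), the following Python reproduces the spirit of the two structural gates the Attributes table describes: the requireSignedRoot rule and the SAML-profile pre-validation a SignaturePrevalidator performs before any trust engine or key is consulted. The metadata aggregates are constructed and their ds:Signature elements are skeletal (no digests or signature values), and the exact rules of SAMLSignatureProfileValidator are assumed rather than taken from the page; real cryptographic verification needs an XML Signature library and is deliberately not shown.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
# Transforms the SAML signature profile permits on the single Reference (assumed set).
ALLOWED_TRANSFORMS = {ENVELOPED, "http://www.w3.org/2001/10/xml-exc-c14n#",
                      "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"}

def prevalidate_root_signature(metadata_xml):
    """Return a list of violations (empty means the pre-checks pass).
    No key is consulted here: this is the structural gate that runs before
    the trust engine, so a passing result is necessary, not sufficient."""
    root = ET.fromstring(metadata_xml)
    sigs = [c for c in root if c.tag == f"{{{DS}}}Signature"]
    if not sigs:  # requireSignedRoot: a signature on a nested element does not count
        return ["root element is not signed"]
    problems = []
    refs = sigs[0].findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return [f"expected exactly one Reference, found {len(refs)}"]
    uri, root_id = refs[0].get("URI", ""), root.get("ID")
    # The Reference must cover the root itself: empty URI or "#" + the root's ID.
    if uri != "" and (root_id is None or uri != f"#{root_id}"):
        problems.append(f"Reference URI {uri!r} does not point at the root ID {root_id!r}")
    transforms = [t.get("Algorithm") for t in refs[0].findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")]
    if ENVELOPED not in transforms:
        problems.append("enveloped-signature transform missing")
    problems += [f"disallowed transform {t}" for t in transforms if t not in ALLOWED_TRANSFORMS]
    return problems

def _sig(uri):
    # Constructed, skeletal ds:Signature: no digest or SignatureValue content.
    return (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="{uri}">'
            f'<ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>'
            '</ds:Reference></ds:SignedInfo><ds:SignatureValue/></ds:Signature>')

ENTITY = '<EntityDescriptor ID="_e1" entityID="https://sp.example.org/shibboleth"/>'
# Constructed aggregates: signed at the root, signed only on a nested entity,
# and signed at the root but with a Reference that covers only the child.
SIGNED_ROOT = f'<EntitiesDescriptor xmlns="{MD}" ID="_agg1">{_sig("#_agg1")}{ENTITY}</EntitiesDescriptor>'
NESTED_ONLY = (f'<EntitiesDescriptor xmlns="{MD}" ID="_agg2"><EntityDescriptor ID="_e1" '
               f'entityID="https://sp.example.org/shibboleth">{_sig("#_e1")}</EntityDescriptor></EntitiesDescriptor>')
WRONG_REF = f'<EntitiesDescriptor xmlns="{MD}" ID="_agg3">{_sig("#_e1")}{ENTITY}</EntitiesDescriptor>'

if __name__ == "__main__":
    for name, doc in [("signed root", SIGNED_ROOT), ("nested only", NESTED_ONLY), ("wrong ref", WRONG_REF)]:
        print(name, "->", prevalidate_root_signature(doc) or "pre-checks pass")
```

Only the first aggregate passes; the second shows why a signature buried on one EntityDescriptor leaves the aggregate unprotected, and the third shows a root-level signature whose Reference still does not cover the root.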