Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
Overview
The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.
The "Sign and Expire" distribution model
A SignatureValidation filter and a RequiredValidUntil filter are often used together to securely obtain remote metadata via HTTP. See the FileBackedHTTPMetadataProvider and DynamicHTTPMetadataProvider topics for explicit configuration examples. Other distribution models are discussed in the TrustManagement topic.
There are four approaches to supplying a trust policy to the SignatureValidation filter:
- A pointer to a certificate file
- A reference to an externally defined TrustEngine bean
- An inline <PublicKey> element
- An inline <security:TrustEngine> element
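The "Sign and Expire" model above combines three policies: the root element must carry a signature, the signer must be the explicitly trusted certificate, and validUntil must be present and neither expired nor absurdly far in the future. The following is an added example, not part of this page or of the Shibboleth IdP, that expresses those policies as a stand-alone pre-flight check an operator can run over an aggregate before deploying it. It assumes a constructed aggregate and a constructed stand-in for the signer certificate, and it deliberately does not verify the XML-DSig itself (canonicalisation and signature verification are the job of the IdP's SignatureValidation filter, which this script only mirrors structurally).

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the DER bytes inside ${idp.home}/credentials/signer.pem.
TRUSTED_B64 = base64.b64encode(b"constructed-federation-signer-certificate").decode()
TRUSTED_PEM = f"-----BEGIN CERTIFICATE-----\n{TRUSTED_B64}\n-----END CERTIFICATE-----\n"
# Constructed aggregate: signed root (SignedInfo/SignatureValue omitted) with a 7-day validUntil.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="{NS['ds']}"
    Name="urn:example:federation" validUntil="2024-06-08T00:00:00Z">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{TRUSTED_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</EntitiesDescriptor>"""

def fingerprint(cert_text):
    """SHA-256 of the DER bytes; PEM armour lines and whitespace are ignored."""
    body = "".join(l for l in cert_text.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def preflight(xml_text, trusted_pem, now, max_validity=timedelta(days=14), skew=timedelta(minutes=5)):
    """Policy violations as a list (empty = passes); mirrors requireSignedRoot, explicit-key trust and RequiredValidUntil."""
    problems, root = [], ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)  # direct child of the root only, as requireSignedRoot demands
    if sig is None:
        problems.append("root is not signed")
    elif fingerprint(sig.findtext(".//ds:X509Certificate", default="", namespaces=NS)) != fingerprint(trusted_pem):
        problems.append("signer is not the trusted certificate")
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("validUntil missing")
    else:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires < now - skew:
            problems.append("metadata expired")
        elif expires > now + max_validity:
            problems.append("validUntil too far in the future")
    return problems

def demo():
    """Run the constructed sample through five scenarios; returns {scenario: problems}."""
    on = lambda d: datetime(2024, 6, d, tzinfo=timezone.utc)
    other_pem = TRUSTED_PEM.replace(TRUSTED_B64, base64.b64encode(b"some-other-signer").decode())
    unsigned = re.sub(r"<ds:Signature>.*?</ds:Signature>", "", SAMPLE_METADATA, flags=re.S)
    return {"fresh, trusted signer": preflight(SAMPLE_METADATA, TRUSTED_PEM, on(1)),
            "expired": preflight(SAMPLE_METADATA, TRUSTED_PEM, on(20)),
            "validity too long": preflight(SAMPLE_METADATA, TRUSTED_PEM, on(1), max_validity=timedelta(days=3)),
            "wrong signer": preflight(SAMPLE_METADATA, other_pem, on(1)),
            "unsigned root": preflight(unsigned, TRUSTED_PEM, on(1))}
```

Point preflight() at a real aggregate and the real signer PEM to see which of these policies a feed would fail before the IdP rejects it at refresh time.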
Filter order is important!
In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance. Examples of the latter include EntityAttributesFilter, EntityRoleFilter, NameIDFormatFilter, and PredicateMetadataFilter.
Reference
Examples
Certificate file:
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="${idp.home}/credentials/signer.pem"/>

Inline public key:
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <PublicKey>
        MIIBI.....
    </PublicKey>
</MetadataFilter>

Inline explicit-key trust engine:
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>

Inline explicit-key trust engine with two signer credentials:
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential_1" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer1.pem</security:Certificate>
        </security:Credential>
        <security:Credential id="SignerCredential_2" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer2.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>

Inline PKIX trust engine:
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="VTSignerTrustEngine" xsi:type="security:StaticPKIXSignature">
        <security:TrustedName>shib</security:TrustedName>
        <security:ValidationInfo id="VTPKIXValidationInfo" xsi:type="security:PKIXResourceBacked">
            <security:Certificate>${idp.home}/credentials/vtmwca.pem</security:Certificate>
        </security:ValidationInfo>
    </security:TrustEngine>
</MetadataFilter>