The Shibboleth IdP V4 software will leave support on September 1, 2024.


Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

Overview

The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.

The "Sign and Expire" distribution model

In practice, a SignatureValidation filter and a RequiredValidUntilFilter are used together to obtain remote metadata securely via HTTP: the signature check establishes who published the metadata, and the validUntil check bounds how long a correctly signed copy may be used. See the FileBackedHTTPMetadataProvider and DynamicHTTPMetadataProvider topics for explicit configuration examples. Other distribution models are discussed in the TrustManagement topic.

There are four approaches to supplying a trust policy to the SignatureValidation filter:

  • A pointer to a certificate file

  • A reference to an externally defined TrustEngine bean

  • An inline <PublicKey> element

  • An inline <security:TrustEngine> element

Filter order is important!

In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance, since a filter that modifies the signed content would otherwise cause the signature check to fail. Examples of the latter include EntityAttributesFilter, EntityRoleFilter, NameIDFormatFilter, and PredicateMetadataFilter.
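The "Sign and Expire" model and the ordering rule above, combined in one provider definition. This is an added example, not configuration from the original page; the provider id, metadata URL, file paths, the 14-day validity bound, and the assumption that the md: namespace prefix is declared in metadata-providers.xml are all assumptions.

```xml
<!-- Added example: assumed provider id, URL, file paths and validity bound -->
<MetadataProvider id="ExampleFederation" xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://federation.example.org/metadata/aggregate.xml"
    backingFile="${idp.home}/metadata/example-federation.xml">

    <!-- 1. Verify the signature on the root element before any other filter runs.
         certificateFile is the federation's metadata signing certificate, i.e. the
         trust anchor for this provider; it is unrelated to the TLS certificate of the URL. -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="${idp.home}/credentials/federation-signer.pem"/>

    <!-- 2. Reject metadata with no validUntil, or one more than 14 days out, so a
         captured copy that still verifies cannot be served indefinitely. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

    <!-- 3. Only now alter the instance (keep SP roles only). Listing this filter
         above SignatureValidation would change the signed content before it is
         checked, and the signature would no longer verify. -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
```

The filter list is evaluated top to bottom, so the order shown is the order the checks are applied to each refreshed copy of the metadata.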

Reference

Examples

Externally specified certificate file

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
	certificateFile="${idp.home}/credentials/signer.pem"/>

Inline key

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
  <PublicKey>
    MIIBI.....
  </PublicKey>
</MetadataFilter>

Metadata Provider with inline trust engine

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>

Metadata Provider with inline trust engine with multiple validation credentials

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential_1" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer1.pem</security:Certificate>
        </security:Credential>
        <security:Credential id="SignerCredential_2" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer2.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>

PKIX signature validation with static trust anchors

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="VTSignerTrustEngine" xsi:type="security:StaticPKIXSignature">
        <security:TrustedName>shib</security:TrustedName>
        <security:ValidationInfo id="VTPKIXValidationInfo" xsi:type="security:PKIXResourceBacked">
            <security:Certificate>${idp.home}/credentials/vtmwca.pem</security:Certificate>
        </security:ValidationInfo>
    </security:TrustEngine>
</MetadataFilter>
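The one approach from the list in the Overview that the examples above do not show is the reference to an externally defined TrustEngine bean. The following is an added example, not from the original page: it assumes the engine is declared once in a Spring bean file such as conf/global.xml (the file location and the bean id are assumptions) and that the trustEngineRef attribute is used to point at it from each provider that must trust the same signer.

```xml
<!-- Added example: assumed bean id and file locations -->

<!-- In a Spring bean file (assumed: conf/global.xml), declare the engine once.
     Both credentials are accepted signers, which allows a signing key rollover
     without editing every provider definition. -->
<security:TrustEngine id="FederationSignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="FederationSignerCurrent" xsi:type="security:X509ResourceBacked">
        <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
    </security:Credential>
    <security:Credential id="FederationSignerNext" xsi:type="security:X509ResourceBacked">
        <security:Certificate>${idp.home}/credentials/signer-next.pem</security:Certificate>
    </security:Credential>
</security:TrustEngine>

<!-- In metadata-providers.xml, each provider references the shared engine by bean id
     instead of repeating the certificate list inline. -->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
    trustEngineRef="FederationSignerTrustEngine"/>
```

Keeping the trust anchors in one bean means a rollover of the federation's signing key is a single edit, and every provider that references the bean picks up the change on the next reload.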