Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
The SignatureValidation filter verifies that a metadata instance carries a valid XML Signature made with a trusted key. It is the linchpin of the security of most Shibboleth deployments: every decision the IdP makes about a relying party (its endpoints, its encryption keys, its entity attributes) rests on metadata that passed this filter, so a misconfigured or missing trust policy undermines everything downstream.
The "Sign and Expire" distribution model

In practice, a
There are four approaches to supplying a trust policy to the SignatureValidation filter:

- A pointer to a certificate file (the certificateFile attribute)
- A reference to an externally defined TrustEngine bean (the trustEngineRef attribute)
- An inline <PublicKey> element
- An inline <security:TrustEngine> element
Filter order is important! In the overall sequence of filters, a filter of type
One of the following two child elements may be configured. Their use conflicts with the
Certificate file:

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="${idp.home}/credentials/signer.pem"/>

Inline public key:

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
        <PublicKey>
            MIIBI.....
        </PublicKey>
    </MetadataFilter>

Inline trust engine with a single explicit key:

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
        <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
            <security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
                <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
            </security:Credential>
        </security:TrustEngine>
    </MetadataFilter>

Inline trust engine with two explicit keys (for example, to tolerate a signing key rollover):

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
        <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
            <security:Credential id="SignerCredential_1" xsi:type="security:X509ResourceBacked">
                <security:Certificate>${idp.home}/credentials/signer1.pem</security:Certificate>
            </security:Credential>
            <security:Credential id="SignerCredential_2" xsi:type="security:X509ResourceBacked">
                <security:Certificate>${idp.home}/credentials/signer2.pem</security:Certificate>
            </security:Credential>
        </security:TrustEngine>
    </MetadataFilter>

Inline PKIX trust engine (the signer's certificate must chain to the configured CA and carry the trusted name):

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
        <security:TrustEngine id="VTSignerTrustEngine" xsi:type="security:StaticPKIXSignature">
            <security:TrustedName>shib</security:TrustedName>
            <security:ValidationInfo id="VTPKIXValidationInfo" xsi:type="security:PKIXResourceBacked">
                <security:Certificate>${idp.home}/credentials/vtmwca.pem</security:Certificate>
            </security:ValidationInfo>
        </security:TrustEngine>
    </MetadataFilter>
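The four trust-policy sources above are mutually exclusive, and a filter with none of them (or with requireSignedRoot switched off) silently weakens the one check the deployment depends on. The following lint is an added example, not code from the Shibboleth project or from this page: it parses a metadata-providers.xml with the Python standard library and reports, per provider, filters that carry zero or more than one trust source, filters that set requireSignedRoot="false", and providers with no SignatureValidation filter at all. The configuration, provider ids and file paths embedded in it are constructed for the example.

```python
"""Lint the SignatureValidation filters in a Shibboleth IdP metadata-providers.xml.

Added example, not part of the Shibboleth project. Reports, for every
non-chaining MetadataProvider:
  * a SignatureValidation filter with no trust source at all
  * a filter with more than one of the four sources (certificateFile,
    trustEngineRef, inline <PublicKey>, inline <security:TrustEngine>)
  * a filter with requireSignedRoot explicitly set to "false"
  * a provider that has no SignatureValidation filter
The sample configuration at the bottom is constructed; its ids and paths are made up.
"""
import xml.etree.ElementTree as ET

NS_MD = "urn:mace:shibboleth:2.0:metadata"
NS_SEC = "urn:mace:shibboleth:2.0:security"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"

# The four mutually exclusive ways of handing the filter a trust policy.
TRUST_ATTRS = ("certificateFile", "trustEngineRef")
TRUST_CHILDREN = {
    "PublicKey": f"{{{NS_MD}}}PublicKey",
    "security:TrustEngine": f"{{{NS_SEC}}}TrustEngine",
}


def local_type(elem):
    """xsi:type with any namespace prefix stripped, e.g. 'SignatureValidation'."""
    return (elem.get(f"{{{NS_XSI}}}type") or "").split(":")[-1]


def lint_filter(flt):
    """Return the findings for one SignatureValidation filter element."""
    findings = []
    sources = [attr for attr in TRUST_ATTRS if flt.get(attr)]
    sources += [name for name, tag in TRUST_CHILDREN.items() if flt.find(tag) is not None]
    if not sources:
        findings.append("no trust policy: the filter has nothing to verify against")
    elif len(sources) > 1:
        findings.append("conflicting trust sources: " + ", ".join(sources))
    # requireSignedRoot defaults to true; only an explicit "false" is a finding.
    if flt.get("requireSignedRoot", "true").strip().lower() == "false":
        findings.append("requireSignedRoot=false: an unsigned root element is accepted")
    return findings


def lint_config(xml_text):
    """Map each non-chaining provider id to its list of findings (empty list = clean)."""
    root = ET.fromstring(xml_text)
    report = {}
    for prov in root.iter(f"{{{NS_MD}}}MetadataProvider"):
        if local_type(prov) == "ChainingMetadataProvider":
            continue  # a container; the filters live on its children
        sig_filters = [f for f in prov.findall(f"{{{NS_MD}}}MetadataFilter")
                       if local_type(f) == "SignatureValidation"]
        findings = [] if sig_filters else ["no SignatureValidation filter configured"]
        for f in sig_filters:
            findings.extend(lint_filter(f))
        report[prov.get("id", "<no id>")] = findings
    return report


# Constructed sample: one clean provider and three common mistakes.
SAMPLE_CONFIG = """<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <MetadataProvider id="GoodFed" xsi:type="FileBackedHTTPMetadataProvider"
      metadataURL="https://federation.example.org/metadata.xml"
      backingFile="/opt/shibboleth-idp/metadata/fed.xml">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="/opt/shibboleth-idp/credentials/signer.pem"/>
  </MetadataProvider>
  <MetadataProvider id="Conflicting" xsi:type="FileBackedHTTPMetadataProvider"
      metadataURL="https://federation.example.org/metadata.xml"
      backingFile="/opt/shibboleth-idp/metadata/fed2.xml">
    <MetadataFilter xsi:type="SignatureValidation"
        certificateFile="/opt/shibboleth-idp/credentials/signer.pem"
        trustEngineRef="SignerTrustEngine"/>
  </MetadataProvider>
  <MetadataProvider id="Unchecked" xsi:type="FilesystemMetadataProvider"
      metadataFile="/opt/shibboleth-idp/metadata/local.xml">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="false">
      <PublicKey>MIIBIjANBgkq</PublicKey>
    </MetadataFilter>
  </MetadataProvider>
  <MetadataProvider id="NoFilter" xsi:type="FileBackedHTTPMetadataProvider"
      metadataURL="https://partner.example.net/metadata.xml"
      backingFile="/opt/shibboleth-idp/metadata/partner.xml"/>
</MetadataProvider>
"""

if __name__ == "__main__":
    for provider_id, findings in lint_config(SAMPLE_CONFIG).items():
        print(provider_id, "OK" if not findings else "; ".join(findings))
```

To run it against a live deployment, replace SAMPLE_CONFIG with the contents of conf/metadata-providers.xml. The lint is deliberately static: it says nothing about whether the referenced certificate file exists or still matches the federation's current signing key, which is a separate check against the federation's published key material.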