The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.

In practice, a SignatureValidation filter and a RequiredValidUntil filter are often used together to securely obtain remote metadata via HTTP. See the FileBackedHTTPMetadataProvider and DynamicHTTPMetadataProvider topics for explicit configuration examples. Other distribution models are discussed in the TrustManagement topic.
There are four approaches to supplying the trust policy to the SignatureValidation filter:

- the certificateFile attribute
- the trustEngineRef attribute
- the <PublicKey> child element
- the <security:TrustEngine> child element

In the overall sequence of filters, a filter of type
The <MetadataFilter> element and the type SignatureValidation are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd. The <security:TrustEngine> element is defined in the urn:mace:shibboleth:2.0:security namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-security.xsd.
Name | Type | Default | Description
---|---|---|---
requireSignedRoot | Boolean | true | If true, metadata whose root XML element carries no signature fails to load.
 | Boolean | true | (DEPRECATED) Old version of requireSignedRoot.
certificateFile | File | | Path to a certificate file whose key is used to verify the signature.
 | Bean Reference | shibboleth.MetadataSignatureValidationStaticCriteria | The ID of an externally defined CriteriaSet used as input to the trust engine; not generally used.
 | Bean Reference | SAMLSignatureProfileValidator | The ID of an externally defined SignaturePrevalidator, used to pre-validate an XML Signature, for example to check that the signature conforms to a particular profile of XML Signature.
 | Bean Reference | BasicDynamicTrustedNamesStrategy | The ID of an externally defined Function<XMLObject, Set<String>> used to extract dynamic trusted names from signed metadata elements.
trustEngineRef | Bean Reference | | The ID of a <security:TrustEngine> defined elsewhere in the configuration. Conflicts with certificateFile and with both of the child elements.
One of the following two child elements may be configured. Their use conflicts with the certificateFile and trustEngineRef XML attributes.
Name | Description
---|---
<PublicKey> | A PEM-format public key. You can obtain a public key from a certificate using a command such as:
<security:TrustEngine> | A trust engine plugin that defines how the signature is to be checked.
```xml
<!-- Trust policy supplied via the certificateFile attribute -->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
    certificateFile="${idp.home}/credentials/signer.pem"/>
```

```xml
<!-- Trust policy supplied via the <PublicKey> child element -->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <PublicKey>
        MIIBI.....
    </PublicKey>
</MetadataFilter>
```

```xml
<!-- Inline explicit-key trust engine backed by a single certificate -->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>
```

```xml
<!-- Inline explicit-key trust engine that accepts either of two signing certificates -->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential_1" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer1.pem</security:Certificate>
        </security:Credential>
        <security:Credential id="SignerCredential_2" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer2.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>
```

```xml
<!-- Inline PKIX trust engine: a CA certificate plus a trusted name the signer's certificate must match -->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="VTSignerTrustEngine" xsi:type="security:StaticPKIXSignature">
        <security:TrustedName>shib</security:TrustedName>
        <security:ValidationInfo id="VTPKIXValidationInfo" xsi:type="security:PKIXResourceBacked">
            <security:Certificate>${idp.home}/credentials/vtmwca.pem</security:Certificate>
        </security:ValidationInfo>
    </security:TrustEngine>
</MetadataFilter>
```
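Every example above sets requireSignedRoot="true". The following added example (not code from the Shibboleth project or its documentation) shows, in Python with only the standard library, the structural pre-check that this setting and a SAML signature-profile prevalidator impose before the trust engine does any cryptography: the ds:Signature must be a direct child of the root element and its single ds:Reference must point at that root, not at a nested EntityDescriptor. The function and helper names (root_signature_issues, _sample) and the sample aggregates are constructed for this example; no cryptographic verification is performed.

```python
# Added example, not code from the Shibboleth project. Mirrors the structural
# pre-check behind requireSignedRoot="true" plus a SAML signature-profile
# prevalidator: the aggregate's ROOT element must carry an enveloped ds:Signature
# whose single ds:Reference points at that root. No cryptography is done here.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def root_signature_issues(xml_text):
    """Return a list of problems; an empty list means the root is signed in a
    form the SignatureValidation filter could go on to verify."""
    root = ET.fromstring(xml_text)
    # Only a DIRECT child of the root counts: a signature on a nested
    # EntityDescriptor does not protect the aggregate as a whole.
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return ["root element has no ds:Signature child (requireSignedRoot)"]
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return [f"expected exactly one ds:Reference, found {len(refs)}"]
    issues = []
    # A same-document reference is "" or "#" followed by the root's ID.
    allowed = {""} | ({"#" + root.get("ID")} if root.get("ID") else set())
    uri = refs[0].get("URI", "")
    if uri not in allowed:
        issues.append(f"ds:Reference URI {uri!r} does not point at the root")
    algs = [t.get("Algorithm") for t in refs[0].iter(f"{{{DS}}}Transform")]
    if ENVELOPED not in algs:
        issues.append("ds:Reference lacks the enveloped-signature transform")
    return issues


def _sample(root_id, sig_in_root, ref_uri):
    """Build a constructed aggregate (signature value is a placeholder)."""
    sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{ref_uri}">'
           f'<ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/>'
           '</ds:Transforms></ds:Reference></ds:SignedInfo>'
           '<ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>')
    return (f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" ID="{root_id}">'
            + (sig if sig_in_root else "")
            + '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth" ID="_e1">'
            + ("" if sig_in_root else sig) + "</md:EntityDescriptor></md:EntitiesDescriptor>")


SIGNED_ROOT = _sample("_agg", True, "#_agg")   # passes the pre-check
INNER_ONLY = _sample("_agg", False, "#_e1")    # only the entity is signed: rejected
WRONG_REF = _sample("_agg", True, "#_e1")      # root signature covers the wrong element
```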