Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.
In practice, a SignatureValidation filter and a RequiredValidUntil filter are often used together to securely obtain remote metadata via HTTP. See the FileBackedHTTPMetadataProvider and DynamicHTTPMetadataProvider topics for explicit configuration examples. Other distribution models are discussed in the TrustManagement topic.
There are four approaches to supplying a trust policy to the SignatureValidation filter:
<PublicKey> element
<security:TrustEngine> element
In the overall sequence of filters, a filter of type
One of the following two child elements may be configured. Their use conflicts with the
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
    certificateFile="${idp.home}/credentials/signer.pem"/>

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <PublicKey>
        MIIBI.....
    </PublicKey>
</MetadataFilter>

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential_1" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer1.pem</security:Certificate>
        </security:Credential>
        <security:Credential id="SignerCredential_2" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer2.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="VTSignerTrustEngine" xsi:type="security:StaticPKIXSignature">
        <security:TrustedName>shib</security:TrustedName>
        <security:ValidationInfo id="VTPKIXValidationInfo" xsi:type="security:PKIXResourceBacked">
            <security:Certificate>${idp.home}/credentials/vtmwca.pem</security:Certificate>
        </security:ValidationInfo>
    </security:TrustEngine>
</MetadataFilter>
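As an added example (not taken from this page or from the Shibboleth project's own documentation), the pairing described above: a SignatureValidation filter chained with a RequiredValidUntil filter inside a FileBackedHTTPMetadataProvider, so that remote metadata is rejected unless its signature verifies against the pinned signer certificate and it also carries a validUntil within an acceptable window. The metadata URL, the backing file path, the signer certificate path and the 14-day interval are assumed placeholder values; the metadataURL, backingFile and maxValidityInterval attribute names come from the IdP metadata-provider schema rather than from this page.

```xml
<!-- Added example: a remote metadata source protected by both filters.
     URL, paths and interval below are assumed placeholder values. -->
<MetadataProvider id="ExampleFederationMetadata"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  xmlns:security="urn:mace:shibboleth:2.0:security"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  metadataURL="https://federation.example.org/metadata/aggregate.xml"
                  backingFile="${idp.home}/metadata/example-federation-aggregate.xml">

    <!-- First line of defence: the aggregate must be signed at its root
         element, and the signature must verify against the pinned signer
         certificate. Transport security (HTTPS) is not what protects the
         metadata; this filter is. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    requireSignedRoot="true"
                    certificateFile="${idp.home}/credentials/example-federation-signer.pem"/>

    <!-- Second line of defence: a valid signature on stale metadata is not
         enough. Every EntitiesDescriptor/EntityDescriptor must carry a
         validUntil attribute no more than 14 days in the future, which bounds
         how long a captured-and-replayed aggregate stays usable. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

</MetadataProvider>
```

The filters run in document order, so a signature failure short-circuits before the validity check; reversing them would still reject bad metadata but would spend the validUntil check on unauthenticated input.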