The Shibboleth IdP V4 software will leave support on September 1, 2024.
SignatureValidationFilter
Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
Overview
The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.
The "Sign and Expire" distribution model
In practice, a SignatureValidation filter and a https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631652 filter are often used together to securely obtain remote metadata via HTTP. See the https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631639 and https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631638 topics for explicit configuration examples. Other distribution models are discussed in the topic.
There are four approaches to supplying a trust policy to the SignatureValidation filter:
A pointer to a certificate file
A reference to an externally defined TrustEngine bean
An inline <PublicKey> element
An inline <security:TrustEngine> element
Filter order is important!
In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance. The signature covers the metadata exactly as the publisher signed it, so a filter that changes the instance before verification runs breaks the check. Examples of the latter include , , , and .
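The "Sign and Expire" pattern and the filter ordering rule above, put together in one complete metadata-providers.xml. This is an added example for this page, not configuration from the Shibboleth project; the metadata URL, provider id, file names and the 14-day validity bound are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original page): a complete
     metadata-providers.xml showing the "Sign and Expire" pattern.
     The URL, file names and interval values below are assumptions. -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <!-- Remote federation aggregate, cached on disk so the IdP can start
         even when the federation's web server is unreachable. -->
    <MetadataProvider id="ExampleFederation" xsi:type="FileBackedHTTPMetadataProvider"
        metadataURL="https://md.example.org/aggregate-metadata.xml"
        backingFile="${idp.home}/metadata/example-federation.xml"
        maxRefreshDelay="PT4H">

        <!-- 1. Sign: verify the signature first, on the document exactly as
             received. requireSignedRoot="true" rejects an aggregate whose
             root element carries no signature instead of passing it through. -->
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="${idp.home}/credentials/example-federation-signer.pem"/>

        <!-- 2. Expire: reject metadata with no validUntil, or with a validUntil
             more than 14 days out, so an old aggregate that still carries a
             valid signature cannot be replayed to the IdP indefinitely. -->
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

        <!-- 3. Only now alter the instance: keep SP roles, drop everything else.
             Placing this filter above SignatureValidation would change the
             document before its signature is checked. -->
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
</MetadataProvider>
```

The order of the three filters is the point: signature verification runs against the unmodified aggregate, the validity bound then limits how long a correctly signed but stale copy can be accepted, and only after both checks pass does a modifying filter such as EntityRoleWhiteList touch the instance. Swapping step 3 ahead of step 1 is the ordering mistake the section above warns about.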
Reference
Examples
Externally specified certificate file
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="${idp.home}/credentials/signer.pem"/>
Inline key
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
<PublicKey>
MIIBI.....
</PublicKey>
</MetadataFilter>
Metadata Provider with inline trust engine
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
<security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
<security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
</security:Credential>
</security:TrustEngine>
</MetadataFilter>