SignatureValidationFilter
Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
Overview
The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key. It is the linchpin of the security of most Shibboleth deployments: everything the IdP later believes about the entities described in the metadata rests on this check.
The "Sign and Expire" distribution model
In practice, a SignatureValidation filter and a https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631652 filter are often used together to securely obtain remote metadata via HTTP: the signature binds the metadata to a trusted publisher, and the expiry bound limits how long a stale or replayed copy remains acceptable. See the https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631639 and https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631638 topics for explicit configuration examples. Other distribution models are discussed in the https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645130 topic.
There are four approaches to supplying a trust policy to the SignatureValidation filter:
- A pointer to a certificate file
- A reference to an externally defined TrustEngine bean
- An inline <PublicKey> element
- An inline <security:TrustEngine> element
Filter order is important!
In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance. Validating first ensures that later filters only ever act on content whose origin has been verified, and a filter that changed the document before validation would also break the signature over it. Examples of filters that alter the instance include https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631645, https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631646, https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631650, and https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631651.
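The following is an added illustration, not Shibboleth or OpenSAML code, of the structural property that the filter's requireSignedRoot="true" setting enforces: the signature must sit on the root element of the metadata document and reference that root, not merely a nested <EntityDescriptor> that anyone could wrap in an unsigned aggregate of their own. It uses only the Python standard library and deliberately stops short of cryptographic verification, which is the job of the IdP's trust engine; the three metadata documents are constructed samples with placeholder digest and signature values.

```python
"""Structural pre-check for signed SAML metadata (added example, not Shibboleth code).

Checks *where* the ds:Signature sits and *what* its Reference points at. It does
not verify the SignatureValue; a trust engine with a trusted key does that.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = f"{{{DS}}}Signature"


def signed_root_check(xml_text):
    """Return (ok, reason). ok is True only when the root element carries a
    ds:Signature whose single Reference covers that same root element."""
    root = ET.fromstring(xml_text)
    sig = next((c for c in root if c.tag == SIG_TAG), None)
    if sig is None:
        return False, "no ds:Signature directly under the root element"
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return False, f"expected one ds:Reference, found {len(refs)}"
    uri = refs[0].get("URI", "")
    if uri == "":
        # An empty URI is the XML Signature idiom for "the whole document".
        return True, "empty Reference URI: the whole document is signed"
    root_id = root.get("ID")
    if root_id is None or uri != "#" + root_id:
        return False, f"Reference {uri!r} does not point at the root (ID={root_id!r})"
    # An ID reused on a nested element would make the reference ambiguous.
    dupes = [e for e in root.iter() if e.get("ID") == root_id]
    if len(dupes) != 1:
        return False, f"root ID {root_id!r} is reused by {len(dupes) - 1} nested element(s)"
    return True, "root element is the signed element"


# Constructed sample: the root EntitiesDescriptor itself is signed.
SIGNED_ROOT = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" ID="_agg1" Name="example-federation">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_agg1"><ds:DigestValue>constructed</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</md:EntitiesDescriptor>"""

# Constructed sample: only a nested EntityDescriptor is signed; the unsigned
# aggregate around it could have been assembled by anyone.
NESTED_ONLY = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" Name="assembled-by-unknown-party">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth" ID="_sp1">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_sp1"><ds:DigestValue>constructed</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>constructed</ds:SignatureValue>
    </ds:Signature>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed sample: a Signature element is present under the root, but its
# Reference covers a nested element rather than the root.
MISPOINTED = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" ID="_agg2" Name="example-federation">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_sp1"><ds:DigestValue>constructed</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth" ID="_sp1"/>
</md:EntitiesDescriptor>"""


if __name__ == "__main__":
    for name, doc in [("signed root", SIGNED_ROOT), ("nested only", NESTED_ONLY), ("mispointed", MISPOINTED)]:
        ok, reason = signed_root_check(doc)
        print(f"{name:12s} -> {'accept' if ok else 'reject'}: {reason}")
```

Only the first document passes; the second has no signature on the root at all, and the third has one whose Reference points at a nested element, so neither should be accepted by a deployment that requires a signed root.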
Reference
Examples
Every example below sets requireSignedRoot="true", which makes the filter insist that the signature be on the root element of the metadata document; a signature on a nested <EntityDescriptor> alone does not satisfy it.
Externally specified certificate file
<!-- Only signatures verifiable with the key in signer.pem are trusted -->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
    certificateFile="${idp.home}/credentials/signer.pem"/>
Inline key
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <PublicKey>
        MIIBI.....
    </PublicKey>
</MetadataFilter>
Metadata Provider with inline trust engine
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>
Metadata Provider with inline trust engine with multiple validation credentials
<!-- A signature made with the key of either credential is accepted; useful during a signing-key rollover -->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential_1" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer1.pem</security:Certificate>
        </security:Credential>
        <security:Credential id="SignerCredential_2" xsi:type="security:X509ResourceBacked">
            <security:Certificate>${idp.home}/credentials/signer2.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>
PKIX signature validation with static trust anchors
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="VTSignerTrustEngine" xsi:type="security:StaticPKIXSignature">
        <!-- Name the signing certificate must carry; vtmwca.pem is the CA that must have issued it -->
        <security:TrustedName>shib</security:TrustedName>
        <security:ValidationInfo id="VTPKIXValidationInfo" xsi:type="security:PKIXResourceBacked">
            <security:Certificate>${idp.home}/credentials/vtmwca.pem</security:Certificate>
        </security:ValidationInfo>
    </security:TrustEngine>
</MetadataFilter>
With a PKIX trust engine the signing certificate is accepted if it chains to the trust anchor in vtmwca.pem and carries the configured <security:TrustedName>. This trusts every certificate that CA issues with that name, so it is a weaker policy than the explicit-key examples above unless the CA is tightly controlled by the metadata publisher.