{"type":"doc","content":[{"type":"paragraph","content":[{"text":"In a nutshell, current best practices for the management of SAML metadata include the following specific recommendations:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Use ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631640"}},{"text":" or ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631642"}},{"text":" for local metadata","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Use ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631639"}},{"text":" or ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631638"}},{"text":" for remote metadata","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Use entity attributes to drive automated relying party configuration (this is called a metadata-driven configuration)","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"In addition, consider using one or more ","type":"text"},{"text":"MetadataFilter ","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631643"}}]},{"text":"plugins to secure or optimize your configuration; for example the ","type":"text"},{"text":"SchemaValidationFilter","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631653"}}]},{"text":" to ensure your metadata has no obvious errors in it, or the ","type":"text"},{"text":"EntityRoleFilter","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631646"}}]},{"text":" to decrease the memory use of the loaded metadata.","type":"text"}]},{"type":"paragraph","content":[{"text":"The following sections expand on these best practices from the perspective of an IdP deployer.","type":"text"}]},{"type":"paragraph","content":[{"text":"Contents","type":"text","marks":[{"type":"strong"}]}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"ae3e534a-3d15-46a1-adb6-26a38b434bb5"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"0344c328-69f6-49f2-a69b-237d803ad941"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Local Metadata","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"paragraph","content":[{"text":"From an IdP perspective, the term local metadata refers to SP metadata under direct control of the IdP operator. More often than not, local metadata is sourced via email or downloaded from a partner web site by clicking a link on a protected web page. Typically local metadata does not expire. Metadata with an expiration date must be refreshed, whereas local metadata is a static resource by definition.","type":"text"}]},{"type":"paragraph","content":[{"text":"There are two basic approaches to local metadata management:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Load metadata in a background thread (using ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631640"}},{"text":" )","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Load metadata just-in-time as needed (using ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631642"}},{"text":" )","type":"text"}]}]}]},{"type":"panel","attrs":{"panelType":"success"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Store the primary source files off-IdP","type":"text"}]},{"type":"paragraph","content":[{"text":"Although metadata is retrieved from the local IdP filesystem, the primary source files need not be stored on the IdP itself. The files can be stored elsewhere and then pushed to the IdP as needed. Command-line tools such as ","type":"text"},{"text":"rcp","type":"text","marks":[{"type":"code"}]},{"text":" or ","type":"text"},{"text":"rsync","type":"text","marks":[{"type":"code"}]},{"text":" work well for this purpose.","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"FilesystemMetadataProvider","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"paragraph","content":[{"text":"Perhaps the simplest way to manage local metadata is to configure one or more metadata providers of type ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631640"}},{"text":" . As its name implies, a ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631640"}},{"text":" loads (and periodically reloads) metadata from the file system. It does this in a background thread, so that the load operation is invisible to the end user. A simple example follows:","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"include","parameters":{"macroParams":{"":{"value":"FilesystemMetadataProviderExample"}},"macroMetadata":{"macroId":{"value":"514a0266-bce9-4b96-8777-2f53ee9f24b6"},"schemaVersion":{"value":"1"},"title":"Include Page"}},"localId":"2271b536-d578-4145-9007-e755a8ec1501"}},{"type":"paragraph","content":[{"text":"See the ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631640"}},{"text":" topic for more information.","type":"text"}]},{"type":"paragraph","content":[{"text":"For IdP deployments with few SP partners, using ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631640"}},{"text":" for local metadata is simple and straightforward. However, since each metadata provider must be configured separately, eventually this approach becomes unmanageable. A more scalable approach leverages a single ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631642"}},{"text":" as discussed in the next section.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"LocalDynamicMetadataProvider","type":"text"}]},{"type":"paragraph","content":[{"text":"Using a ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631642"}},{"text":" , local metadata is made available to the IdP by simply dropping an entity descriptor into a system directory called the ","type":"text"},{"text":"sourceDirectory","type":"text","marks":[{"type":"code"}]},{"text":". Unlike ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631640"}},{"text":" , no system restart is required when a file is added to (or removed from) the ","type":"text"},{"text":"sourceDirectory","type":"text","marks":[{"type":"code"}]},{"text":". A ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631642"}},{"text":" dynamically resolves metadata from the ","type":"text"},{"text":"sourceDirectory","type":"text","marks":[{"type":"code"}]},{"text":" based on the ","type":"text"},{"text":"entityID","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"There is, however, some administrative overhead associated with a ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631642"}},{"text":" . First, the files in the ","type":"text"},{"text":"sourceDirectory","type":"text","marks":[{"type":"code"}]},{"text":" must be kept current. In particular, existing files must be updated or removed. Second, and more importantly, the files in the ","type":"text"},{"text":"sourceDirectory","type":"text","marks":[{"type":"code"}]},{"text":" must be suitably named so that the provider can easily resolve entity metadata as needed. These file operations require tools, either command-line tools or a GUI, neither of which is included with the Shibboleth IdP software.","type":"text"}]},{"type":"paragraph","content":[{"text":"See the ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631642"}},{"text":" topic for more information.","type":"text"}]},{"type":"panel","attrs":{"panelType":"success"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Commit the metadata files to a source repository","type":"text"}]},{"type":"paragraph","content":[{"text":"Whether you use ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631640"}},{"text":" or ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631642"}},{"text":" , commit the metadata source files to a source repository (such as GitHub). This maintains a history of local metadata and encourages collaborative efforts among multiple system administrators.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Remote Metadata","type":"text"}]},{"type":"paragraph","content":[{"text":"Remote metadata is loaded from a remote source via an HTTP metadata provider. There are two basic approaches:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Out-of-band ","type":"text"},{"text":"metadata refresh","type":"text","marks":[{"type":"em"}]},{"text":" (using ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631639"}},{"text":")","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In-band ","type":"text"},{"text":"metadata query","type":"text","marks":[{"type":"em"}]},{"text":" (using ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631638"}},{"text":" )","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Metadata refresh and metadata query are commonly used to consume metadata published by a trusted third party called a Federation. There are more than 50 recognized Federations in the R&E sector worldwide. Consult the ","type":"text"},{"text":"eduGAIN technical site","type":"text","marks":[{"type":"link","attrs":{"href":"https://technical.edugain.org/"}}]},{"text":" for an up-to-date list.","type":"text"}]},{"type":"panel","attrs":{"panelType":"success"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Join a Federation","type":"text"}]},{"type":"paragraph","content":[{"text":"Join a Federation that fully participates in eduGAIN. When you register your IdP metadata, it is distributed worldwide via the eduGAIN network, which optimizes interoperability.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"SAML metadata contains the public keys of federation partners, and so the distribution of metadata constitutes a public key infrastructure (PKI) for SAML deployments.","type":"text"}]},{"type":"panel","attrs":{"panelType":"error"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Trust your metadata sources!","type":"text"}]},{"type":"paragraph","content":[{"text":"Remote metadata must be trusted. Do not blindly load remote metadata from untrusted sources. See the ","type":"text"},{"text":"TrustManagement","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/CONCEPT/pages/928645130"}}]},{"text":" topic for more information, especially the section on Metadata Distribution and Verification.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"To obtain the latest set of trusted public keys, metadata must be kept current. To encourage reloading, remote metadata has an expiration date (","type":"text"},{"text":"@validUntil","type":"text","marks":[{"type":"code"}]},{"text":") and/or a cache directive (","type":"text"},{"text":"@cacheDuration","type":"text","marks":[{"type":"code"}]},{"text":"). The latter is merely a hint but metadata expiration is absolute, so monitor your remote sources carefully.","type":"text"}]},{"type":"panel","attrs":{"panelType":"error"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Ensure remote metadata does not expire!","type":"text"}]},{"type":"paragraph","content":[{"text":"By default, metadata that exceeds its expiration date will not be loaded by the Shibboleth metadata resolver.","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"FileBackedHTTPMetadataProvider","type":"text"}]},{"type":"paragraph","content":[{"text":"A ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631639"}},{"text":" will load (and periodically reload) a metadata file from an HTTP server in the background. The metadata file may contain a single entity (","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":") or multiple entities (","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":"). The latter is more common.","type":"text"}]},{"type":"paragraph","content":[{"text":"A typical use case involves a signed metadata aggregate (","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":") published by a Federation. In this section, we show how to use a metadata provider of type ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631639"}},{"text":" to load the aggregate.","type":"text"}]},{"type":"panel","attrs":{"panelType":"success"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Consult your federation operator","type":"text"}]},{"type":"paragraph","content":[{"text":"Ask your federation operator how best to configure a metadata provider of type ","type":"text"},{"text":"FileBackedHTTPMetadataProvider","type":"text","marks":[{"type":"code"}]},{"text":". First determine the HTTP location of the metadata file, Then ask about the recommended values of the ","type":"text"},{"text":"minRefreshDelay","type":"text","marks":[{"type":"code"}]},{"text":" attribute (default: ","type":"text"},{"text":"PT30S","type":"text","marks":[{"type":"code"}]},{"text":") and the ","type":"text"},{"text":"maxRefreshDelay","type":"text","marks":[{"type":"code"}]},{"text":" attribute (default: ","type":"text"},{"text":"PT4H","type":"text","marks":[{"type":"code"}]},{"text":").","type":"text"}]}]},{"type":"paragraph","content":[{"text":"For illustration, let's assume that: (1) the top-level ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element of the XML document is signed; (2) the top-level ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element of the XML document is decorated with a ","type":"text"},{"text":"validUntil","type":"text","marks":[{"type":"code"}]},{"text":" attribute; (3) the validity interval is two weeks (","type":"text"},{"text":"P14D","type":"text","marks":[{"type":"code"}]},{"text":") in duration; and (4) the server supports HTTP conditional GET. The sample metadata provider shown below retrieves the metadata, verifies the signature, and checks the expiration date before loading the metadata into IdP memory:","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"include","parameters":{"macroParams":{"":{"value":"RemoteMetadataAggregateExample"}},"macroMetadata":{"macroId":{"value":"e8c619b6-1488-4432-a06f-84a98afe47ae"},"schemaVersion":{"value":"1"},"title":"Include Page"}},"localId":"c0c15090-ce1a-438b-b478-f6c898d8886a"}},{"type":"paragraph","content":[{"text":"See the ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631639"}},{"text":" topic for more information.","type":"text"}]},{"type":"paragraph","content":[{"text":"Metadata aggregates may be arbitrarily large. Although the ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631639"}},{"text":" loads metadata in the background, parsed metadata objects are stored in memory for efficiency. Therefore sufficient memory must be available to accommodate the entire aggregate. Obviously, a large aggregate will have significant memory requirements. A more efficient approach leverages a ","type":"text"},{"text":"DynamicHTTPMetadataProvider","type":"text","marks":[{"type":"code"}]},{"text":" as discussed in the next section.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"DynamicHTTPMetadataProvider","type":"text"}]},{"type":"paragraph","content":[{"text":"In contrast to ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631639"}},{"text":" , a ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631638"}},{"text":" fetches entity metadata just-in-time from a remote HTTP server. Since the provider loads only the metadata that is actually needed, the space requirements of a ","type":"text"},{"text":"DynamicHTTPMetadataProvider","type":"text","marks":[{"type":"code"}]},{"text":" are optimal. OTOH, since dynamic metadata query occurs in-band, the SAML protocol exchange is blocked until metadata is successfully retrieved from the query server and processed by the IdP.","type":"text"}]},{"type":"paragraph","content":[{"text":"An instance of ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631638"}},{"text":" essentially maps an ","type":"text"},{"text":"entityID","type":"text","marks":[{"type":"code"}]},{"text":" to a request URL based on a profile such as the ","type":"text"},{"text":"SAML Profile for the Metadata Query Protocol","type":"text","marks":[{"type":"link","attrs":{"href":"https://datatracker.ietf.org/doc/draft-young-md-query-saml/"}}]},{"text":", which itself is based on the more general ","type":"text"},{"text":"Metadata Query Protocol","type":"text","marks":[{"type":"link","attrs":{"href":"https://datatracker.ietf.org/doc/draft-young-md-query/"}}]},{"text":" specification. When queried, the server returns entity metadata (","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":") for the ","type":"text"},{"text":"entityID","type":"text","marks":[{"type":"code"}]},{"text":" encoded in the request URL.","type":"text"}]},{"type":"panel","attrs":{"panelType":"success"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Consult your federation operator","type":"text"}]},{"type":"paragraph","content":[{"text":"Ask your federation operator how best to configure a metadata provider of type ","type":"text"},{"text":"DynamicHTTPMetadataProvider","type":"text","marks":[{"type":"code"}]},{"text":". First determine the base URL of the MDQ server, Then ask about the recommended values of the ","type":"text"},{"text":"minCacheDuration","type":"text","marks":[{"type":"code"}]},{"text":" attribute (default: ","type":"text"},{"text":"PT10M","type":"text","marks":[{"type":"code"}]},{"text":") and the ","type":"text"},{"text":"maxCacheDuration","type":"text","marks":[{"type":"code"}]},{"text":" attribute (default: ","type":"text"},{"text":"PT8H","type":"text","marks":[{"type":"code"}]},{"text":"). Finally, ask how best to configure the provider to mitigate the risk of an MDQ server that is unreachable or non-responsive.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"For illustration, let's assume that: (1) the top-level ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element of the XML document is signed; (2) the top-level ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element of the XML document is decorated with a ","type":"text"},{"text":"validUntil","type":"text","marks":[{"type":"code"}]},{"text":" attribute; (3) the validity interval is two weeks (","type":"text"},{"text":"P14D","type":"text","marks":[{"type":"code"}]},{"text":") in duration; and (4) the server conforms to the Metadata Query Protocol specification. The sample metadata provider shown below retrieves the metadata, verifies the signature, and checks the expiration date before loading the metadata into IdP memory:","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"include","parameters":{"macroParams":{"":{"value":"MetadataQueryProtocolExample"}},"macroMetadata":{"macroId":{"value":"3f608d89-a5a0-467c-ac31-0d24d0feec28"},"schemaVersion":{"value":"1"},"title":"Include Page"}},"localId":"1db811e3-fbad-443c-b2bf-1e9d778cb6ee"}},{"type":"paragraph","content":[{"text":"See the ","type":"text"},{"text":"DynamicHTTPMetadataProvider","type":"text","marks":[{"type":"code"},{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631638"}}]},{"text":" topic for more information.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Metadata-Driven Configuration","type":"text"}]},{"type":"paragraph","content":[{"text":"The goal of ","type":"text"},{"text":"metadata-driven configuration is the ability to integrate with a new partner on the basis of metadata alone","type":"text","marks":[{"type":"em"}]},{"text":", preferably without touching the IdP configuration files. The first step towards achieving a 100% metadata-driven configuration is to configure a ","type":"text"},{"text":"LocalDynamicMetadataProvider","type":"text","marks":[{"type":"code"}]},{"text":" for local metadata. This is a one-time configuration. Thereafter, entity metadata is added to (or removed from) the ","type":"text"},{"text":"sourceDirectory","type":"text","marks":[{"type":"code"}]},{"text":" as described above. No additional configuration for local metadata is necessary.","type":"text"}]},{"type":"paragraph","content":[{"text":"The next step is to use entity attributes to drive special relying party configurations. The use of entity attributes is the hallmark of a metadata-driven configuration.","type":"text"}]},{"type":"paragraph","content":[{"text":"The following table refers to some of the more common entity attributes. For more information, search the wiki on the ","type":"text"},{"text":"@Name","type":"text","marks":[{"type":"code"}]},{"text":" suffix shown in the table (which is also the corresponding Spring Java bean property name).","type":"text"}]},{"type":"table","attrs":{"layout":"full-width","localId":"ded2c471-d86d-4a17-ae8e-30f15935aab3"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"@Name suffix","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"text":"@xsi:type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"assertionAudiences","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"One or more ","type":"text"},{"text":"Audience","type":"text","marks":[{"type":"code"}]},{"text":" values to add to the assertion (bug workaround)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"defaultAuthenticationMethods","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"If the relying party does not ask for a particular ","type":"text"},{"text":"RequestedAuthnContext","type":"text","marks":[{"type":"code"}]},{"text":", attempt these login flow(s) in the order listed","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"disallowedFeatures","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"A profile-specific bitmask of features to disallow","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"encryptAssertions","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"text":"xsd:boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"If set to false, the ","type":"text"},{"text":"Assertion","type":"text","marks":[{"type":"code"}]},{"text":" is not encrypted","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"encryptNameIDs ","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"text":"xsd:boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"If set to false, the ","type":"text"},{"text":"NameID","type":"text","marks":[{"type":"code"}]},{"text":" is not encrypted","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"includeConditionsNotBefore","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"text":"xsd:boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"If set to false, omit the ","type":"text"},{"text":"NotBefore","type":"text","marks":[{"type":"code"}]},{"text":" attribute on the assertion (bug workaround)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"nameIDFormatPrecedence","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"Override any ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" elements in metadata","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"postAuthenticationFlows","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"Enable post-authn flows such as attribute consent and authorization checking","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"activationCondition","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"Enable profiles that are disabled by default (such as SAML1 SSO)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"signAssertions","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"text":"xsd:boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"If true, sign assertions (often used in conjunction with ","type":"text"},{"text":"signResponses","type":"text","marks":[{"type":"code"}]},{"text":")","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"signResponses","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph","content":[{"text":"xsd:boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"If false, do not sign responses (often used in conjunction with ","type":"text"},{"text":"signAssertions","type":"text","marks":[{"type":"code"}]},{"text":")","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"securityConfiguration","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[148.0]},"content":[{"type":"paragraph"}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[1070.0]},"content":[{"type":"paragraph","content":[{"text":"Configure a specific signing algorithm (e.g., enable SHA-1 on a per-RP basis)","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"The following examples briefly illustrate the technique. See the ","type":"text"},{"text":"MetadataDrivenConfiguration","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP4/pages/1265631679"}}]},{"text":" topic for numerous additional examples.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Entity Attributes and Local Metadata","type":"text"}]},{"type":"paragraph","content":[{"text":"Suppose you want to integrate with an SP that does not support the SHA-2 family of digest methods typically used by default with XML signature. To enable SHA-1 for that particular SP, add this entity attribute to its metadata before dropping it into the ","type":"text"},{"text":"sourceDirectory","type":"text","marks":[{"type":"code"}]},{"text":":","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Add an entity attribute to local metadata","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n shibboleth.SecurityConfiguration.SHA1\n \n \n","type":"text"}]},{"type":"paragraph","content":[{"text":"Adding entity attributes to local metadata is straightforward since the IdP operator has complete control over the metadata. The next section shows how to add an entity attribute to remote metadata on-the-fly.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Entity Attributes and Remote Metadata","type":"text"}]},{"type":"paragraph","content":[{"text":"The following technique may be applied to any HTTP metadata provider (either a ","type":"text"},{"text":"DynamicHTTPMetadataProvider","type":"text","marks":[{"type":"code"}]},{"text":" or a ","type":"text"},{"text":"FileBackedHTTPMetadataProvider","type":"text","marks":[{"type":"code"}]},{"text":").","type":"text"}]},{"type":"paragraph","content":[{"text":"Suppose SP metadata is published in a remote metadata source (such as Federation metadata). It may turn out that the SP does not fully support XML encryption despite the fact that its published metadata includes an encryption certificate. To disable encryption for that particular SP, add the following child element to the relevant HTTP metadata provider:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Add an entity attribute to remote metadata","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n false\n \n https://sp.example1.org\n https://sp.example2.org\n https://sp.example3.org\n","type":"text"}]},{"type":"paragraph","content":[{"text":"The content of the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element is the ","type":"text"},{"text":"entityID","type":"text","marks":[{"type":"code"}]},{"text":" of the SP in question. Additional ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" elements may be specified, one for each SP that does not fully support XML encryption, as illustrated in the above example.","type":"text"}]}],"version":1}

Browser not supported