SignatureValidationFilter

Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

1 Overview
2 Reference
3 Examples

Overview

The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.

The "Sign and Expire" distribution model

In practice, a SignatureValidation filter and a https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199507322 filter are often used together to securely obtain remote metadata via HTTP. See the https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199506865 and https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199506816 topics for explicit configuration examples. Other distribution models are discussed in the https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645130 topic, but in practice none are effective or useful.

There are four approaches to supplying a trust policy to the SignatureValidation filter:

A pointer to a certificate file
A reference to an externally defined TrustEngine bean
An inline <PublicKey> element
An inline <security:TrustEngine> element

Filter order is important!

In the overall sequence of filters, a filter of type SignatureValidation must appear before any filter that alters the metadata instance. Examples of the latter include https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199507147, https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199507218, https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199507246, and https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199507287 .

Reference

Name / Default	Type	Default	Description

Name / Default	Type	Default	Description
requireSignedRoot	Boolean	true	If true, this fails to load metadata with no signature on the root XML element.
alwaysVerifyTrustedSource	Boolean	false	If true, the root signature of the metadata currently being processed will always be verified. If false, then the root signature will be verified unless the metadata source is "trusted", defined as: The backup file of a `FileBackedHTTPMetadataProvider`
certificateFile	File pathname		Path to a certificate file whose key is used to verify the signature. Conflicts with `trustEngineRef` and both allowable child elements.
trustEngineRef	Bean ID of a TrustEngine		Bean ID of a `<security:TrustEngine>` defined somewhere else in the configuration. Conflicts with `certificateFile` and both allowable child elements.
defaultCriteriaRef	Bean ID of CriteriaSet	Internal bean	(ADVANCED, not generally needed) Bean ID of an externally defined CriteriaSet used as input the to the trust engine
signaturePrevalidatorRef	Bean ID of SignaturePrevalidator	SAMLSignatureProfileValidator	(ADVANCED, not generally needed) Bean ID of an externally defined SignaturePrevalidator. Used to perform pre-validation of an XML Signature, for example to validate that the signature conforms to a particular profile of XML Signature.
dynamicTrustedNamesStrategyRef	Bean ID (see desc)	BasicDynamicTrustedNamesStrategy	(ADVANCED, not generally needed) Bean ID of an externally defined Function<XMLObject, Set<String>>. This will be used to extract dynamic trusted names from signed metadata elements.

One of the following two child elements may be configured. Their use conflicts with the certificateFile and trustEngineRef XML attributes.

Name	Description

Name

Description

A PEM-format public key.

You can obtain a public key from a certificate using a command such as:

$ openssl x509 -pubkey -in cert.pem -noout

<security:TrustEngine>

A trust engine plugin that defines how the signature is to be checked

Examples

Externally specified certificate file

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
	certificateFile="%{idp.home}/credentials/signer.pem"/>

Inline key

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
  <PublicKey>
    MIIBI.....
  </PublicKey>
</MetadataFilter>

Metadata Provider with inline trust engine

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential" xsi:type="security:X509ResourceBacked">
            <security:Certificate>%{idp.home}/credentials/signer.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>

Metadata Provider with inline trust engine with multiple validation credentials

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="SignerCredential_1" xsi:type="security:X509ResourceBacked">
            <security:Certificate>%{idp.home}/credentials/signer1.pem</security:Certificate>
        </security:Credential>
        <security:Credential id="SignerCredential_2" xsi:type="security:X509ResourceBacked">
            <security:Certificate>%{idp.home}/credentials/signer2.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>
</MetadataFilter>

PKIX signature validation with static trust anchors

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
    <security:TrustEngine id="VTSignerTrustEngine" xsi:type="security:StaticPKIXSignature">
        <security:TrustedName>shib</security:TrustedName>
        <security:ValidationInfo id="VTPKIXValidationInfo" xsi:type="security:PKIXResourceBacked">
            <security:Certificate>%{idp.home}/credentials/vtmwca.pem</security:Certificate>
        </security:ValidationInfo>
    </security:TrustEngine>
</MetadataFilter>