Embedding Certificates in Metadata

Trust between Shibboleth providers can be achieved by embedding certificates used by the providers directly in their metadata. This has a number of advantages over a PKI-based approach, such as simpler encryption flows, easier revocation, and more flexibility for certificate issuance. Any certificate will work, and this approach can be used, but self-signed certificates are easiest to make if you don't already have one lying around.

To create a keypair and a self-signed certificate, use the following two commands. Complete all the fields as seems appropriate; the only important one is the CN field, which must be equal to the full domain name of the server, such as www.supervillain.edu .

openssl genrsa -out myprovider.key 2048
openssl req -new -x509 -nodes -sha1 -days 3650 -key myprovider.key > myprovider.crt

Cat out the new certificate file's contents. Strip out the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings, but leave them in the file itself. Leading and trailing whitespace breaks early Xerces, and was fixed in 2.6.1 and in 2.7. Embedded whitespace (indenting) probably requires xmlsec 1.3, which doesn't use openssl's broken base64 decoder; it's not clear what the Java parser allows. Place the resulting alphanumeric soup in XML like the following:

<KeyDescriptor>
	<ds:KeyInfo>
		<ds:X509Data>
			<ds:X509Certificate>
MIIExzCCA6+gAwIBAgIJAM+MlFr0Sth6MA0GCSqGSIb3DQEBBQUAMIGdMR8wHQYD
VQQDExZTdXBlcnZpbGxhaW46IFRoZSBSb290MQswCQYDVQQGEwJVUzERMA8GA1UE
CBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4GA1UEChMXU3VwZXJ2aWxs
YWluIFVuaXZlcnNpdHkxJzAlBgkqhkiG9w0BCQEWGHBlbmd1aW5Ac3VwZXJ2aWxs
YWluLmVkdTAeFw0wNjA4MTcxOTU5NTNaFw0xMTA4MTYxOTU5NTNaMIGdMR8wHQYD
VQQDExZTdXBlcnZpbGxhaW46IFRoZSBSb290MQswCQYDVQQGEwJVUzERMA8GA1UE
CBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4GA1UEChMXU3VwZXJ2aWxs
YWluIFVuaXZlcnNpdHkxJzAlBgkqhkiG9w0BCQEWGHBlbmd1aW5Ac3VwZXJ2aWxs
YWluLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6uFqas4dK6
A2wTZL0viRQNJrPyFnFBDSZGib/2ijhgzed/vvmZIBM9sFpwahcuR5hvyKUe37/c
/RSZXoNDi/eiNOx4qb0l9UB6bd8qvc4V1PnLE7L+ZYcmwrvTKm4x8qXMgEv1wca2
FPsreHNPdLiTUZ8v0tDTWi3Mgi7y47VTzJaTkcfmO1nL6xAtln5sLdH0PbMM3LAp
T1d3nwI3VdbhqqZ+6+OKEuC8gk5iH4lfrbr6C9bYS6vzIKrotHpZ3N2aIC3NMjJD
PMw/mfCuADfRNlHXgZW+0zyUkwGTMDea8qgsoAMWJGdeTIw8I1I3RhnbgLzdsNQl
b/1ZXx1uJRUCAwEAAaOCAQYwggECMB0GA1UdDgQWBBQe+xSjYTrlfraJARjMxscb
j36jvDCB0gYDVR0jBIHKMIHHgBQe+xSjYTrlfraJARjMxscbj36jvKGBo6SBoDCB
nTEfMB0GA1UEAxMWU3VwZXJ2aWxsYWluOiBUaGUgUm9vdDELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCE5ldyBZb3JrMQ8wDQYDVQQHEwZHb3RoYW0xIDAeBgNVBAoTF1N1
cGVydmlsbGFpbiBVbml2ZXJzaXR5MScwJQYJKoZIhvcNAQkBFhhwZW5ndWluQHN1
cGVydmlsbGFpbi5lZHWCCQDPjJRa9ErYejAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQC4SPBDGYAxfbXd8N5OvG0drM7a5hjXfcCZpiILlPSRpxp79yh7
I5vVWxBxUfolwbei7PTBVy7CE27SUbSICeqWjcDCfjNjiZk6mLS80rm/TdLrHSyM
+Ujlw9MGcBGaLI+sdziDUMtTQDpeAyQTaGVbh1mx5874Hlo1VXqGYNo0RwR+iLfs
x48VuO6GbWVyxtktkE2ypz1KLWiyI056YynydRvuBCBHeRqGUixPlH9CrmeSCP2S
sfbiKnMOGXjIYbvbsTAMdW2iqg6IWa/fgxhvZoAXChM9bkhisJQc0qD0J5TJQwgr
uEyb50RJ7DWmXctSC0b3eymZ2lSXxAWNOsNy
			</ds:X509Certificate>
		</ds:X509Data>
	</ds:KeyInfo>
</KeyDescriptor>

The complete metadata for a two-provider Evil Federation would thus resemble:

<EntitiesDescriptor
	 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
	 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
	 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
	 xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd
	 urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd
	 http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
	 Name="https://www.supervillain.edu/evil-federation/policy.html"
	 validUntil="2010-01-01T00:00:00Z">

	<!-- This is the metadata for Evil Federation using embedded certificates. -->

	<!-- The Supervillain IdP -->
	<EntityDescriptor entityID="https://idp.example.org/shibboleth">
		<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
			<Extensions>
				<!-- It's authoritative for supervillain.edu. -->
				<shibmd:Scope>supervillain.edu</shibmd:Scope>
			</Extensions>

			<KeyDescriptor use="signing">
				 <ds:KeyInfo>
					  <ds:X509Data>
						  <ds:X509Certificate>
MIIEzTCCA7WgAwIBAgIJAPBxTwLnvO0aMA0GCSqGSIb3DQEBBQUAMIGfMQswCQYD
VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4G
A1UEChMXU3VwZXJ2aWxsYWluIFVuaXZlcnNpdHkxHTAbBgNVBAMTFGlkcC5zdXBl
cnZpbGxhaW4uZWR1MSswKQYJKoZIhvcNAQkBFhxncmVlbmdvYmxpbkBzdXBlcnZp
bGxhaW4uZWR1MB4XDTA2MDgxNzIxMDUzNVoXDTE2MDgxNDIxMDUzNVowgZ8xCzAJ
BgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGR290aGFtMSAw
HgYDVQQKExdTdXBlcnZpbGxhaW4gVW5pdmVyc2l0eTEdMBsGA1UEAxMUaWRwLnN1
cGVydmlsbGFpbi5lZHUxKzApBgkqhkiG9w0BCQEWHGdyZWVuZ29ibGluQHN1cGVy
dmlsbGFpbi5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf18VZ
75icxGtfpH50gZpDST1nNvCB2zhU3EYJtnMFCwQY/oWQhWz34+f/78ahiYfWBb+v
QaaRgf2IVMM38Mrol2sqn79s9dmEJyPqOaupWZmskgR05aogt2oFYtXCvV2QGurI
FvDn9Z/bIjrC+Xp7Mztu/Zx7dEFmdtkgvSBcnjVr7unGcObSxNAMOG//DEIyIXkj
eMuw/EAlqJBCF33hDDuaQIaZsfJsSIG7hiB7AxaP5+q0sRaimMuw/7urbIveNC9V
vNYNZa4XE8DQzTA8Gc7qqdlCnwvuYEZU5SDB/UwF6LSRqm9Z/dH7hW5j9k/Wqx8S
P4XNmW83QgE0hF2DAgMBAAGjggEIMIIBBDAdBgNVHQ4EFgQUnrDyPuiCOWUqq6oQ
x2vgw6DxYmcwgdQGA1UdIwSBzDCByYAUnrDyPuiCOWUqq6oQx2vgw6DxYmehgaWk
gaIwgZ8xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMG
R290aGFtMSAwHgYDVQQKExdTdXBlcnZpbGxhaW4gVW5pdmVyc2l0eTEdMBsGA1UE
AxMUaWRwLnN1cGVydmlsbGFpbi5lZHUxKzApBgkqhkiG9w0BCQEWHGdyZWVuZ29i
bGluQHN1cGVydmlsbGFpbi5lZHWCCQDwcU8C57ztGjAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBBQUAA4IBAQCqrOghCppgxhs4a96r+LgNeUlWc6j6/t0MJA8i3HpB
B3QIvfGS/0UWUwClhx4K5clnNKmLNcps6QvwVxKE/hjzE6B9Vo4+F+0WprPjvoK5
FCYGYLfhCSDRi8GXATVQlQ6kaChOH7PgjAejrBNoRCKzq/sAP+1ZB0TaJaigbXEu
QnFlpBv54Vq+HBsS5i0N9Qd5kyB2FVOfecSzQEqOeNENreoKxlj8vLqQRH0DPObf
A2hidRUUxZktslTpuN+9hTpeqVWVx802QpzDNTeBEn8lf2e4eStQuY8edkh9yE/j
F/xPvs1EdxIeiFvd237Ef9TV2JoxEN2+pOSTtdJ8Exk0
						  </ds:X509Certificate>
					  </ds:X509Data>
				 </ds:KeyInfo>
			</KeyDescriptor>

			<ArtifactResolutionService index="1"
				Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
				Location="http://idp.example.org:8080/shibboleth-idp/Artifact"/>

			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

			<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
				 Location="https://idp.example.org/shibboleth-idp/SSO"/>

		</IDPSSODescriptor>
		
		<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
			<Extensions>
				<!-- It's authoritative for supervillain.edu. -->
				<shibmd:Scope>supervillain.edu</shibmd:Scope>
			</Extensions>

			<KeyDescriptor use="signing">
				 <ds:KeyInfo>
					  <ds:X509Data>
						  <ds:X509Certificate>
MIIEzTCCA7WgAwIBAgIJAPBxTwLnvO0aMA0GCSqGSIb3DQEBBQUAMIGfMQswCQYD
VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4G
A1UEChMXU3VwZXJ2aWxsYWluIFVuaXZlcnNpdHkxHTAbBgNVBAMTFGlkcC5zdXBl
cnZpbGxhaW4uZWR1MSswKQYJKoZIhvcNAQkBFhxncmVlbmdvYmxpbkBzdXBlcnZp
bGxhaW4uZWR1MB4XDTA2MDgxNzIxMDUzNVoXDTE2MDgxNDIxMDUzNVowgZ8xCzAJ
BgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGR290aGFtMSAw
HgYDVQQKExdTdXBlcnZpbGxhaW4gVW5pdmVyc2l0eTEdMBsGA1UEAxMUaWRwLnN1
cGVydmlsbGFpbi5lZHUxKzApBgkqhkiG9w0BCQEWHGdyZWVuZ29ibGluQHN1cGVy
dmlsbGFpbi5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf18VZ
75icxGtfpH50gZpDST1nNvCB2zhU3EYJtnMFCwQY/oWQhWz34+f/78ahiYfWBb+v
QaaRgf2IVMM38Mrol2sqn79s9dmEJyPqOaupWZmskgR05aogt2oFYtXCvV2QGurI
FvDn9Z/bIjrC+Xp7Mztu/Zx7dEFmdtkgvSBcnjVr7unGcObSxNAMOG//DEIyIXkj
eMuw/EAlqJBCF33hDDuaQIaZsfJsSIG7hiB7AxaP5+q0sRaimMuw/7urbIveNC9V
vNYNZa4XE8DQzTA8Gc7qqdlCnwvuYEZU5SDB/UwF6LSRqm9Z/dH7hW5j9k/Wqx8S
P4XNmW83QgE0hF2DAgMBAAGjggEIMIIBBDAdBgNVHQ4EFgQUnrDyPuiCOWUqq6oQ
x2vgw6DxYmcwgdQGA1UdIwSBzDCByYAUnrDyPuiCOWUqq6oQx2vgw6DxYmehgaWk
gaIwgZ8xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMG
R290aGFtMSAwHgYDVQQKExdTdXBlcnZpbGxhaW4gVW5pdmVyc2l0eTEdMBsGA1UE
AxMUaWRwLnN1cGVydmlsbGFpbi5lZHUxKzApBgkqhkiG9w0BCQEWHGdyZWVuZ29i
bGluQHN1cGVydmlsbGFpbi5lZHWCCQDwcU8C57ztGjAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBBQUAA4IBAQCqrOghCppgxhs4a96r+LgNeUlWc6j6/t0MJA8i3HpB
B3QIvfGS/0UWUwClhx4K5clnNKmLNcps6QvwVxKE/hjzE6B9Vo4+F+0WprPjvoK5
FCYGYLfhCSDRi8GXATVQlQ6kaChOH7PgjAejrBNoRCKzq/sAP+1ZB0TaJaigbXEu
QnFlpBv54Vq+HBsS5i0N9Qd5kyB2FVOfecSzQEqOeNENreoKxlj8vLqQRH0DPObf
A2hidRUUxZktslTpuN+9hTpeqVWVx802QpzDNTeBEn8lf2e4eStQuY8edkh9yE/j
F/xPvs1EdxIeiFvd237Ef9TV2JoxEN2+pOSTtdJ8Exk0
						  </ds:X509Certificate>
					  </ds:X509Data>
				 </ds:KeyInfo>
			</KeyDescriptor>
			
			<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
				 Location="http://idp.example.org:8080/shibboleth-idp/AA"/>

			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
		</AttributeAuthorityDescriptor>

		<!-- This is just information about the entity in human terms. -->
		<Organization>
			 <OrganizationName xml:lang="en">The Exalted University of Supervillains</OrganizationName>
			 <OrganizationDisplayName xml:lang="en">Supervillain University</OrganizationDisplayName>
			 <OrganizationURL xml:lang="en">http://www.supervillain.edu/</OrganizationURL>
		</Organization>
		<ContactPerson contactType="technical">
			 <SurName>Norman Osborn</SurName>
			 <EmailAddress>greengoblin@supervillain.edu</EmailAddress>
		</ContactPerson>

	</EntityDescriptor>

	<!-- The main Supervillain web server -->
	<EntityDescriptor entityID="https://www.supervillain.edu/shibboleth/evil-federation/sp">
	
		<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

			<KeyDescriptor use="signing">
				 <ds:KeyInfo>
					  <ds:X509Data>
						  <ds:X509Certificate>
MIIEwTCCA6mgAwIBAgIJANXcCaTUM3BiMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4G
A1UEChMXU3VwZXJ2aWxsYWluIFVuaXZlcnNpdHkxHTAbBgNVBAMTFHd3dy5zdXBl
cnZpbGxhaW4uZWR1MScwJQYJKoZIhvcNAQkBFhhtYWduZXRvQHN1cGVydmlsbGFp
bi5lZHUwHhcNMDYwODE3MjEwNTA2WhcNMTYwODE0MjEwNTA2WjCBmzELMAkGA1UE
BhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMQ8wDQYDVQQHEwZHb3RoYW0xIDAeBgNV
BAoTF1N1cGVydmlsbGFpbiBVbml2ZXJzaXR5MR0wGwYDVQQDExR3d3cuc3VwZXJ2
aWxsYWluLmVkdTEnMCUGCSqGSIb3DQEJARYYbWFnbmV0b0BzdXBlcnZpbGxhaW4u
ZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwvTuYbPyvUZJITK8
VdnK6RPuYjViMK8N4JW3dmCrty9gCxYihYSB8JM+q5MB0iiVL/MaAyrgvebT470T
ftlUXSi2Y27EfdWlHoOwHCKJ8TE6kP44BedoYwFkOsUDBYu/TPfD5E9NB5dXFPIs
XpL6+SmijGx0au2n1l+vVf78xGA5bjj+mN909GihGvDq2ruElEnbjTWEIMew3Di3
mlWRueXSXvrDZ8WdNW7XzMKx2g6PlLhXz17IBbuuzzCatbEbpjPO1hBXSrrhI+re
3Q5MdgrJoFyswHK1b26/3noDmZTCChvPz8Umjk1VeBDYzd3CtBOqw1x4+eaXAtzO
b0HpxQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFGBRXrvGwEl6CM6MEJNyGIQlzzPs
MIHQBgNVHSMEgcgwgcWAFGBRXrvGwEl6CM6MEJNyGIQlzzPsoYGhpIGeMIGbMQsw
CQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEg
MB4GA1UEChMXU3VwZXJ2aWxsYWluIFVuaXZlcnNpdHkxHTAbBgNVBAMTFHd3dy5z
dXBlcnZpbGxhaW4uZWR1MScwJQYJKoZIhvcNAQkBFhhtYWduZXRvQHN1cGVydmls
bGFpbi5lZHWCCQDV3Amk1DNwYjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
A4IBAQAWbSn0Bu0pin6elv6qYdraZAzxBqzRsr9DNn0Qw/0M4bbphiSTR8Sn6WXW
VlYs8WCl7dQR5njdf/RolrHpYFhYsE3/M6CMS4bOMSpP3cArf6qanzGUCvUVM17K
1c/hlHZ61FLCbLdw9UO0qoZhfc3iLQs9wq7/Vt8yqqEiK+K74Dg8W6Ex1P6wm99n
w1EP5Q/nzw4HvueBFkLYt2HCly2RFgUN95KK4iq+loMs+nVu+vRZQ1xeKlePYHxB
M2d1ESOWEp9vf0sWe8x9utqO3BhmSJKaf2Hq6kBT1UNoKJ7pxa7iqzjzxe5uqSEO
hGhEPd2UOHQ/FJAWtqWY7y3GyEs/
						  </ds:X509Certificate>
					  </ds:X509Data>
				 </ds:KeyInfo>
			</KeyDescriptor>

			<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

			<AssertionConsumerService index="1" isDefault="true"
				Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
				Location="https://www.supervillain.edu/Shibboleth.sso/SAML/POST"/>
			<AssertionConsumerService index="2"
				Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
				Location="https://www.supervillain.edu/Shibboleth.sso/SAML/Artifact"/>
		</SPSSODescriptor>

		<!-- This is just information about the entity in human terms. -->
		<Organization>
			 <OrganizationName xml:lang="en">The Exalted University of Supervillains</OrganizationName>
			 <OrganizationDisplayName xml:lang="en">Supervillain University</OrganizationDisplayName>
			 <OrganizationURL xml:lang="en">http://www.supervillain.edu/</OrganizationURL>
		</Organization>
		<ContactPerson contactType="technical">
			 <SurName>Erik Magnus Lehnsherr</SurName>
			 <EmailAddress>magneto@supervillain.edu</EmailAddress>
		</ContactPerson>
		
	</EntityDescriptor>

</EntitiesDescriptor>

Browser not supported