The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
SPRelyingConfig
The basic unit for defining the other half of exchanges with the SP is the relying party. A relying party can be comprised of an entire federation, a single enterprise, or even one application, and is treated the same way by the service provider. Any specifications made regarding a relying party will be applied for all transactions to which it applies on a closest-match basis. This allows for more specific definitions for individual relying parties within a broader relying party, e.g. one IdP in a federation.
The RelyingParty
element is used to customize the set of credentials used for one or more relying parties that this SP must recognize. This may include any federations the SP is a member of, any IdP's that have established bilateral agreements with the SP, or any other trust structure that SP must be aware of.
|
One or more |
name
: Identifies the origin site or group of sites to which the credentials specified in the element apply. This is used to match the providerId sent within attribute assertions from origin sites against a set of "groups" based on metadata.TLS
: Specifies a set of signing credentials to be used in TLS mutual authentication with IdPs for attribute query requests.Signing
: Specifies a set of signing credentials to be used for signing authentication and attribute query assertions.
Federations
Federations are collections of IdPs and SPs that agree to exchange information according to a set of rules with a list of acceptible root certificate authorities, often utilizing a common set of attributes. Membership in a federation does not limit bi-lateral agreements with other sites inside or outside the federation, although the political and mechanical framework of the federation can make these interactions easier.
Shibboleth supports the use of federations in order to simplify trust interactions and policy in support of these exchanges. It is not necessary to be part of a Federation to utilize Shibboleth, nor is a federation necessarily confined to supporting only Shibboleth. A federation from the point of view of a service provider is just a construct that behaves in many ways like any other relying party.
Most federations will distribute a sites.xml
file to facilitate trust interactions which must be pointed to by shibboleth.xml
. This file identifies certificates and root CAs that are considered authoritative for that federation, and identify service locations, contact and error handling information, URN's, and certificate naming for individual sites in that federation. In addition, for Shibboleth 1.2 or earlier, there may be a ca-bundle.crt
naming signing authorities for SSL server certificates that must be referenced by a SSLCACertificateFile
element in Apache's configuration.
Membership and participation in multiple federations can be accomplished in most cases by simply pointing to other metadata files with additional FederationProvider
elements.
MetadataProvider
This configuration element supplies metadata to the SP to identify relying parties in transactions. It may appear as many times as necessary.
|
This element is contained by the main |
siterefresh
Shibboleth provides a simple tool called siterefresh
in the /opt/shibboleth/bin
folder of the distribution to maintain metadata files referenced by shibboleth.xml
. It will return 0 only on success and a negative number on failure and log errors to stderr
. If the data in the new metadata file is unusable or schema invalid, or the signature is invalid, the existing copy is kept and not overwritten. The SP stats all metadata files each time the data is used, allowing it to detect and utilize updates in real-time during system operation.
siterefresh
takes the following command-line parameters:
|
Specifies the |
|
Specifies the local file to which to write the new metadata. |
|
Explicitly disables the requirement for the file to be signed and allows the certificate parameter to be ommitted. If the file is signed, the signature will be verified using whatever key is supplied inside it, and an invalid signature will still result in an error, but if the file is unsigned or has a valid signature, only a warning will be logged, and the result will be success. |
|
Specifies the location of a certificate stored in |
|
Optionally defines a base path for schemas to use when validating the file. Defaults to a location based on the installation path on Unix, or |
|
Optionally defines the XML namespace of the root element expected in the new file. Normally unused, provided to support alternative metadata formats that may be backported to older releases. |
|
Optionally defines the name of the root element expected in the new file. Normally unused, provided to support alternative metadata formats that may be backported to older releases. |
If a zero is returned, the command will copy the retrieved file to the output location. Otherwise one of the following error values will be returned:
-100 |
an invalid combination of parameters was specified |
-10 |
the OpenSAML library failed to initialize |
-1 |
the file's XML digital signature was invalid |
-2 |
a SAML exception was trapped |
-3 |
an XML library exception was trapped |
-4 |
a general XML security library exception was trapped |
-5 |
an XML security library crypto exception was trapped |
-6 |
an unknown exception was trapped |
A complete command issued to siterefresh
might take the form:
/opt/shibboleth/bin/siterefresh --out IQ-sites.xml --cert inqueue.pem \ --url http://wayf.internet2.edu/InQueue/IQ-sites.xml
It is recommended that a similar command be added to a crontab
to keep the metadata files refreshed. Frequent updates will improve the security of an installation by providing immediate notification in the case a federation member becomes compromised.