
The following examples fetch the main InCommon production metadata aggregate. See the Metadata Aggregates wiki page for other options.

Before you can verify the XML signature on a metadata aggregate, you need an authentic copy of the InCommon Metadata Signing Certificate. Do this first, before configuring Shibboleth for metadata refresh.

Configure the Shibboleth IdP

The examples in this section fetch the main InCommon production metadata aggregate. See the Metadata Aggregates wiki page for other options.

Warning: Protect Against Failed Metadata Processes

The Shibboleth IdP is known to be sensitive to large metadata aggregates. To protect against failed metadata processes, InCommon recommends that deployers allocate at least 1500MB of heap space in the JVM. Do this for all your Shibboleth IdP deployments, in both test and production, for both V3 and V2.

...

Configure the Shibboleth SP

The examples in this section fetch the IdP-only InCommon production metadata aggregate. See the Metadata Aggregates wiki page for other options.

Basic Shibboleth SP Configuration

...

Configure Shibboleth SP 2.5 (and later)
<!--
  The following MetadataProvider attempts to refresh the InCommon
  IdP-only metadata aggregate every hour.
-->
<MetadataProvider type="XML" 
    url="http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml"
    backingFilePath="InCommon-metadata-idp-only.xml"
    maxRefreshDelay="3600">

  <!--
    To bootstrap the trust fabric of the federation, each relying party 
    obtains and configures an authentic copy of the federation operator’s 
    Metadata Signing Certificate (https://spaces.at.internet2.edu/x/moHFAg).
 
    Fetch the InCommon Metadata Signing Certificate and check its integrity:
 
    $ /usr/bin/curl -s https://ds.incommon.org/certs/inc-md-cert.pem \
        | /usr/bin/tee inc-md-cert.pem \
        | /usr/bin/openssl x509 -sha1 -fingerprint -noout
    SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
 
    Verify the signature on the root element of the metadata aggregate 
    (i.e., the EntitiesDescriptor element) using the trusted Metadata 
    Signing Certificate.
 
    A large metadata file can cause a significant increase in startup 
    time at the SP. This is due to the time it takes to verify the 
    signature on the metadata, which is known to increase exponentially 
    as the size of the metadata file increases. To disable signature 
    verification at startup time only, add verifyBackup="false" to the 
    MetadataFilter element below. 
  -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

  <!--
    Require a validUntil XML attribute on the EntitiesDescriptor element
    and make sure its value is no more than 14 days into the future 
  -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

  <!-- Consume all IdP metadata in the aggregate -->
  <MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
  </MetadataFilter>

</MetadataProvider>
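The comment inside the MetadataProvider above (repeated in the discovery variant that follows) has the deployer compare the fingerprint printed by openssl with the published value by eye. The following added example, which is not part of this page or of the Shibboleth project, automates that comparison: it computes the fingerprint the same way `openssl x509 -fingerprint` does (a digest over the DER bytes of the certificate) and compares it against a value pinned in the deployment tooling. The pinned InCommon fingerprint is the one printed above; the PEM file used for the self-check is a constructed stand-in whose body is the bytes `abc`, so its fingerprint is the well-known SHA-1 test vector rather than a real certificate.

```python
"""Automated fingerprint pin check for the Metadata Signing Certificate."""
import base64
import hashlib
import hmac
import re

# Pinned SHA-1 fingerprint of the InCommon Metadata Signing Certificate, as
# printed on this page. Keep the pin in your deployment tooling, never in the
# same place the certificate itself is fetched from.
INCOMMON_MD_CERT_SHA1 = "7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD"

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, algorithm="sha1"):
    """Colon-separated upper-case hex digest of the DER, in openssl's format."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Reduce 'AB:CD', 'ab:cd' or 'abcd' to one canonical form before comparing."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def certificate_matches_pin(pem_text, pinned_fp, algorithm="sha1"):
    """True only if the certificate's fingerprint equals the pinned value."""
    actual = normalize(fingerprint(pem_to_der(pem_text), algorithm))
    return hmac.compare_digest(actual, normalize(pinned_fp))


# Constructed self-check input (hypothetical, not a parseable X.509 certificate):
# the "DER" body is the bytes b"abc", whose SHA-1 is a published test vector,
# so the expected fingerprint can be checked by hand.
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
CONSTRUCTED_SHA1 = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"

if __name__ == "__main__":
    import sys
    # With a path argument, check a real inc-md-cert.pem against the InCommon pin;
    # without one, run the self-check on the constructed input.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_PEM
    pin = INCOMMON_MD_CERT_SHA1 if len(sys.argv) > 1 else CONSTRUCTED_SHA1
    ok = certificate_matches_pin(pem, pin)
    print(fingerprint(pem_to_der(pem)), "OK" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

Run it as `python check_pin.py inc-md-cert.pem` after the curl command above and fail the deployment on a non-zero exit; a mismatch means the fetched file is not the certificate the federation published, so the Signature filter would be trusting the wrong key.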

...

Configure Shibboleth SP 2.5 (and later) with discovery
<!--
  The following MetadataProvider attempts to refresh the InCommon
  IdP-only metadata aggregate every hour.
 
  The discovery interface relies primarily on mdui:DisplayName.
  To fall back on md:OrganizationDisplayName if mdui:DisplayName
  is missing from IdP metadata, add legacyOrgNames="true" to the
  MetadataProvider element as shown below.
-->
<MetadataProvider type="XML" 
    url="http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml"
    backingFilePath="InCommon-metadata-idp-only.xml"
    maxRefreshDelay="3600"
    legacyOrgNames="true">

  <!--
    To bootstrap the trust fabric of the federation, each relying party 
    obtains and configures an authentic copy of the federation operator’s 
    Metadata Signing Certificate (https://spaces.at.internet2.edu/x/moHFAg).
 
    Fetch the InCommon Metadata Signing Certificate and check its integrity:
 
    $ /usr/bin/curl -s https://ds.incommon.org/certs/inc-md-cert.pem \
        | /usr/bin/tee inc-md-cert.pem \
        | /usr/bin/openssl x509 -sha1 -fingerprint -noout
    SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
 
    Verify the signature on the root element of the metadata aggregate 
    (i.e., the EntitiesDescriptor element) using the trusted Metadata 
    Signing Certificate.
 
    A large metadata file can cause a significant increase in startup 
    time at the SP. This is due to the time it takes to verify the 
    signature on the metadata, which is known to increase exponentially 
    as the size of the metadata file increases. To disable signature 
    verification at startup time only, add verifyBackup="false" to the 
    MetadataFilter element below. 
  -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

  <!--
    Require a validUntil XML attribute on the EntitiesDescriptor element
    and make sure its value is no more than 14 days into the future 
  -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

  <!-- Consume all IdP metadata in the aggregate -->
  <MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
  </MetadataFilter>

  <!-- 
    Hide all IdPs with the hide-from-discovery entity attribute.
    This filter has no effect if your app has no discovery interface.
    Note: Hiding an IdP from the discovery interface does NOT prevent
    the SP from accepting an assertion from the IdP. 
  -->
  <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://refeds.org/category/hide-from-discovery"/>

</MetadataProvider>
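To make concrete what the filters in the two MetadataProvider configurations above actually do to an aggregate, here is an added example, written for this page and not taken from the Shibboleth SP, that re-implements three of them in plain Python: RequireValidUntil with the 14-day maxValidityInterval, EntityRoleWhiteList retaining only md:IDPSSODescriptor and md:AttributeAuthorityDescriptor, and the hide-from-discovery DiscoveryFilter. The sample aggregate is constructed (not InCommon metadata), the aggregate is assumed to be flat (no nested EntitiesDescriptor), and the XML signature check is assumed to have already passed; it is deliberately not reimplemented here.

```python
"""Pure-Python model of the RequireValidUntil, EntityRoleWhiteList and
hide-from-discovery filters configured above. Assumes a signature-verified,
flat aggregate."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MD = "{%s}" % NS["md"]
# All role descriptor elements SAML metadata defines; anything here that is
# not on the whitelist gets stripped from the entity.
ROLE_TAGS = {MD + t for t in ("IDPSSODescriptor", "SPSSODescriptor",
             "AttributeAuthorityDescriptor", "AuthnAuthorityDescriptor",
             "PDPDescriptor", "RoleDescriptor")}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

# Constructed sample aggregate (hypothetical entityIDs, not real metadata): one
# IdP tagged hide-from-discovery with stray whitespace around the value (what
# trimTags="true" tolerates), one plain IdP with an attribute authority, and
# one SP that an IdP-only whitelist must drop entirely.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Name="urn:example:constructed" validUntil="2024-01-15T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp-hidden.example.edu/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue> http://refeds.org/category/hide-from-discovery </saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_time(value):
    """SAML UTC dateTime ('...Z') to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_valid_until(root, now, max_validity_interval=1209600):
    """RequireValidUntil: present, not in the past, and no further ahead than
    maxValidityInterval seconds (1209600 = 14 days, as configured above)."""
    value = root.get("validUntil")
    if value is None:
        raise ValueError("metadata has no validUntil attribute")
    valid_until = parse_time(value)
    if valid_until < now:
        raise ValueError("metadata expired at " + value)
    if valid_until - now > timedelta(seconds=max_validity_interval):
        raise ValueError("validUntil %s exceeds maxValidityInterval" % value)
    return valid_until


def apply_role_whitelist(root, retained):
    """EntityRoleWhiteList: strip roles not in `retained` (names without the
    md: prefix) and drop entities left with no role. Returns surviving entityIDs."""
    keep = {MD + r for r in retained}
    for entity in list(root.findall("md:EntityDescriptor", NS)):
        for child in list(entity):
            if child.tag in ROLE_TAGS and child.tag not in keep:
                entity.remove(child)
        if not any(c.tag in ROLE_TAGS for c in entity):
            root.remove(entity)
    return [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)]


def hidden_from_discovery(root, trim_tags=True):
    """DiscoveryFilter: entityIDs carrying the hide-from-discovery category.
    Only the discovery list is affected; the SP still trusts these IdPs."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    hidden = []
    for entity in root.findall("md:EntityDescriptor", NS):
        for attr in entity.findall(path, NS):
            if attr.get("Name") != ENTITY_CATEGORY:
                continue
            for v in attr.findall("saml:AttributeValue", NS):
                text = (v.text or "").strip() if trim_tags else (v.text or "")
                if text == HIDE_FROM_DISCOVERY:
                    hidden.append(entity.get("entityID"))
    return hidden


def load_idp_only(xml_text, now_iso):
    """Run the filters in configuration order; returns (IdP entityIDs, hidden)."""
    root = ET.fromstring(xml_text)
    check_valid_until(root, parse_time(now_iso))
    idps = apply_role_whitelist(root, ["IDPSSODescriptor", "AttributeAuthorityDescriptor"])
    return idps, hidden_from_discovery(root)


def validity_error(xml_text, now_iso):
    """None if the aggregate passes RequireValidUntil at now_iso, else the reason."""
    try:
        check_valid_until(ET.fromstring(xml_text), parse_time(now_iso))
    except ValueError as e:
        return str(e)
    return None
```

Two behaviours worth noticing when running this against the sample: the hidden IdP is still returned by the whitelist step even though it is absent from the discovery list, which is exactly the caveat in the comment above the DiscoveryFilter, and the same aggregate that passes on 2024-01-05 is rejected on 2023-12-01 because its validUntil is then more than 14 days out, which is how a stale or replayed aggregate is kept from being accepted indefinitely.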

...