...
- Choose one of three Metadata Aggregates
- Download Obtain an authentic copy of the Metadata Signing Certificate
- Install and configure recommended Metadata Client Software:
- Refresh metadata at least daily (but more often if possible)
- Validate the expiration date on downloaded metadata
- Verify the XML signature on downloaded metadata
- Adjust your outbound firewall rules (if necessary)
...
Deployments are strongly encouraged to refresh metadata at least daily. If your metadata client supports HTTP Conditional GET, configure the client to attempt a refresh operation metadata every hour. This strategy provides the best protection in the event of a key compromise.
...
- If the metadata file does not have a
validUntil
XML attribute on the root element. - If the
validUntil
attribute date on the root element is expired. - If the
validUntil
attribute date on the root element is too far into the future.
A metadata reload refresh process should check each of the above conditions before accepting the metadata; alternatively . Alternatively, if your SAML implementation is known to ignore/reject expired metadata (a basic correctness requirement), it may be sufficient to ensure that a validUntil
attribute exists and its date value is not unexpectedly far into the future.
Warning | ||
---|---|---|
| ||
Verifying the signature on a SAML metadata file does not verify validate the presence or value of an expiration date. The only way to verify validate the expiration date is to parse the XML. |
...
The InCommon Federation is based on the Explicit Key Trust Model, one of several possible metadata trust models. To bootstrap the trust fabric of the Federation, participants download and configure an authentic copy of the Metadata Signing Certificate into their metadata refresh process. The certificate must be obtained securely since all subsequent operations depend on it.
Once the certificate file is locally installed, you can use it to verify the signature on the metadata file. For example, you could use the XmlSecTool (or some similar 3rd-party tool) to verify the signature:
Code Block | ||
---|---|---|
| ||
$ MD_LOCATION=http://md.incommon.org/InCommon/InCommon-metadata.xml $ MD_PATH=/path/totmp/InCommon-metadata.xml $ /usr/bin/curl --silent http://md.incommon.org/InCommon/InCommon-metadata.xml$MD_LOCATION > $MD_PATH $ ./xmlsectool.sh --verifySignature --signatureRequired \ --certificate $CERT$MD_CERT_PATH --inFile $MD_PATH INFO XmlSecTool - Reading XML document from file '/tmp/InCommon-metadata.xml' INFO XmlSecTool - XML document parsed and is well-formed. INFO XmlSecTool - XML document signature verified. |
You may also want to schema validate the metadata:
Code Block | ||
---|---|---|
| ||
$ ./xmlsectool.sh --validateSchema \ --schemaDirectory $SCHEMA_DIR --inFile $MD_PATH INFO XmlSecTool - Reading XML document from file '/tmp/InCommon-metadata.xml' INFO XmlSecTool - XML document parsed and is well-formed. INFO XmlSecTool - XML document is schema valid |
For convenience, we provide a set of (suitably modified) schema files that permit offline schema validation.
...