...

http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml

InCommon expects participants to refresh metadata daily to ensure that your SAML endpoints have access to the most up-to-date keys and other registered information. Some software implementations (such as Shibboleth) handle metadata with ease, but please read this entire page to understand the requirements and pitfalls associated with metadata consumption.

Participants are strongly encouraged to rely on SAML software that properly handles metadata; failure to do so can have profound effects on the successful use of the federation. In addition to maintaining the security of your own deployment, proper metadata use is critical to ensure that other participants can count on your system behaving correctly when they make changes.

If you don't refresh your metadata regularly, it is likely that a correct software implementation will fail at some point, since the XML document carries an expiration date (validUntil) that causes the metadata to expire in three weeks. InCommon strongly recommends that you do not rely on the actual length of this validity interval in any way; in fact, we reserve the right to shorten the validity interval with little or no notice.

...

Federation metadata is signed for integrity and authenticity. Participants are strongly encouraged to verify the XML signature on the metadata file before use; failure to do so will greatly compromise the security of your SAML deployment.

To bootstrap the trust fabric of the Federation, participants are required to download the following certificate, which contains the public key corresponding to the Federation's private metadata signing key:

...

  1. If the metadata file does not have a validUntil attribute on the root element.
  2. If the validUntil attribute on the root element is expired.
  3. If a validUntil attribute on a child element is expired.

A metadata reload process should check each of the above conditions before accepting the metadata; alternatively if a SAML implementation is known to ignore/reject expired metadata (a basic correctness requirement), it may be sufficient to ensure that a validUntil attribute exists and is not unexpectedly far into the future.

Warning: Beware!

Verifying the signature on a SAML metadata file does not verify the presence or value of an expiration date(s). The only way to do that is to parse the XML.

...

If you plan on using the Shibboleth software for the purposes of federation, you can in fact also use Shibboleth to download and verify the signed metadata without having to rely on any other tools. Regardless of your implementation, however, you can always set up a cron job to refresh your metadata, but in that case you will also need additional tools to verify the XML signature at the time of refresh and to check the validUntil attribute as noted above. Participants are encouraged to share such tools and scripts for the benefit of the community.
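The following is an added example, not code from InCommon, Shibboleth or this wiki, of the validUntil checks listed above and of the "check the validUntil attribute" step that a cron-driven refresh needs. It parses the aggregate with the Python standard library and rejects it if the root element lacks validUntil, if the root or any child validUntil is expired, or if the root validUntil is unexpectedly far in the future. It assumes the XML signature has already been verified by a separate tool (as the warning above notes, signature verification says nothing about expiration dates), that validUntil values are UTC xs:dateTime strings ending in Z, and it uses an assumed 28-day upper bound on validity; the embedded aggregate is constructed sample data, not real federation metadata.

```python
"""Check validUntil attributes in a SAML metadata aggregate.

Added example (not InCommon's or Shibboleth's code). Run it after the XML
signature has been verified; a valid signature does not prove the metadata
is unexpired.
"""
import re
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROOT_TAGS = ("{%s}EntitiesDescriptor" % MD_NS, "{%s}EntityDescriptor" % MD_NS)

# Assumption: the federation expires metadata in three weeks, so a validUntil
# much further out than that indicates a tampered or mis-generated file.
MAX_VALIDITY = timedelta(days=28)

# Assumption: validUntil is an xs:dateTime in UTC ("Z"); fractional seconds are ignored.
_DT_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?Z$")

# Constructed sample aggregate for demonstration; signature omitted, names invented.
SAMPLE_AGGREGATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:federation" validUntil="2013-05-21T18:45:36Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"/>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
      validUntil="2013-05-01T00:00:00Z"/>
</md:EntitiesDescriptor>
"""


def parse_xs_datetime(value):
    """Parse a UTC xs:dateTime; anything else is rejected as unexpected."""
    m = _DT_RE.match(value.strip())
    if not m:
        raise ValueError("unsupported validUntil value: %r" % value)
    return datetime(*(int(g) for g in m.groups()), tzinfo=timezone.utc)


def check_valid_until(xml_bytes, now=None, max_validity=MAX_VALIDITY):
    """Return a list of problems; an empty list means the aggregate is acceptable.

    Checks, in the order the page lists them:
      1. the root element has a validUntil attribute
      2. the root validUntil is not expired
      3. no child element carries an expired validUntil
    plus: the root validUntil is not unexpectedly far in the future.
    `now` may be a datetime or an xs:dateTime string (handy for testing).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_xs_datetime(now)
    problems = []
    root = ET.fromstring(xml_bytes)
    if root.tag not in ROOT_TAGS:
        problems.append("root element %s is not SAML metadata" % root.tag)

    root_vu = root.get("validUntil")
    if root_vu is None:
        problems.append("root element has no validUntil attribute")
    else:
        try:
            exp = parse_xs_datetime(root_vu)
            if exp <= now:
                problems.append("root validUntil %s is expired" % root_vu)
            elif exp - now > max_validity:
                problems.append("root validUntil %s is unexpectedly far in the future" % root_vu)
        except ValueError as e:
            problems.append(str(e))

    # Individual EntityDescriptors (or other descendants) may carry their own validUntil.
    for child in root.iter():
        if child is root:
            continue
        vu = child.get("validUntil")
        if vu is None:
            continue
        try:
            if parse_xs_datetime(vu) <= now:
                problems.append("child %s has expired validUntil %s"
                                % (child.get("entityID", child.tag), vu))
        except ValueError as e:
            problems.append(str(e))
    return problems


if __name__ == "__main__":
    # Usage: python check_valid_until.py [metadata.xml]; exit status 1 means reject.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AGGREGATE
    found = check_valid_until(data)
    for p in found:
        print("REJECT:", p)
    sys.exit(1 if found else 0)
```

In a cron-driven refresh the script would run after the signature check and before the file is moved into place, so that a missing, expired or implausible validUntil keeps the previous (still valid) aggregate in service rather than replacing it.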

Apart from this refresh process, your software implementation needs to be configured to consume the InCommon metadata. Exactly how this is done depends on your implementation, of course. Instructions on how to configure Shibboleth for metadata consumption are provided elsewhere in this wiki. Also, see the resources linked below for related information.

...