
The InCommon Federation metadata is published at the following location:

http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml

This page introduces some important policy considerations associated with InCommon metadata. Other pages discuss the availability of multiple metadata aggregates and provide guidance with respect to metadata configuration, including client configuration and the configuration of outbound firewalls.

Policy

InCommon expects participants to refresh metadata daily to ensure that SAML endpoints have access to the most up-to-date keys and other registered information. Some software implementations (such as Shibboleth) handle metadata easily, but regardless of your software, please read this entire page to understand the requirements and pitfalls associated with metadata consumption.

...

In addition, if you don't refresh your metadata regularly, your software implementation will very likely fail at some point, because the XML document carries an expiration date (validUntil) that causes the metadata to expire in two weeks. InCommon strongly recommends that you do not rely on the actual length of this validity interval in any way; in fact, we reserve the right to shorten the validity interval with little or no notice.

Metadata Refresh

The mechanics of metadata refresh:

  1. Choose the right metadata aggregate for your particular deployment
  2. Deploy an automated metadata refresh process
  3. Configure your metadata process:
    1. Configure your metadata client
    2. Configure your outbound firewall rules (if necessary)
  4. Verify the XML signature on downloaded metadata
  5. Validate the expiration date on downloaded metadata

Signature Verification

Federation metadata is signed for integrity and authenticity. Participants are strongly encouraged to verify the XML signature on the metadata file before use; failure to do so will seriously compromise the security of your SAML deployment.

...

Warning: Verify the expiration date independently!

Verifying the signature on a SAML metadata file does not verify the presence or value of an expiration date. The only way to verify the expiration date is to parse the XML.
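The expiration check described above, as an added example that is not part of the original page or any InCommon tooling. It parses the validUntil attribute of the root EntitiesDescriptor and classifies the aggregate relative to a given time; the metadata sample is constructed, and the one-day "expiring" threshold (a sign that the daily refresh is probably stalled) is an assumed operational value. Signature verification is a separate step that this code does not perform.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample aggregate (not real InCommon metadata). The ds:Signature is
# left out: signature verification is a separate step and says nothing about validUntil.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:incommon" validUntil="2024-01-15T00:00:00Z">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
</EntitiesDescriptor>
"""


def parse_valid_until(xml_text: str) -> datetime:
    """Return validUntil of the root EntitiesDescriptor as an aware UTC datetime.

    Raises ValueError if the attribute is missing or malformed: metadata with no
    expiration date must be rejected, not silently accepted.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    value = root.get("validUntil")
    if value is None:
        raise ValueError("metadata carries no validUntil attribute")
    if not value.endswith("Z"):  # SAML dateTime values are UTC with a trailing Z
        raise ValueError(f"validUntil is not a UTC timestamp: {value}")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_expiration(xml_text: str, now: datetime,
                     warn_within: timedelta = timedelta(days=1)) -> str:
    """Classify metadata as 'expired', 'expiring' (refresh probably stalled) or 'ok'."""
    valid_until = parse_valid_until(xml_text)
    if now >= valid_until:
        return "expired"
    if valid_until - now <= warn_within:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    print(check_expiration(SAMPLE_METADATA, datetime.now(timezone.utc)))
```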

Configuration

Firewall Configuration

Depending on your environment, you may have to poke a hole in an outbound firewall to allow your metadata client to reach the metadata server. In that case, you will actually want to poke two holes in that firewall since there are two metadata servers as described below.

Hostname wayf.incommonfederation.org resolves to one of two identical servers, either in Michigan (207.75.165.125) or Indiana (140.182.44.53). The actual server used at any given point in time is unspecified and left to the discretion of InCommon Operations. If one of the servers goes down or requires maintenance, the other can be brought up within minutes, with minimal disruption of services.

...


For More Information