Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Choose the right metadata aggregate for your particular deployment
  2. Deploy and configure an automated metadata refresh process:
    1. Configure your metadata client
    2. Verify the XML signature on downloaded metadata (see below)
    3. Validate the expiration date on downloaded metadata (see below)

...

    1. Adjust your outbound firewall rules

...

...

Don't forget to adjust your outbound firewall rules for all metadata endpoint locations.

Signature Verification

Federation metadata is signed for integrity and authenticity. Participants are strongly encouraged to verify the XML signature on the metadata file before use; failure to do so will seriously compromise the security of your SAML deployment.

...

Warning
titleVerify the expiration date independently!

Verifying the signature on a SAML metadata file does not verify the presence or value of an expiration date. The only way to verify the expiration date is to parse the XML.

Anchor
firewall-config
firewall-config

Firewall Configuration

Depending on your environment, you may have to poke a hole in an outbound firewall to allow your metadata client to reach the metadata server. In that case, you will actually want to poke two holes in that firewall since there are two metadata servers as described below.

Hostname wayf.incommonfederation.org resolves to one of two identical servers, either in Michigan (207.75.165.125) or Indiana (140.182.44.53). The actual server used at any given point in time is unspecified and left to the discretion of InCommon Operations. If one of the servers goes down or requires maintenance, the other can be brought up within minutes, with minimal disruption of services.

Therefore, please make sure both your SAML implementation and your metadata refresh processes are configured with hostname wayf.incommonfederation.org (as opposed to an IP address). On the other hand, make sure your outbound firewall (if any) is configured with both IP addresses (207.75.165.125 and 140.182.44.53).

For More Information