...
Federation metadata is signed for integrity and authenticity. Participants are strongly encouraged to verify the XML signature on the metadata file before use; failure to do so will seriously compromise the security of your SAML deployment.
| Warning | ||
|---|---|---|
| ||
A trusted metadata process MUST verify the XML signature on InCommon metadata. It is not sufficient to request the metadata via a TLS-protected HTTP connection, which is why the sample process shown below does not rely on TLS. |
The InCommon Federation is based on the Explicit Key Trust Model, one of several possible metadata trust models. To bootstrap the trust fabric of the Federation, participants download and configure an authentic copy of the metadata verification certificate into their metadata refresh process. The certificate must be obtained securely since all subsequent operations depend on it.
...