This page introduces important policy and procedures associated with InCommon metadata. Other pages describe the availability of multiple metadata aggregates and provide guidance on how to configure specific metadata clients. General configuration issues, including the configuration of outbound firewalls, are discussed below.

...

Participants are strongly encouraged to use SAML metadata client software that properly handles metadata; failure to do so can have profound effects on the successful use of the Federation. In addition to maintaining the security of your own deployment, proper metadata use is critical to ensure that other participants can depend on your system behaving correctly when they make changes.

...

  1. Choose the right metadata aggregate for your particular deployment
  2. Deploy and configure an automated metadata refresh process:
    1. Install and configure your metadata client software
    2. Verify the XML signature on downloaded metadata
    3. Validate the expiration date on downloaded metadata
  3. Adjust your outbound firewall rules (if necessary)

...

```bash
# Download the aggregate to $MD_PATH, then verify its signature against the
# federation signing certificate stored at $CERT_PATH
$ /usr/bin/curl --silent http://md.incommon.org/InCommon/InCommon-metadata.xml > $MD_PATH
$ ./xmlsectool.sh --verifySignature --signatureRequired \
    --certificate $CERT_PATH --inFile $MD_PATH
```

You may also want to schema validate the metadata:

```bash
# Schema-validate the downloaded aggregate against a local copy of the schema files
$ ./xmlsectool.sh --validateSchema \
    --schemaDirectory $SCHEMA_DIR --inFile $MD_PATH
```

For convenience, we provide a set of (suitably modified) schema files that permit offline schema validation.

...

Federation metadata has an expiration date, much like an X.509 certificate. It is important that expired metadata not be accepted; otherwise an attacker would be able to substitute expired metadata in conjunction with a metadata refresh. In particular, a metadata file should not be accepted if any of the following conditions are true:

  1. The metadata file does not have a validUntil attribute on the root element.
  2. The validUntil attribute on the root element is expired.
  3. The validUntil attribute on the root element is too far into the future.

A metadata reload process should check each of the above conditions before accepting the metadata. Alternatively, if your SAML implementation is known to ignore or reject expired metadata (a basic correctness requirement), it may be sufficient to ensure that a validUntil attribute exists and is not unexpectedly far into the future.
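The following is an added example (not InCommon's tooling) of a pre-acceptance check that applies the three validUntil conditions above to a downloaded aggregate. The 14-day upper bound and the minimal EntitiesDescriptor sample are assumptions constructed for illustration; tune the bound to your federation's signing cadence.

```python
# Added example: check the validUntil attribute on the root element of a SAML
# metadata file for the three rejection conditions (missing, expired, too far ahead).
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MAX_VALIDITY = timedelta(days=14)  # assumed upper bound; adjust to your federation's practice

def parse_saml_instant(value):
    """Parse an xs:dateTime such as 2024-01-15T12:00:00Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("validUntil must carry a timezone designator")
    return dt.astimezone(timezone.utc)

def check_valid_until(xml_bytes, now, max_validity=MAX_VALIDITY):
    """Return (ok, reason). Reject if validUntil is missing, expired, or too far ahead."""
    root = ET.fromstring(xml_bytes)
    raw = root.get("validUntil")
    if raw is None:
        return False, "root element has no validUntil attribute"
    valid_until = parse_saml_instant(raw)
    if valid_until <= now:
        return False, f"metadata expired at {valid_until.isoformat()}"
    if valid_until - now > max_validity:
        return False, f"validUntil {valid_until.isoformat()} is more than {max_validity} ahead"
    return True, f"metadata valid until {valid_until.isoformat()}"

def sample_metadata(valid_until=None):
    """Constructed minimal aggregate root for testing; not real federation metadata."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    return (f'<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"{attr} '
            f'Name="urn:example:constructed"></EntitiesDescriptor>').encode()

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    for vu in (None, "2024-01-10T00:00:00Z", "2024-01-20T00:00:00Z", "2025-01-01T00:00:00Z"):
        print(vu, check_valid_until(sample_metadata(vu), now))
```

In a refresh job, run this check after the signature verification shown earlier and before the new file replaces the one your SAML software is reading.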

...