...

  1. Choose one of three Metadata Aggregates
  2. Download an authentic copy of the Metadata Signing Certificate
  3. Deploy and configure an automated metadata refresh process by installing and configuring the recommended Metadata Client Software so that it:
    1. Refresh metadata at least daily (but more often if possible)
    2. Validate the expiration date on downloaded metadata
    3. Verify the XML signature on downloaded metadata
  4. Adjust your outbound firewall rules (if necessary)

Refresh Interval

Deployments are strongly encouraged to refresh metadata at least daily. If your metadata client supports HTTP Conditional GET, configure the client to attempt a refresh operation every hour. This strategy provides the best protection in the event of a key compromise.

Validity Check

Federation metadata has an expiration date, much like an X.509 certificate. It is important that expired metadata not be accepted; otherwise an attacker able to interfere with metadata refresh could substitute an expired (and therefore stale) metadata file. In particular, a metadata file should not be accepted if any of the following conditions is true:

  1. The metadata file does not have a validUntil attribute on the root element.
  2. The validUntil attribute on the root element is expired.
  3. The validUntil attribute on the root element is too far into the future.

A metadata reload process should check each of the above conditions before accepting the metadata. Alternatively, if your SAML implementation is known to ignore or reject expired metadata (a basic correctness requirement), it may be sufficient to ensure that a validUntil attribute exists and is not unexpectedly far into the future.

Warning: Verify the expiration date independently!

Verifying the signature on a SAML metadata file does not verify the presence or value of an expiration date. The only way to verify the expiration date is to parse the XML.
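The three validUntil conditions above, implemented as an added Python example (not part of this page or of any federation's metadata client software). The namespace is the standard SAML 2.0 metadata namespace; the 14-day ceiling on future validity, the sample documents and the fixed clock are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROOT_TAGS = {f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"}
# Policy value chosen for this example (an assumption, not a federation requirement):
# an aggregate claiming validity further ahead than this is treated as suspect.
MAX_VALIDITY = timedelta(days=14)
# Fixed clock so the sample runs are reproducible (constructed).
FIXED_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def parse_xs_datetime(value):
    """Parse an xs:dateTime such as 2024-05-01T12:00:00Z into a tz-aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("validUntil lacks a time zone")
    return parsed

def check_valid_until(metadata_xml, now=None, max_validity=MAX_VALIDITY):
    """Return (accepted, reason) after applying the expiry checks to a metadata document."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    if root.tag not in ROOT_TAGS:
        return False, "root element is not SAML metadata"
    value = root.get("validUntil")          # condition 1: attribute must exist
    if value is None:
        return False, "no validUntil attribute on the root element"
    try:
        valid_until = parse_xs_datetime(value)
    except ValueError as exc:
        return False, f"unparseable validUntil: {exc}"
    if valid_until <= now:                  # condition 2: already expired
        return False, f"metadata expired at {value}"
    if valid_until - now > max_validity:    # condition 3: too far into the future
        return False, f"validUntil {value} is too far into the future"
    return True, f"metadata valid until {value}"

def sample(valid_until_attr):
    """Build a minimal constructed aggregate (not real federation metadata)."""
    return (f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="example"{valid_until_attr}>'
            '<md:EntityDescriptor entityID="https://idp.example.org/idp"/>'
            '</md:EntitiesDescriptor>')

if __name__ == "__main__":
    for label, attr in [("missing", ""),
                        ("expired", ' validUntil="2024-04-30T12:00:00Z"'),
                        ("too far", ' validUntil="2025-05-01T12:00:00Z"'),
                        ("good", ' validUntil="2024-05-05T12:00:00Z"')]:
        print(label, check_valid_until(sample(attr), now=FIXED_NOW))
```

Run this after signature verification succeeds, not instead of it; a valid signature says nothing about the attribute's presence or value.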

Signature Verification

Federation metadata is signed for integrity and authenticity. Participants are strongly encouraged to verify the XML signature on the metadata file before use; failure to do so will seriously compromise the security of your SAML deployment.

...

For convenience, we provide a set of (suitably modified) schema files that permit offline schema validation.

...