Assuming you trust the metadata registration practices of the InCommon Federation, you will want to To ensure the security of your metadata refresh process, you must verify the XML signature on each and every metadata aggregate you consume. Failure to do so will seriously compromise the security of your metadata refresh process.To verify the XML signature on a SAML metadata aggregateTo do that, you need an authentic copy of the metadata signing certificate, that is, the certificate that contains the public key corresponding to the private InCommon metadata signing key. The certificate must be obtained securely since all subsequent operations depend on it.
Warning | ||
---|---|---|
| ||
To bootstrap your trusted metadata process, you MUST check the integrity of the metadata signing certificate configured into that process. It is not sufficient to fetch the certificate via a TLS-protected HTTPS connection. |
The metadata signing certificate used to verify the XML signature on one of the new Metadata Aggregates is stored at the following location:
...
. |
...
You may check the integrity of the downloaded certificate in a variety of ways. For example, on a GNU/Linux system, you could use curl
and openssl
to check the integrity of the metadata signing certificate as follows:
...