<!-- Chaining metadata provider defined in the default IdP relying-party configuration file -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata">
<!-- Refresh the InCommon production metadata aggregate every hour -->
<MetadataProvider id="ICMD" xsi:type="FileBackedHTTPMetadataProvider"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml"
maxRefreshDelay="PT1H">
<!-- Use a chaining filter to allow multiple filters to be added -->
<MetadataFilter xsi:type="ChainingFilter">
<!--
Require a validUntil XML attribute on the EntitiesDescriptor element
and make sure its value is no more than 14 days into the future
-->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />
<!--
Require the metadata to be signed and use the trust engine
labeled id="ICTrust" to determine its trustworthiness
-->
<MetadataFilter xsi:type="SignatureValidation"
trustEngineRef="ICTrust" requireSignedMetadata="true" />
<!-- Consume all SP metadata in the aggregate -->
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataFilter>
</MetadataProvider>
</MetadataProvider>
<!--
This TrustEngine (beneath the Security Configuration section) is an
implementation of the Explicit Key Trust Model (https://spaces.at.internet2.edu/x/t43NAQ).
To bootstrap the trust fabric of the federation, each relying party
obtains and configures an authentic copy of the federation operator’s
Metadata Signing Certificate (https://spaces.at.internet2.edu/x/moHFAg).
Fetch the InCommon metadata signing certificate and check its integrity:
$ /usr/bin/curl --silent http://md.incommon.org/certs/inc-md-cert.pem \
| /usr/bin/tee /opt/shibboleth-idp/credentials/inc-md-cert.pem \
| /usr/bin/openssl x509 -sha1 -noout -fingerprint
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
-->
<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
<security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate>
</security:Credential>
</security:TrustEngine>
|