...
Code Block | ||||
---|---|---|---|---|
| ||||
<!-- Chaining metadata provider defined in the default IdP relying-party configuration file --> <MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"> <!-- Refresh the InCommon production metadata aggregate every hour --> <MetadataProvider id="ICMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml" backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml" maxRefreshDelay="PT1H"> <!-- Use a chaining filter to allow multiple filters to be added --> <MetadataFilter xsi:type="ChainingFilter"> <!-- Require a validUntil XML attribute on the EntitiesDescriptor element and make sure its value is no more than 14 days into the future --> <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" /> <!-- Require the metadata to be signed and use the trust engine labeled id="ICTrust" to determine its trustworthiness --> <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" /> <!-- Consume all SP metadata in the aggregate --> <MetadataFilter xsi:type="EntityRoleWhiteList"> <RetainedRole>samlmd:SPSSODescriptor</RetainedRole> </MetadataFilter> </MetadataFilter> </MetadataProvider> </MetadataProvider> <!-- This TrustEngine (beneath the Security Configuration section) is an implementation of the Explicit Key Trust Model (https://spaces.at.internet2.edu/x/t43NAQ). To bootstrap the trust fabric of the federation, each relying party obtains and configures an authentic copy of the federation operator’s Metadata Signing Certificate (https://spaces.at.internet2.edu/x/moHFAg). Fetch the InCommon metadata signing certificate and check its integrity: $ /usr/bin/curl --silent httphttps://mdds.incommon.org/certs/inc-md-cert.pem \ | /usr/bin/tee /opt/shibboleth-idp/credentials/inc-md-cert.pem \ | /usr/bin/openssl x509 -sha1 -noout -fingerprint SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD --> <security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature"> <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem"> <security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate> </security:Credential> </security:TrustEngine> |
...