Versions Compared

Old Version 42

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version 43

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To configure Shibboleth IdP 3.0 (and later) to download and verify signed InCommon metadata every hour, do the following:

Code Block
languageXML
titleConfigure Shib Shibboleth IdP 23.2 0 (and later)
<!-- 
  Use a ChainingMetadataProvider in case you want to nest other metadata providers later on 
-->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata">

  <!--
    Refresh the InCommon production metadata aggregate every hour.
 
    Note: The defaults for minRefreshDelay, maxRefreshDelay, and refreshDelayFactor
    are "PT5M", "PT4H", and "0.75", respectively. The default for maxRefreshDelay
    has been modified below such that the metadata is refreshed every hour ("PT1H").
    The other properties merely regurgitate their default values. They are included
    here for convenience, in case you want to change their default values.
  -->
  <MetadataProvider id="ICMD" xsi:type="FileBackedHTTPMetadataProvider"
                    xmlns="urn:mace:shibboleth:2.0:metadata"
                    metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                    backingFile="%{idp.home}/metadata/InCommon-metadata.xml"
                    minRefreshDelay="PT5M"
                    maxRefreshDelay="PT1H"
                    refreshDelayFactor="0.75">

      <!--
        To bootstrap the trust fabric of the federation, each relying party 
        obtains and configures an authentic copy of the federation operator’s 
        Metadata Signing Certificate (https://spaces.at.internet2.edu/x/moHFAg).
 
        Fetch the InCommon metadata signing certificate and check its integrity:
 
        $ IDP_HOME=/opt/shibboleth-idp
        $ /usr/bin/curl --silent https://ds.incommon.org/certs/inc-md-cert.pem \
            | /usr/bin/tee $IDP_HOME/credentials/inc-md-cert.pem \
            | /usr/bin/openssl x509 -sha1 -noout -fingerprint
        SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
      -->
      <MetadataFilter xsi:type="SignatureValidation" requireSignedMetadata="true"
              certificateFile="%{idp.home}/credentials/inc-md-cert.pem" />

      <!--
        Require a validUntil XML attribute on the EntitiesDescriptor element
        and make sure its value is no more than 14 days into the future 
      -->
      <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />

      <!-- Consume all SP metadata in the aggregate -->
      <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
      </MetadataFilter>

  </MetadataProvider>

</MetadataProvider>

To configure Shibboleth IdP 2.2 (and later) to download and verify signed InCommon metadata every hour, do the following:

XML
Code Block
language
titleConfigure Shib Shibboleth IdP 2.2 (and later)
<!-- Chaining metadata provider defined in the default IdP relying-party configuration file -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata">

  <!--
    Refresh the InCommon production metadata aggregate every hour.
 
    Note: The defaults for minRefreshDelay, maxRefreshDelay, and refreshDelayFactor
    are "PT5M", "PT4H", and "0.75", respectively. The default for maxRefreshDelay
    has been modified below such that the metadata is refreshed every hour ("PT1H").
    The other properties merely regurgitate their default values. They are included
    here for convenience, in case you want to change their default values.
  -->
  <MetadataProvider id="ICMD" xsi:type="FileBackedHTTPMetadataProvider"
                    xmlns="urn:mace:shibboleth:2.0:metadata"
                    metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                    backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml"
                    minRefreshDelay="PT5M"
                    maxRefreshDelay="PT1H"
                    refreshDelayFactor="0.75">

    <!-- Use a chaining filter to allow multiple filters to be added -->
    <MetadataFilter xsi:type="ChainingFilter">

        <!--
          Require the metadata to be signed and use the trust engine
          labeled id="ICTrust" to determine its trustworthiness
        -->
        <MetadataFilter xsi:type="SignatureValidation" 
                        trustEngineRef="ICTrust" requireSignedMetadata="true" />

        <!--
          Require a validUntil XML attribute on the EntitiesDescriptor element
          and make sure its value is no more than 14 days into the future 
        -->
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />

        <!-- Consume all SP metadata in the aggregate -->
        <MetadataFilter xsi:type="EntityRoleWhiteList">
          <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
        </MetadataFilter>

    </MetadataFilter>
  </MetadataProvider>

</MetadataProvider>

<!--
  This TrustEngine (beneath the Security Configuration section) is an 
  implementation of the Explicit Key Trust Model (https://spaces.at.internet2.edu/x/t43NAQ).
 
  To bootstrap the trust fabric of the federation, each relying party 
  obtains and configures an authentic copy of the federation operator’s 
  Metadata Signing Certificate (https://spaces.at.internet2.edu/x/moHFAg).
 
  Fetch the InCommon metadata signing certificate and check its integrity:
 
  $ /usr/bin/curl --silent https://ds.incommon.org/certs/inc-md-cert.pem \
      | /usr/bin/tee /opt/shibboleth-idp/credentials/inc-md-cert.pem \
      | /usr/bin/openssl x509 -sha1 -noout -fingerprint
  SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
-->
<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">

  <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate>
  </security:Credential>
</security:TrustEngine>

...

To configure Shibboleth SP 2.4 (and later) to download and verify signed InCommon metadata every hour, do the following:

Code Block
languageXML
titleConfigure Shib Shibboleth SP 2.4 (and later)
<!--
  The following MetadataProvider refreshes the InCommon production metadata aggregate.
-->
<MetadataProvider type="XML" 
    url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
    backingFilePath="InCommon-metadata.xml" maxRefreshDelay="3600">

  <!--
    Require a validUntil XML attribute on the EntitiesDescriptor element
    and make sure its value is no more than 14 days into the future 
  -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

  <!-- Verify the signature on the metadata file -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

  <!-- Consume all IdP metadata in the aggregate -->
  <MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
  </MetadataFilter>

</MetadataProvider>

...