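<!--
Main InCommon metadata aggregate. The SP re-fetches it at most every hour
(maxRefreshDelay is in seconds); backingFilePath is the local copy of the
aggregate (presumably what the SP falls back to when a refresh fails; confirm
against the SP documentation). IdPs carrying the hide-from-discovery entity
attribute are hidden from the discovery interface by the DiscoveryFilter at
the end of this provider.

The aggregate is fetched over plain http, so the transport gives no
authenticity. The Signature filter below is what authenticates the
aggregate; removing or weakening it leaves the SP consuming unauthenticated
metadata.
-->
<MetadataProvider type="XML"
                  backingFilePath="InCommon-metadata.xml"
                  maxRefreshDelay="3600"
                  url="http://md.incommon.org/InCommon/InCommon-metadata.xml">

  <!--
  Trust bootstrap: each relying party obtains and configures, out of band,
  an authentic copy of the federation operator's Metadata Signing
  Certificate (https://spaces.at.internet2.edu/x/moHFAg).

  Fetch the InCommon Metadata Signing Certificate and check its integrity.
  curl's short option -s (the same as its long "silent" option) is used here
  because a double hyphen is not permitted inside an XML comment and would
  make this file ill-formed:

    $ /usr/bin/curl -s https://ds.incommon.org/certs/inc-md-cert.pem \
        | /usr/bin/tee inc-md-cert.pem \
        | /usr/bin/openssl x509 -sha1 -fingerprint -noout
    SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD

  Compare the printed fingerprint with the value published by the federation
  operator before trusting the file; the download by itself proves nothing.
  If the operator also publishes a SHA-256 fingerprint, compare that one
  (openssl x509 -sha256 -fingerprint) in preference to SHA-1.

  This filter verifies the signature on the root element of the aggregate
  (the EntitiesDescriptor element) with that trusted certificate.
  -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

  <!--
  Require a validUntil attribute on the EntitiesDescriptor element and make
  sure its value is no more than 14 days (1209600 seconds) into the future.
  The intent is to bound how long an old, still validly signed copy of the
  aggregate remains acceptable.
  -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

  <!--
  Consume all IdP metadata in the aggregate: keep only the two IdP-side
  roles listed; roles not listed are not retained.
  -->
  <MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
  </MetadataFilter>

  <!--
  Hide every IdP that carries the hide-from-discovery entity attribute.
  This affects only the discovery interface: it is not an access control,
  and it does NOT prevent the SP from accepting an assertion from such an
  IdP. trimTags="true" ignores surrounding whitespace in the attribute value.
  -->
  <DiscoveryFilter type="Blacklist"
                   matcher="EntityAttributes"
                   trimTags="true"
                   attributeName="http://macedir.org/entity-category"
                   attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                   attributeValue="http://refeds.org/category/hide-from-discovery"/>
</MetadataProvider>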