
Configure Shibboleth SP 2.5 (and later):
<!--
  The following MetadataProvider refreshes the main InCommon metadata
  aggregate at most every hour (maxRefreshDelay is in seconds) and keeps a
  local backing copy so the SP can start while the network is down. It also
  hides all IdPs carrying the hide-from-discovery entity attribute from the
  discovery interface.

  The aggregate is fetched over plain http on purpose: its integrity and
  authenticity come from the XML signature verified by the Signature filter
  below, not from the transport.
-->
<MetadataProvider type="XML" 
    url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
    backingFilePath="InCommon-metadata.xml" maxRefreshDelay="3600">

  <!--
    To bootstrap the trust fabric of the federation, each relying party 
    obtains and configures an authentic copy of the federation operator’s 
    Metadata Signing Certificate (https://spaces.at.internet2.edu/x/moHFAg).
 
    Fetch the InCommon Metadata Signing Certificate and print its fingerprint:
 
    $ /usr/bin/curl --silent https://ds.incommon.org/certs/inc-md-cert.pem \
        | /usr/bin/tee inc-md-cert.pem \
        | /usr/bin/openssl x509 -sha1 -fingerprint -noout
    SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
 
    The command above only displays the fingerprint; the check is comparing
    it with the value InCommon publishes out of band (the value shown is
    that published value). If the fingerprints differ, do not install the
    file. The certificate is self-signed and long-lived, so this one-time
    comparison is the root of trust for everything the SP consumes from
    the federation.

    Verify the signature on the root element of the metadata aggregate 
    (i.e., the EntitiesDescriptor element) using the trusted Metadata 
    Signing Certificate. Filters are applied in the order listed, so keep
    this filter first: the filters that follow then operate only on
    content whose signature has already been verified.
  -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

  <!--
    Require a validUntil XML attribute on the EntitiesDescriptor element
    and make sure its value is no more than 14 days (1209600 seconds) into
    the future. This bounds how long a stale or replayed copy of a signed
    aggregate remains usable.
  -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

  <!-- Consume all IdP metadata in the aggregate -->
  <MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
  </MetadataFilter>

  <!-- Hide all IdPs with the hide-from-discovery entity attribute. -->
  <!-- This filter has no effect if your app has no discovery interface. -->
  <!-- Note: Hiding an IdP from the discovery interface does NOT prevent -->
  <!-- the SP from accepting an assertion from the IdP. -->
  <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://refeds.org/category/hide-from-discovery"/>

</MetadataProvider>
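The three non-signature filters above are easy to misread, in particular the note that hiding an IdP from discovery does not stop the SP from accepting its assertions. The following Python is an added example, not InCommon's page content and not Shibboleth SP code: it models what RequireValidUntil, EntityRoleWhiteList and the hide-from-discovery DiscoveryFilter do, run over a constructed three-entity aggregate with hypothetical entityIDs embedded inline so that it runs offline.

```python
# Added example (not Shibboleth SP code): a model of three of the filters in
# the MetadataProvider above, applied to a constructed aggregate.
#   RequireValidUntil   -> check_valid_until()
#   EntityRoleWhiteList -> retain_roles()
#   DiscoveryFilter     -> hidden_from_discovery()
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MAX_VALIDITY = dt.timedelta(seconds=1209600)  # maxValidityInterval: 14 days
ENTITY_CATEGORY = "http://macedir.org/entity-category"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"
RETAINED_ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor")

# Constructed sample (hypothetical entityIDs): a visible IdP, an IdP tagged
# hide-from-discovery (with stray whitespace around the value, which is what
# trimTags="true" is for), and an SP that the role whitelist should drop.
SAMPLE_AGGREGATE = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    validUntil="2024-01-10T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://hidden.example.edu/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>  http://refeds.org/category/hide-from-discovery </saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <md:SPSSODescriptor/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_saml_time(value):
    """Parse a whole-second UTC xs:dateTime such as 2024-01-10T00:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=dt.timezone.utc)


def check_valid_until(root, now):
    """RequireValidUntil: the root must carry validUntil, and it may not lie
    more than MAX_VALIDITY ahead of 'now'. An expired aggregate is rejected
    as well, since the SP refuses to use metadata past its validUntil."""
    value = root.get("validUntil")
    if value is None:
        raise ValueError("EntitiesDescriptor has no validUntil attribute")
    valid_until = parse_saml_time(value)
    if valid_until < now:
        raise ValueError("metadata expired at %s" % value)
    if valid_until - now > MAX_VALIDITY:
        raise ValueError("validUntil %s is more than 14 days out" % value)
    return valid_until


def retain_roles(root):
    """EntityRoleWhiteList: keep only entities that have a retained role."""
    return [ed for ed in root.findall("md:EntityDescriptor", NS)
            if any(ed.find("md:" + role, NS) is not None
                   for role in RETAINED_ROLES)]


def hidden_from_discovery(entity, trim_tags=True):
    """DiscoveryFilter Blacklist/EntityAttributes: True if the entity carries
    the hide-from-discovery entity category (values trimmed when trim_tags)."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY or attr.get("NameFormat") != URI_FORMAT:
            continue
        for av in attr.findall("saml:AttributeValue", NS):
            text = av.text or ""
            if trim_tags:
                text = text.strip()
            if text == HIDE_FROM_DISCOVERY:
                return True
    return False


def trusted_idps(xml_text, now_iso):
    """Entities the SP would accept assertions from after the filters above.
    Hidden IdPs are still here: DiscoveryFilter only affects discovery."""
    root = ET.fromstring(xml_text)
    check_valid_until(root, parse_saml_time(now_iso))
    return [ed.get("entityID") for ed in retain_roles(root)]


def discoverable_idps(xml_text, now_iso):
    """Entities a discovery interface fed by this SP would list."""
    root = ET.fromstring(xml_text)
    check_valid_until(root, parse_saml_time(now_iso))
    return [ed.get("entityID") for ed in retain_roles(root)
            if not hidden_from_discovery(ed)]
```

Running `trusted_idps(SAMPLE_AGGREGATE, "2024-01-01T00:00:00Z")` returns both IdPs while `discoverable_idps` returns only the visible one, which is the distinction the comments on the DiscoveryFilter make. Moving `now` back to 2023-12-01 puts validUntil 40 days out and the validity check refuses the aggregate, as the real filter would; an SP that actually needs to refuse a hidden IdP has to use an entity-level filter, not the discovery filter.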
Tip: Slow network connection?

If you routinely experience network issues while refreshing InCommon metadata, try increasing the timeout on the SP's metadata refresh process. For example, adding the following child element to the <MetadataProvider> element above sets the transport timeout (libcurl option 13, CURLOPT_TIMEOUT) to 120 seconds. Raise the timeout rather than disabling the refresh: an SP that cannot refresh keeps serving its backing file until validUntil passes, after which the RequireValidUntil filter causes the whole aggregate to be rejected.

<TransportOption provider="CURL" option="13">120</TransportOption>

See the NativeSPTransportOption topic in the Shibboleth wiki for more details.


For More Information