The configuration examples here assume the latest supported versions of Shibboleth, unless otherwise noted.
The Shibboleth software will not only consume metadata, it will also fetch and verify a fresh metadata file on a regular basis.
Configure the IdP
To configure a Shibboleth IdP to download and verify signed Federation metadata, do the following:
Configure the IdP (2.2 and later)
<!-- inside the ChainingMetadataProvider -->
<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata"
id="ICMD" xsi:type="FileBackedHTTPMetadataProvider"
maxRefreshDelay="P8H"
metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
<MetadataFilter xsi:type="ChainingFilter">
<!-- Require metadata expiration at least monthly (28 days) -->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
<MetadataFilter xsi:type="SignatureValidation"
trustEngineRef="ICTrust" requireSignedMetadata="true" />
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataFilter>
</MetadataProvider>
...
<!- underneath the Security Configuration section -->
<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
<security:Certificate>/opt/shibboleth-idp/credentials/incommon.pem</security:Certificate>
</security:Credential>
</security:TrustEngine>
Configure the IdP (2.1.5 and earlier)
<!-- inside the ChainingMetadataProvider -->
<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata"
id="ICMD" xsi:type="FileBackedHTTPMetadataProvider"
metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
<MetadataFilter xsi:type="ChainingFilter">
<!-- Require metadata expiration at least monthly (28 days) -->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
<MetadataFilter xsi:type="SignatureValidation"
trustEngineRef="ICTrust" requireSignedMetadata="true" />
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataFilter>
</MetadataProvider>
...
<!- underneath the Security Configuration section -->
<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
<security:Certificate>/opt/shibboleth-idp/credentials/incommon.pem</security:Certificate>
</security:Credential>
</security:TrustEngine>
Configure the SP
Similarly, to configure a Shibboleth SP, do the following:
Configure the SP (2.4 and later)
<MetadataProvider type="XML"
uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
backingFilePath="InCommon-metadata.xml" maxRefreshDelay="28800">
<!-- Verify the signing key -->
<SignatureMetadataFilter certificate="incommon.pem"/>
<!-- Require metadata expiration at least monthly (28 days) -->
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>
Configure the SP (2.3.1 and earlier)
<MetadataProvider type="XML"
uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
backingFilePath="InCommon-metadata.xml" reloadInterval="28800">
<!-- Verify the signing key -->
<SignatureMetadataFilter certificate="incommon.pem"/>
<!-- Require metadata expiration at least monthly (28 days) -->
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>