The configuration examples below apply to the specific versions of Shibboleth noted.
The Shibboleth software will not only consume metadata, it will also fetch and verify a fresh metadata file on a regular basis.
Configure the IdP
To configure a Shibboleth IdP to download and verify signed Federation metadata every 8 hours, do the following:
2.2 and Above
<!-- inside the ChainingMetadataProvider --> <MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD" xsi:type="FileBackedHTTPMetadataProvider" maxRefreshDelay="PT8H" metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml" backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml"> <MetadataFilter xsi:type="ChainingFilter"> <!-- Require metadata expiration at least monthly (28 days) --> <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" /> <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" /> <MetadataFilter xsi:type="EntityRoleWhiteList"> <RetainedRole>samlmd:SPSSODescriptor</RetainedRole> </MetadataFilter> </MetadataFilter> </MetadataProvider> ... <!- underneath the Security Configuration section --> <security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature"> <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem"> <security:Certificate>/opt/shibboleth-idp/credentials/incommon.pem</security:Certificate> </security:Credential> </security:TrustEngine>
Do earlier versions of the Shibboleth IdP have the ability to specify a refresh interval? The following example appears to be incomplete:
2.1.5 and Below
<!-- inside the ChainingMetadataProvider --> <MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD" xsi:type="FileBackedHTTPMetadataProvider" metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml" backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml"> <MetadataFilter xsi:type="ChainingFilter"> <!-- Require metadata expiration at least monthly (28 days) --> <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" /> <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" /> <MetadataFilter xsi:type="EntityRoleWhiteList"> <RetainedRole>samlmd:SPSSODescriptor</RetainedRole> </MetadataFilter> </MetadataFilter> </MetadataProvider> ... <!- underneath the Security Configuration section --> <security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature"> <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem"> <security:Certificate>/opt/shibboleth-idp/credentials/incommon.pem</security:Certificate> </security:Credential> </security:TrustEngine>
If you've successfully configured v2.1.5 (or earlier) of the Shibboleth IdP to fetch and verify metadata, please report your configuration to the incommon-participants@incommon.org mailing list.
Configure the SP
To configure a Shibboleth SP to download and verify signed Federation metadata every 8 hours, do the following:
2.4 and Above
<MetadataProvider type="XML" uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml" backingFilePath="InCommon-metadata.xml" maxRefreshDelay="28800"> <!-- Verify the signing key --> <SignatureMetadataFilter certificate="incommon.pem"/> <!-- Require metadata expiration at least monthly (28 days) --> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> </MetadataProvider>
2.3.1 and Below
<MetadataProvider type="XML" uri="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml" backingFilePath="InCommon-metadata.xml" reloadInterval="28800"> <!-- Verify the signing key --> <SignatureMetadataFilter certificate="incommon.pem"/> <!-- Require metadata expiration at least monthly (28 days) --> <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> </MetadataProvider>