The InCommon Federation metadata is published at the following location:
InCommon strongly recommends that you refresh your metadata daily to ensure that your SAML endpoints have access to the most up-to-date keys and other registered information. Some software implementations (such as Shibboleth) handle metadata with ease, but please read this entire page to understand the requirements and pitfalls associated with metadata consumption.
If you don't refresh your metadata regularly, it is likely your software implementation will fail at some point since the XML document carries an expiration date (
validUntil) that causes the metadata to expire in three weeks. InCommon strongly recommends that you do not rely on the actual length of this validity interval in any way, and in fact, we reserve the right to shorten the validity interval with little or no notice.
Depending on your environment, you may have to poke a hole in an outbound firewall to get metadata refesh to work. In that case, you will actually want to poke two holes in that firewall since there are two metadata servers as described below.
wayf.incommonfederation.org resolves to one of two identical servers, either in Michigan (184.108.40.206) or Indiana (220.127.116.11). The actual server used at any given point in time is unspecified and left to the discretion of InCommon Operations. If one of the servers goes down or requires maintenance, the other can be brought up within minutes, with minimal disruption of services.
Therefore, please make sure both your SAML implementation and your metadata refresh processes are configured with hostname
wayf.incommonfederation.org (as opposed to an IP address). On the other hand, make sure your outbound firewall (if any) is configured with both IP addresses (18.104.22.168 and 22.214.171.124).
Federation metadata is signed for integrity and authenticity. Participants are strongly encouraged to verify the XML signature on the metadata file before use.
To bootstrap the trust fabric of the Federation, participants are required to download the following certificate, which contains the public key corresponding to the Federation's private metadata signing key:
You may check the integrity of the downloaded certificate in a variety of ways. For example, one could use
openssl after the fact as follows:
$ openssl x509 -sha1 -in incommon.pem -noout -fingerprint
Once this certificate file is locally installed, you can use it to verify the signature on the metadata file in conjunction with the refresh process.
Federation metadata has an expiration date, much like an X.509 certificate. It is important that expired metadata not be accepted, otherwise an attacker would be able to substitute expired metadata in conjunction with a metadata refresh. In particular, a metadata file should not be accepted if any of the following conditions are true:
- If the metadata file does not have a
validUntilattribute on the root element.
- If the
validUntilattribute on the root element is expired.
- If a
validUntilattribute on a child element is expired.
A metadata reload process should check each of the above conditions before accepting the metadata.
Verifying the signature on a SAML metadata file does not verify the expiration date(s). The only way to do that is to parse the XML.
If you plan on using the Shibboleth software for the purposes of federation, you can in fact also use Shibboleth to download and verify the signed metadata without having to rely on any other tools. Regardless of your implementation, however, you can always set up a cron job to refresh your metadata, but in that case you will also need a tool to verify the XML signature at the time of refresh and another tool to prune expired metadata from the aggregate.
Apart from this refresh process, your software implementation needs to be configured to consume the InCommon metadata. Exactly how this is done depends on your implementation of course. Instructions how to configure Shibboleth for metadata consumption are provided elsewhere in this wiki. Also, see the resources linked below for related information.