
Shibboleth Metadata Configuration

The Shibboleth software not only consumes metadata, it also fetches and verifies a fresh metadata file on a regular basis. Later versions of Shibboleth are highly optimized with respect to metadata handling.

The following examples fetch the production metadata aggregate. See the Metadata Aggregates wiki page for other options.

Configure the Shibboleth IdP

To configure Shibboleth IdP 2.2 (and later) to download and verify signed Federation metadata every hour, do the following:

Configure IdP 2.2 (and later)
<!--
    The following MetadataProvider (a child element of a ChainingMetadataProvider)
    refreshes the InCommon production metadata aggregate.
-->
<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" 
    id="ICMD" xsi:type="FileBackedHTTPMetadataProvider" maxRefreshDelay="PT1H"
    metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
    backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">

  <!-- Use a chaining filter to allow multiple filters to be added -->
  <MetadataFilter xsi:type="ChainingFilter">

    <!--
        Require a validUntil XML attribute on the EntitiesDescriptor element
        and make sure its value is no more than 14 days into the future 
    -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />

    <!--
        Require the metadata to be signed and use the trust engine
        labeled id="ICTrust" to determine its trustworthiness
    -->
    <MetadataFilter xsi:type="SignatureValidation" 
        trustEngineRef="ICTrust" requireSignedMetadata="true" />

    <!-- Consume all SP metadata in the aggregate -->
    <MetadataFilter xsi:type="EntityRoleWhiteList">
      <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
    </MetadataFilter>

  </MetadataFilter>
</MetadataProvider>

...

<!--
    This TrustEngine (beneath the Security Configuration section) is an
    implementation of the Explicit Key Trust Model, that is, trust is
    based solely on the metadata signing key, not the certificate
    that contains that key.
-->
<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">

  <!--
      Fetch the InCommon metadata signing certificate and check its integrity:

      $ /usr/bin/curl --silent http://md.incommon.org/certs/inc-md-cert.pem \
          | /usr/bin/tee /opt/shibboleth-idp/credentials/inc-md-cert.pem \
          | /usr/bin/openssl x509 -sha1 -noout -fingerprint
      SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
  -->
  <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/inc-md-cert.pem</security:Certificate>
  </security:Credential>
</security:TrustEngine>

Configure the Shibboleth SP

To configure Shibboleth SP 2.4 (and later) to download and verify signed Federation metadata every hour, do the following:

Configure SP 2.4 (and later)
<!--
    The following MetadataProvider refreshes the InCommon production metadata aggregate.
-->
<MetadataProvider type="XML" 
    url="http://md.incommon.org/InCommon/InCommon-metadata.xml"
    backingFilePath="InCommon-metadata.xml" maxRefreshDelay="3600">

  <!--
      Require a validUntil XML attribute on the EntitiesDescriptor element
      and make sure its value is no more than 14 days into the future
  -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

  <!-- Verify the signature on the metadata file -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>

  <!-- Consume all IdP metadata in the aggregate -->
  <MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
  </MetadataFilter>
</MetadataProvider>
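The following script is an added pre-flight check, not code from the InCommon wiki or the Shibboleth project: it applies the same policy as the RequiredValidUntil/RequireValidUntil and EntityRoleWhiteList filters in the IdP and SP configurations above to a fetched aggregate, so an operator can see why a refresh would be rejected before the software itself refuses the file. The sample aggregate and its entityIDs are constructed, and signature verification is deliberately left to the trust engine (the script only confirms that a ds:Signature element is present).

```python
"""Pre-flight checks mirroring the validUntil and role-whitelist metadata filters.

Added example (not part of Shibboleth or the InCommon wiki). The sample
metadata below is constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed aggregate: one SP and one IdP, signed, valid until 29 Jan 2014.
SAMPLE_AGGREGATE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2014-01-29T00:00:00Z">
  <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def parse_valid_until(value):
    """Parse an xs:dateTime in UTC (e.g. 2014-01-29T00:00:00Z) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_aggregate(xml_text, now, max_validity=timedelta(days=14),
                    retained_roles=("SPSSODescriptor",)):
    """Raise ValueError if the aggregate would fail the configured filters.

    Returns the entityIDs that keep at least one retained role, which is what
    EntityRoleWhiteList leaves behind after stripping the other roles.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % MD:
        raise ValueError("root element is not md:EntitiesDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None:                      # RequiredValidUntil: attribute must exist
        raise ValueError("validUntil attribute missing on EntitiesDescriptor")
    expires = parse_valid_until(valid_until)
    if expires <= now:
        raise ValueError("metadata has already expired")
    if expires - now > max_validity:             # maxValidityInterval (P14D / 1209600 s)
        raise ValueError("validUntil is further ahead than maxValidityInterval")
    if root.find("ds:Signature", NS) is None:    # presence only; trust engine verifies
        raise ValueError("aggregate carries no ds:Signature")
    retained = []
    for ed in root.iterfind("md:EntityDescriptor", NS):
        if any(ed.find("md:%s" % role, NS) is not None for role in retained_roles):
            retained.append(ed.get("entityID"))
    return retained
```

Run it with `retained_roles=("IDPSSODescriptor", "AttributeAuthorityDescriptor")` to mirror the SP-side whitelist instead of the IdP-side one.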

For More Information
