<!--
The following MetadataProvider attempts to refresh the InCommon
IdP-only metadata aggregate every hour.
The discovery interface relies primarily on mdui:DisplayName.
To fall back on md:OrganizationDisplayName if mdui:DisplayName
is missing from IdP metadata, add legacyOrgNames="true" to the
MetadataProvider element as shown below.
-->
<MetadataProvider type="XML"
url="http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml"
backingFilePath="InCommon-metadata-idp-only.xml"
maxRefreshDelay="3600"
legacyOrgNames="true">
<!--
To bootstrap the trust fabric of the federation, each relying party
obtains and configures an authentic copy of the federation operator’s
Metadata Signing Certificate (https://spaces.at.internet2.edu/x/moHFAg).
Fetch the InCommon Metadata Signing Certificate and check its integrity:
$ /usr/bin/curl -s https://ds.incommon.org/certs/inc-md-cert.pem \
| /usr/bin/tee inc-md-cert.pem \
| /usr/bin/openssl x509 -sha1 -fingerprint -noout
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
Verify the signature on the root element of the metadata aggregate
(i.e., the EntitiesDescriptor element) using the trusted Metadata
Signing Certificate.
A large metadata file can cause a significant increase in startup
time at the SP. This is due to the time it takes to verify the
signature on the metadata, which is known to increase exponentially
as the size of the metadata file increases. To disable signature
verification at startup time only, add verifyBackup="false" to the
MetadataFilter element below.
-->
<MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>
<!--
Require a validUntil XML attribute on the EntitiesDescriptor element
and make sure its value is no more than 14 days into the future
-->
<MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
<!--
Consume all IdP metadata in the aggregate. TIP: If the SP supports
SAML2 Web Browser SSO only, the md:AttributeAuthorityDescriptor
elements in IdP metadata can be ignored.
-->
<MetadataFilter type="EntityRoleWhiteList">
<RetainedRole>md:IDPSSODescriptor</RetainedRole>
<RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
</MetadataFilter>
<!--
Hide all IdPs with the hide-from-discovery entity attribute.
This filter has no effect if your app has no discovery interface.
Note: Hiding an IdP from the discovery interface does NOT prevent
the SP from accepting an assertion from the IdP.
-->
<DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
attributeName="http://macedir.org/entity-category"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="http://refeds.org/category/hide-from-discovery"/>
</MetadataProvider>
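The following is an added example, not part of the configuration above and not Shibboleth SP code. It models, offline and in plain Python, what the filter chain configured above does to an aggregate: the RequireValidUntil check with the 14-day maxValidityInterval, the EntityRoleWhiteList that keeps only md:IDPSSODescriptor and md:AttributeAuthorityDescriptor, and the discovery blacklist keyed on the hide-from-discovery entity category. It also shows the trust-bootstrap step from the comment above, computing the SHA-1 fingerprint of a PEM certificate for comparison against the published value. The sample aggregate, its entityIDs and the PEM body are constructed for the example; the fingerprint constant is the one quoted on the page. XML signature verification itself is not modelled.

```python
"""Offline model of the filter chain configured above (an added example, not
Shibboleth SP code): RequireValidUntil, EntityRoleWhiteList and the
hide-from-discovery DiscoveryFilter applied to a constructed aggregate, plus the
fingerprint check that bootstraps trust in the Metadata Signing Certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_VALIDITY_INTERVAL = 1209600  # seconds (14 days), as in the config above
RETAINED_ROLES = {"IDPSSODescriptor", "AttributeAuthorityDescriptor"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"
# Published fingerprint of the InCommon signing certificate, taken from the page.
INCOMMON_CERT_SHA1 = "7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD"

def pem_sha1_fingerprint(pem):
    """SHA-1 fingerprint as `openssl x509 -fingerprint` prints it: the hash of
    the DER bytes, i.e. the base64-decoded body between the BEGIN/END lines."""
    body = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    digest = hashlib.sha1(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))

def parse_utc(value):  # xsd:dateTime in UTC, e.g. 2024-01-15T00:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def require_valid_until(root, now, max_interval=MAX_VALIDITY_INTERVAL):
    """RequireValidUntil: validUntil must exist, lie in the future, and be no
    more than max_interval seconds ahead of now."""
    value = root.get("validUntil")
    if value is None:
        raise ValueError("EntitiesDescriptor has no validUntil attribute")
    valid_until = parse_utc(value)
    if valid_until <= now:
        raise ValueError("metadata has expired")
    if valid_until - now > timedelta(seconds=max_interval):
        raise ValueError("validUntil exceeds maxValidityInterval")
    return valid_until

def retain_roles(root, retained=RETAINED_ROLES):
    """EntityRoleWhiteList: strip every role descriptor not in `retained` and
    drop entities left with no role. Returns the surviving entityIDs."""
    kept = []
    for ed in list(root.findall("md:EntityDescriptor", NS)):
        for child in list(ed):
            local = child.tag.rsplit("}", 1)[-1]
            if local.endswith("Descriptor") and local not in retained:
                ed.remove(child)
        if any(c.tag.rsplit("}", 1)[-1].endswith("Descriptor") for c in ed):
            kept.append(ed.get("entityID"))
        else:
            root.remove(ed)
    return kept

def hidden_from_discovery(ed):
    """True if the entity carries the REFEDS hide-from-discovery entity category."""
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            for val in attr.findall("saml:AttributeValue", NS):
                if (val.text or "").strip() == HIDE_FROM_DISCOVERY:  # trimTags="true"
                    return True
    return False

def discovery_list(root):
    """IdPs the discovery interface may show. Display filter only: the SP
    still accepts assertions from a hidden IdP."""
    return [ed.get("entityID") for ed in root.findall("md:EntityDescriptor", NS)
            if ed.find("md:IDPSSODescriptor", NS) is not None and not hidden_from_discovery(ed)]

def apply_filters(xml_text, now_iso):
    """Run the chain in the order the config lists it; returns (error, retained
    entityIDs, discovery list). error is None when the aggregate is accepted."""
    root = ET.fromstring(xml_text)
    try:
        require_valid_until(root, parse_utc(now_iso))
    except ValueError as err:
        return str(err), [], []
    retained = retain_roles(root)
    return None, retained, discovery_list(root)

# Constructed sample aggregate (not real InCommon metadata): a normal IdP, an
# IdP hidden from discovery, and an SP that the role whitelist removes.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor validUntil="2024-01-15T00:00:00Z"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor/><md:AttributeAuthorityDescriptor/></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://test-idp.example.edu/idp">
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue> http://refeds.org/category/hide-from-discovery </saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions><md:IDPSSODescriptor/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
# Constructed stand-in for inc-md-cert.pem; the body is not a real certificate.
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(
    b"constructed DER bytes, not a certificate").decode() + "\n-----END CERTIFICATE-----\n")
```

Calling `apply_filters(SAMPLE_AGGREGATE, "2024-01-05T00:00:00Z")` accepts the aggregate (validUntil is 10 days out), keeps the two IdP entities and lists only `https://idp.example.edu/idp` for discovery; moving the clock back to 2023-12-31 makes the same file fail the 14-day bound, which is the point of the filter: an aggregate that validates its signature but is stale, or one served with an open-ended validUntil, is rejected before any role or discovery processing happens. The fingerprint helper reproduces what the `openssl x509 -sha1 -fingerprint` step in the comment computes, so the constructed PEM, as expected, does not match the published InCommon value.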