metadata-support - [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version
Subject: InCommon metadata support
- From: Brian Gibson <>
- To:
- Subject: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version
- Date: Thu, 19 Dec 2013 09:38:11 -0500
Hi All,

We are fairly new to Shibboleth so be gentle ;-)

We are running Shibboleth IdP version 2.4 on a Windows 2008 R2 server and we have an existing trust relationship with InCommon. My guess is the only things we will need to do to accommodate the metadata and signing certificate changes Tom recently mentioned would be to edit the following two sections in the relying-party.xml file.

Change this section

    <MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD"
                      xsi:type="FileBackedHTTPMetadataProvider"
                      maxRefreshDelay="PT1H"
                      metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
                      backingFile="C:\Program Files (x86)\Internet2\Shib2Idp\conf\InCommon-config.xml">
        <MetadataFilter xsi:type="ChainingFilter">
            <!-- Require metadata expiration at least monthly (28 days) -->
            <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
            <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" />
            <MetadataFilter xsi:type="EntityRoleWhiteList">
                <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
            </MetadataFilter>
        </MetadataFilter>
    </MetadataProvider>

to use the new URL (only the metadataURL attribute changes)

    <MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD"
                      xsi:type="FileBackedHTTPMetadataProvider"
                      maxRefreshDelay="PT1H"
                      metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                      backingFile="C:\Program Files (x86)\Internet2\Shib2Idp\conf\InCommon-config.xml">
        <MetadataFilter xsi:type="ChainingFilter">
            <!-- Require metadata expiration at least monthly (28 days) -->
            <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
            <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" />
            <MetadataFilter xsi:type="EntityRoleWhiteList">
                <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
            </MetadataFilter>
        </MetadataFilter>
    </MetadataProvider>

Then download the new signing certificate from here

    http://md.incommon.org/certs/inc-md-cert.pem

and save it as C:\Program Files (x86)\Internet2\Shib2Idp\credentials\inc-md-cert.pem, then edit this section of the relying-party.xml file

    <security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>C:\Program Files (x86)\Internet2\Shib2Idp\credentials\incommon.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>

to read as follows (only the file name changes)

    <security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>C:\Program Files (x86)\Internet2\Shib2Idp\credentials\inc-md-cert.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>

Then stop and start Tomcat, check the IdP status page locally, and try logging in at https://service1.internet2.edu/test/ to make sure that everything works.

Am I missing something?

Thanks!

-- 
++++++++++++++++++++++++++++
Brian Gibson
Systems Administrator
Wheaton College

Are you a musician? If so visit my Arbans Online music site at http://arbansonline.com and listen & contribute
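A check a practitioner would want before the Tomcat restart, added here as an example (it is not part of Brian's message and not InCommon's or Shibboleth's own tooling): the certificate URL in the message is plain HTTP, so whatever arrives should be compared against a fingerprint obtained through a channel you trust before it is written into credentials\ and named as the trust anchor for all InCommon metadata. The script below does that, then checks relying-party.xml for the three settings the message changes or depends on. The paths and URLs are the ones from the message; $ExpectedSha256 is a placeholder you must fill in yourself, and the script uses only .NET classes available to the PowerShell 2.0 that ships with Windows 2008 R2.

```powershell
# Added example, not part of the original message or of the Shibboleth/InCommon
# distributions. Assumptions: the paths below match the install location given in
# the message, and $ExpectedSha256 is a fingerprint you obtained through a channel
# you trust (not from the same HTTP URL the certificate is fetched from).

$CertUrl      = "http://md.incommon.org/certs/inc-md-cert.pem"
$MetadataUrl  = "http://md.incommon.org/InCommon/InCommon-metadata.xml"
$IdpHome      = "C:\Program Files (x86)\Internet2\Shib2Idp"
$CertPath     = Join-Path $IdpHome "credentials\inc-md-cert.pem"
$RelyingParty = Join-Path $IdpHome "conf\relying-party.xml"
# Placeholder (assumption): paste the independently verified SHA-256 fingerprint here.
$ExpectedSha256 = "REPLACE-WITH-FINGERPRINT-OBTAINED-OUT-OF-BAND"

# 1. Fetch the certificate. WebClient rather than Invoke-WebRequest so this runs
#    on PowerShell 2.0.
$pem = (New-Object System.Net.WebClient).DownloadData($CertUrl)

# 2. Parse it and compute fingerprints. X509Certificate2 accepts PEM bytes;
#    .Thumbprint is SHA-1, so SHA-256 is computed over the DER (RawData) as well.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$pem)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fp256  = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace "-", ""
"Subject  : " + $cert.Subject
"NotAfter : " + $cert.NotAfter
"SHA-1    : " + $cert.Thumbprint
"SHA-256  : " + $fp256

# 3. Refuse to install anything whose fingerprint does not match the value you
#    verified independently; the download above was unauthenticated HTTP.
$expected = ($ExpectedSha256 -replace "[:\s-]", "").ToUpper()
if ($fp256 -ne $expected) {
    throw "SHA-256 fingerprint mismatch for $CertUrl; not writing $CertPath"
}
[System.IO.File]::WriteAllBytes($CertPath, $pem)
"Wrote $CertPath"

# 4. Check relying-party.xml for the settings the message changes or relies on:
#    the new aggregate URL, mandatory signature validation via ICTrust, and the
#    ICTrust engine pointing at the new certificate file.
$doc = New-Object System.Xml.XmlDocument
$doc.Load($RelyingParty)
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace("md",  "urn:mace:shibboleth:2.0:metadata")
$ns.AddNamespace("sec", "urn:mace:shibboleth:2.0:security")
$ns.AddNamespace("xsi", "http://www.w3.org/2001/XMLSchema-instance")

$provider = $doc.SelectSingleNode("//md:MetadataProvider[@id='ICMD']", $ns)
$sigFilt  = $doc.SelectSingleNode("//md:MetadataProvider[@id='ICMD']//md:MetadataFilter[@xsi:type='SignatureValidation']", $ns)
$certNode = $doc.SelectSingleNode("//sec:TrustEngine[@id='ICTrust']/sec:Credential/sec:Certificate", $ns)

$problems = @()
if ($provider -eq $null) { $problems += "no MetadataProvider with id='ICMD'" }
elseif ($provider.GetAttribute("metadataURL") -ne $MetadataUrl) {
    $problems += "ICMD metadataURL is still " + $provider.GetAttribute("metadataURL")
}
if ($sigFilt -eq $null) { $problems += "ICMD has no SignatureValidation filter" }
elseif ($sigFilt.GetAttribute("requireSignedMetadata") -ne "true" -or
        $sigFilt.GetAttribute("trustEngineRef") -ne "ICTrust") {
    $problems += "SignatureValidation filter needs requireSignedMetadata='true' and trustEngineRef='ICTrust'"
}
if ($certNode -eq $null) { $problems += "no TrustEngine with id='ICTrust' (or it has no Certificate element)" }
elseif ($certNode.InnerText.Trim() -ne $CertPath) {
    $problems += "ICTrust still points at " + $certNode.InnerText.Trim()
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "relying-party.xml is not ready; fix the items above before restarting Tomcat"
}
"relying-party.xml checks passed; restart Tomcat and watch idp-process.log for the ICMD provider loading"
```

Run it from an elevated PowerShell on the IdP host after editing relying-party.xml and before the Tomcat restart. Compare the SHA-256 line, not only the SHA-1 thumbprint, and if the fingerprint check fails, treat the download as untrusted rather than retrying until it "works". The script only checks the configuration; the IdP's own SignatureValidation filter is what verifies the aggregate against the new certificate when the ICMD provider loads, so a failure at that stage shows up in the IdP logs rather than here.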