
metadata-support - [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version

Subject: InCommon metadata support

  • From: Brian Gibson <>
  • To:
  • Subject: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version
  • Date: Thu, 19 Dec 2013 09:38:11 -0500

Hi All,

We are fairly new to Shibboleth so be gentle ;-)
We are running Shibboleth IdP version 2.4 on a Windows 2008 R2 server and we have an existing trust relationship with InCommon. My guess is the only things we will need to do to accommodate the metadata and signing certificate changes Tom recently mentioned would be to edit the following two sections in the relying-party.xml file.

Change this section

<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD" xsi:type="FileBackedHTTPMetadataProvider" maxRefreshDelay="PT1H" metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml" backingFile="C:\Program Files (x86)\Internet2\Shib2Idp\conf\InCommon-config.xml">
          <MetadataFilter xsi:type="ChainingFilter">
                <!-- Require metadata expiration at least monthly (28 days) -->
                <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
                <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" />
                <MetadataFilter xsi:type="EntityRoleWhiteList">
                      <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
          </MetadataFilter>
    </MetadataProvider>       

to use the new URL (in bold)

<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD" xsi:type="FileBackedHTTPMetadataProvider" maxRefreshDelay="PT1H" metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml" backingFile="C:\Program Files (x86)\Internet2\Shib2Idp\conf\InCommon-config.xml">
          <MetadataFilter xsi:type="ChainingFilter">
                <!-- Require metadata expiration at least monthly (28 days) -->
                <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
                <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" />
                <MetadataFilter xsi:type="EntityRoleWhiteList">
                      <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
          </MetadataFilter>
    </MetadataProvider>       

Then download the new signing certificate from http://md.incommon.org/certs/inc-md-cert.pem and save it as

C:\Program Files (x86)\Internet2\Shib2Idp\credentials\inc-md-cert.pem

then edit this section of the relying-party.xml file

<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
      <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>C:\Program Files (x86)\Internet2\Shib2Idp\credentials\incommon.pem</security:Certificate>
      </security:Credential>
    </security:TrustEngine>

to read as follows (new file name in bold)

<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
      <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>C:\Program Files (x86)\Internet2\Shib2Idp\credentials\inc-md-cert.pem</security:Certificate>
      </security:Credential>
    </security:TrustEngine>

Then stop and start Tomcat, check the IdP status page locally, and try logging in at https://service1.internet2.edu/test/ to make sure that everything works.

Am I missing something?

Thanks!

-- 

++++++++++++++++++++++++++++
Brian Gibson
Systems Administrator
Wheaton College

Are you a musician? If so visit my Arbans Online music site at 
http://arbansonline.com and listen & contribute
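As an added pre-flight check (example code, not part of this message or of the Shibboleth project), the Python below models the three MetadataFilters in the ChainingFilter above on a constructed sample aggregate. The names build_sample, preflight and NOW are assumptions; the signature step only confirms that a ds:Signature element is present and leaves the cryptographic check against inc-md-cert.pem to the IdP's own SignatureValidation filter.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
MAX_VALIDITY = 2419200  # seconds, the maxValidityInterval above (28 days)
ROLES = {"IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor",
         "AuthnAuthorityDescriptor", "PDPDescriptor", "RoleDescriptor"}
NOW = datetime(2013, 12, 19, 14, 38, 11, tzinfo=timezone.utc)  # constructed "now"

def build_sample(now, days_valid=14, signed=True):
    """Constructed aggregate (not real InCommon data): one SP, one IdP, a validUntil
    `days_valid` days out and, if `signed`, a placeholder enveloped signature."""
    valid_until = (now + timedelta(days=days_valid)).strftime("%Y-%m-%dT%H:%M:%SZ")
    sig = "<ds:Signature><ds:SignedInfo/></ds:Signature>" if signed else ""
    return f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" validUntil="{valid_until}">
  {sig}
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def preflight(xml_text, now, retained=("SPSSODescriptor",)):
    """Run the three filters in order. Returns (True, surviving entityIDs) or
    (False, which filter would reject the aggregate)."""
    root = ET.fromstring(xml_text)
    # 1. RequiredValidUntil: validUntil must exist and lie within MAX_VALIDITY of now
    vu = root.get("validUntil")
    if vu is None:
        return False, "RequiredValidUntil: EntitiesDescriptor has no validUntil"
    expiry = datetime.strptime(vu, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expiry > now + timedelta(seconds=MAX_VALIDITY):
        return False, "RequiredValidUntil: validUntil exceeds maxValidityInterval"
    # 2. SignatureValidation with requireSignedMetadata="true": a ds:Signature must be
    #    present. Verifying it against inc-md-cert.pem is the IdP's job, not done here.
    if root.find(f"{{{DS}}}Signature") is None:
        return False, "SignatureValidation: aggregate is unsigned"
    # 3. EntityRoleWhiteList: strip roles not in `retained`; drop entities left with none
    kept = []
    for ed in root.findall(f"{{{MD}}}EntityDescriptor"):
        for child in list(ed):
            name = child.tag.split("}")[-1]
            if name in ROLES and name not in retained:
                ed.remove(child)
        if any(c.tag.split("}")[-1] in retained for c in ed):
            kept.append(ed.get("entityID"))
    return True, kept
```

Run it against a freshly downloaded copy of the aggregate (read the file instead of calling build_sample) before restarting Tomcat, so a missing validUntil or an unsigned file shows up here rather than as an empty metadata provider in the IdP log.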


