
metadata-support - [Metadata-Support] Re: [InCommon NOTICE] new metadata aggregates [ACTION REQUIRED]

Subject: InCommon metadata support

  • From: Dick Visser <>
  • To: Tom Scavo <>
  • Cc:
  • Subject: [Metadata-Support] Re: [InCommon NOTICE] new metadata aggregates [ACTION REQUIRED]
  • Date: Thu, 19 Dec 2013 15:45:52 +0100

Hi Tom


This is running on host login.terena.org, which runs Ubuntu 12.04.3 LTS 64-bit, which uses
"PHP 5.3.10-1ubuntu3.8 with Suhosin-Patch (cli) (built: Sep  4 2013 20:00:51)".
We run SimpleSAMLphp r3242 from SVN, which would be equal to version 1.11.0.

The config-metarefresh.php isn't overly complicated (we think!), it's just very long ;-)
The relevant lines are:


'incommon' => array(
    'cron'  => array('frequent'),
    'sources'   => array(
        array(
            // Changed by on 19 Dec 2013
            // curl -s http://md.incommon.org/certs/inc-md-cert.pem  | openssl x509 -noout -fingerprint
            'validateFingerprint' => '7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD',
            'template'  => array(
                'tags'  => array('all', 'incommon'),
                'authproc'  => array(
                    51  => array('class' => 'core:AttributeMap', 'oid2name'),
                ),
                'redirect.sign'     => TRUE,
                'metadata.sign.enable' => TRUE,
            ),
            // We already have a ProtectNetwork entry in the guest options
            'blacklist' => array(
                'urn:mace:incommon:idp.protectnetwork.org',
            ),
        ),
    ),
    'outputDir' =>  'metadata/metarefresh/incommon',
    'outputFormat'  => 'flatfile',
),


FYI:
visser@login:~$ openssl version
OpenSSL 1.0.1 14 Mar 2012





Dick




On 19 December 2013 14:38, Tom Scavo <> wrote:
> [copying metadata-support...Dick, will you please subscribe before
> replying? Thanks.]
>
> On Thu, Dec 19, 2013 at 3:38 AM, Dick Visser <> wrote:
>>
>> Just wanted you to know that I changed our metarefresh config with the
>> new production URL and a new fingerprint, and it's working just
>> fine.
>
> That's great news! :-) Can you supply the following details about your
> simpleSAMLphp (SSP) deployment?
>
> - OS version
> - SSP version
> - metarefresh config details
>
> I suspect your metarefresh config is more complicated than most but
> that's okay :-)
>
> Thanks,
>
> Tom
>
>> On 18 December 2013 22:31, Tom Scavo <> wrote:
>>> You are receiving this note as a followup to the message quoted below.
>>> Your ACTION IS REQUIRED.
>>>
>>> A new metadata signing certificate and three new metadata aggregates
>>> have been deployed. See the Phase 1 Implementation Plan of the
>>> Metadata Distribution Working Group for links and details:
>>> https://spaces.internet2.edu/x/5IOZAg
>>>
>>> All SAML deployments in the InCommon Federation are required to
>>> migrate to one of the new metadata aggregates as soon as possible but
>>> no later than March 29, 2014. See the Phase 1 Implementation Plan FAQ
>>> for specific migration instructions:
>>> https://spaces.internet2.edu/x/yoCkAg
>>>
>>> If you have questions, or just want to find out more, we encourage you
>>> to subscribe to our new mailing list:
>>>
>>> Mailing list:
>>>
>>> We look forward to hearing from you!
>>>
>>> ----
>>> InCommon Operations
>>>
>>>
>>> On Wed, Dec 4, 2013 at 8:57 AM, Tom Scavo <> wrote:
>>>> You are receiving this message because you are a site administrator
>>>> for the InCommon Federation. No action is required at this time.
>>>>
>>>> On December 18th, InCommon Operations will deploy three new metadata
>>>> aggregates on a new vhost (md.incommon.org). All SAML deployments will
>>>> be asked to migrate to one of the new metadata aggregates as soon as
>>>> possible but no later than March 29, 2014. In the future, all new
>>>> metadata services will be deployed on md.incommon.org. Legacy vhost
>>>> wayf.incommonfederation.org will be phased out.
>>>>
>>>> An important driver for switching to a new metadata server is the
>>>> desire to migrate to SHA-2 throughout the InCommon Federation. The end
>>>> goal is for all metadata processes to be able to verify an XML
>>>> signature that uses a SHA-2 digest algorithm by June 30, 2014. For
>>>> details about any aspect of this effort, see the Phase 1
>>>> Implementation Plan of the Metadata Distribution Working Group:
>>>> https://spaces.internet2.edu/x/5IOZAg
>>>>
>>>> Each SAML deployment in the Federation will choose exactly one of the
>>>> new metadata aggregates. If your metadata process is not SHA-2
>>>> compatible, you will migrate to the fallback metadata aggregate.
>>>> Otherwise you will migrate to the production metadata aggregate or the
>>>> preview metadata aggregate, depending on your deployment. For more
>>>> information about metadata aggregates, see:
>>>> https://spaces.internet2.edu/x/SoG8Ag
>>>>
>>>> To find out more, subscribe to our new mailing list and/or check out our FAQ.
>>>>
>>>> Mailing list:
>>>> FAQ: https://spaces.internet2.edu/x/yoCkAg
>>>>
>>>> ----
>>>> InCommon Operations
>>>
>>>
>>>
>>
>>
>>
>> --
>> Dick Visser
>> System & Networking Engineer
>> TERENA Secretariat
>> Singel 468 D, 1017 AW Amsterdam
>> The Netherlands



--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
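
Added example, not part of the original message and not simpleSAMLphp code: a Python sketch of the comparison behind the 'validateFingerprint' value in the config above, computing a certificate's SHA-1 fingerprint in the colon-separated form that `openssl x509 -noout -fingerprint` prints and checking it against a pinned value. The PEM input is built from constructed stand-in bytes, not the InCommon certificate, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint quoted in the config in the message above.
PAGE_PIN = "7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD"

# Constructed stand-in bytes, NOT a real X.509 certificate. A fingerprint is a
# hash over the raw DER bytes, so any byte string exercises the same code path.
CONSTRUCTED_DER = b"constructed stand-in bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(CONSTRUCTED_DER).decode()
              + "-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER, upper-case hex pairs joined by colons."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Accept 'SHA1 Fingerprint=AA:BB:..', 'aa:bb:..' or bare hex."""
    fp = fp.split("=", 1)[-1].strip().replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", fp):
        raise ValueError("not a 160-bit SHA-1 fingerprint")
    return fp

def matches_pin(pem: str, pinned: str) -> bool:
    """True only if the certificate's fingerprint equals the pinned value."""
    actual = normalize(sha1_fingerprint(pem_to_der(pem)))
    return hmac.compare_digest(actual, normalize(pinned))

if __name__ == "__main__":
    own = sha1_fingerprint(pem_to_der(SAMPLE_PEM))
    print("sample fingerprint:", own)
    print("matches its own pin:", matches_pin(SAMPLE_PEM, own))
    # The stand-in is not the InCommon certificate, so the page's pin rejects it.
    print("matches page pin:", matches_pin(SAMPLE_PEM, PAGE_PIN))
```

When run against a real PEM file, the pin is only meaningful if the expected fingerprint was obtained over a channel other than the one that served the certificate.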


