Skip to Content.
Sympa Menu

metadata-support - RE: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version

Subject: InCommon metadata support

List archive

RE: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version


Chronological Thread 
  • From: "Doan, Tommy" <>
  • To: "" <>
  • Subject: RE: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version
  • Date: Thu, 19 Dec 2013 14:57:43 +0000
  • Accept-language: en-US

Typically you’ll find the InCommon-metadata.xml and other metadata files located in \metadata rather than in \conf, but this looks good.

 

Just a couple minor changes I might suggest.

·         maxValidityInterval="P28D" rather than “2419200”

·         After restarting TomCat, check the Shib logs for errors and make sure you have a new copy of InCommon-metadata.xml

 

From: [mailto:] On Behalf Of Brian Gibson
Sent: Thursday, December 19, 2013 8:38 AM
To:
Subject: [Metadata-Support] setting up new signing certificate and new metadata aggregates in Shibboleth IdP version

 

Hi All,

We are fairly new to Shibboleth so be gentle ;-)
We are running Shibboleth IdP version 2.4 in a Windows 2008 R2 server and we have an existing trust relationship with InCommon. My guess is the only things we will need to do to accommodate the metadata and signing certificates changes Tom recently mentioned would be to edit the following two sections in the relying-party.xml file

Change this section

<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD" xsi:type="FileBackedHTTPMetadataProvider" maxRefreshDelay="PT1H" metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml" backingFile="C:\Program Files (x86)\Internet2\Shib2Idp\conf\InCommon-config.xml">
          <MetadataFilter xsi:type="ChainingFilter">
                <!-- Require metadata expiration at least monthly (28 days) -->
                <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
                <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" />
                <MetadataFilter xsi:type="EntityRoleWhiteList">
                      <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
          </MetadataFilter>
    </MetadataProvider>       

to use the new URL (in bold)

<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata" id="ICMD" xsi:type="FileBackedHTTPMetadataProvider" maxRefreshDelay="PT1H" metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml" backingFile="C:\Program Files (x86)\Internet2\Shib2Idp\conf\InCommon-config.xml">
          <MetadataFilter xsi:type="ChainingFilter">
                <!-- Require metadata expiration at least monthly (28 days) -->
                <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
                <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="ICTrust" requireSignedMetadata="true" />
                <MetadataFilter xsi:type="EntityRoleWhiteList">
                      <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
                </MetadataFilter>
          </MetadataFilter>
    </MetadataProvider>       

The download the new signing certificate from here http://md.incommon.org/certs/inc-md-cert.pem and save it as

C:\Program Files (x86)\Internet2\Shib2Idp\credentials\inc-md-cert.pem

then edit this section of the relying-party.xml file

<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
      <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>C:\Program Files (x86)\Internet2\Shib2Idp\credentials\incommon.pem</security:Certificate>
      </security:Credential>
    </security:TrustEngine>

to read as follows (new file name in bold)

<security:TrustEngine id="ICTrust" xsi:type="security:StaticExplicitKeySignature">
      <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
            <security:Certificate>C:\Program Files (x86)\Internet2\Shib2Idp\credentials\inc-md-cert.pem</security:Certificate>
      </security:Credential>
    </security:TrustEngine>

Then stop and start Tomcat and check out the idp status page locally and try logging in at https://service1.internet2.edu/test/
 to make sure that everything works.

Am I missing something?

Thanks!


-- 
 
++++++++++++++++++++++++++++
Brian Gibson
Systems Administrator
Wheaton College
 
Are you a musician? If so visit my Arbans Online music site at 
http://arbansonline.com and listen & contribute



Archive powered by MHonArc 2.6.16.

Top of Page