
metadata-support - [Metadata-Support] Re: [InCommon NOTICE] new metadata aggregates [ACTION REQUIRED]

Subject: InCommon metadata support

  • From: Tom Scavo <>
  • To: Dick Visser <>
  • Cc:
  • Subject: [Metadata-Support] Re: [InCommon NOTICE] new metadata aggregates [ACTION REQUIRED]
  • Date: Thu, 19 Dec 2013 11:40:03 -0500

Thank you, Dick. This is very helpful.

I spun off your config example as a wiki page:

https://spaces.internet2.edu/x/eYHFAg

Dick, you should have edit access to the above page, so feel free to modify.

Thanks again,

Tom

On Thu, Dec 19, 2013 at 9:45 AM, Dick Visser <> wrote:
> Hi Tom
>
>
> This is running on host login.terena.org, which runs Ubuntu 12.04.3 LTS
> 64-bit, which uses "PHP 5.3.10-1ubuntu3.8 with Suhosin-Patch (cli)
> (built: Sep 4 2013 20:00:51)".
> We run SimpleSAMLphp r3242 from SVN, which would be equal to version 1.11.0.
>
> The config-metarefresh.php isn't overly complicated (we think!), it's just
> very long ;-)
> The relevant lines are:
>
>
> 'incommon' => array(
>     'cron' => array('frequent'),
>     'sources' => array(
>         array(
>             // See https://spaces.internet2.edu/display/InCCollaborate/Phase+1+Implementation+Plan
>             // Changed by  on 19 Dec 2013
>             'src' => 'http://md.incommon.org/InCommon/InCommon-metadata.xml',
>             // curl -s http://md.incommon.org/certs/inc-md-cert.pem | openssl x509 -noout -fingerprint
>             'validateFingerprint' => '7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD',
>             'template' => array(
>                 'tags' => array('all', 'incommon'),
>                 'authproc' => array(
>                     51 => array('class' => 'core:AttributeMap', 'oid2name'),
>                 ),
>                 'redirect.sign' => TRUE,
>                 'metadata.sign.enable' => TRUE,
>             ),
>             // We already have a ProtectNetwork entry in the guest options
>             'blacklist' => array(
>                 'urn:mace:incommon:idp.protectnetwork.org',
>             ),
>         ),
>     ),
>     'outputDir' => 'metadata/metarefresh/incommon',
>     'outputFormat' => 'flatfile',
> ),
>
>
> FYI:
> visser@login:~$ openssl version
> OpenSSL 1.0.1 14 Mar 2012
>
> Dick
>
>
>
>
> On 19 December 2013 14:38, Tom Scavo <> wrote:
>> [copying metadata-support...Dick, will you please subscribe before
>> replying? Thanks.]
>>
>> On Thu, Dec 19, 2013 at 3:38 AM, Dick Visser <> wrote:
>>>
>>> Just wanted you to know that I changed our metarefresh config with the
>>> new production URL and a new fingerprinter, and it's working just
>>> fine.
>>
>> That's great news! :-) Can you supply the following details about your
>> simpleSAMLphp (SSP) deployment?
>>
>> - OS version
>> - SSP version
>> - metarefresh config details
>>
>> I suspect your metarefresh config is more complicated than most but
>> that's okay :-)
>>
>> Thanks,
>>
>> Tom
>>
>>> On 18 December 2013 22:31, Tom Scavo <> wrote:
>>>> You are receiving this note as a followup to the message quoted below.
>>>> Your ACTION IS REQUIRED.
>>>>
>>>> A new metadata signing certificate and three new metadata aggregates
>>>> have been deployed. See the Phase 1 Implementation Plan of the
>>>> Metadata Distribution Working Group for links and details:
>>>> https://spaces.internet2.edu/x/5IOZAg
>>>>
>>>> All SAML deployments in the InCommon Federation are required to
>>>> migrate to one of the new metadata aggregates as soon as possible but
>>>> no later than March 29, 2014. See the Phase 1 Implementation Plan FAQ
>>>> for specific migration instructions:
>>>> https://spaces.internet2.edu/x/yoCkAg
>>>>
>>>> If you have questions, or just want to find out more, we encourage you
>>>> to subscribe to our new mailing list:
>>>>
>>>> Mailing list:
>>>>
>>>>
>>>> We look forward to hearing from you!
>>>>
>>>> ----
>>>> InCommon Operations
>>>>
>>>>
>>>> On Wed, Dec 4, 2013 at 8:57 AM, Tom Scavo <> wrote:
>>>>> You are receiving this message because you are a site administrator
>>>>> for the InCommon Federation. No action is required at this time.
>>>>>
>>>>> On December 18th, InCommon Operations will deploy three new metadata
>>>>> aggregates on a new vhost (md.incommon.org). All SAML deployments will
>>>>> be asked to migrate to one of the new metadata aggregates as soon as
>>>>> possible but no later than March 29, 2014. In the future, all new
>>>>> metadata services will be deployed on md.incommon.org. Legacy vhost
>>>>> wayf.incommonfederation.org will be phased out.
>>>>>
>>>>> An important driver for switching to a new metadata server is the
>>>>> desire to migrate to SHA-2 throughout the InCommon Federation. The end
>>>>> goal is for all metadata processes to be able to verify an XML
>>>>> signature that uses a SHA-2 digest algorithm by June 30, 2014. For
>>>>> details about any aspect of this effort, see the Phase 1
>>>>> Implementation Plan of the Metadata Distribution Working Group:
>>>>> https://spaces.internet2.edu/x/5IOZAg
>>>>>
>>>>> Each SAML deployment in the Federation will choose exactly one of the
>>>>> new metadata aggregates. If your metadata process is not SHA-2
>>>>> compatible, you will migrate to the fallback metadata aggregate.
>>>>> Otherwise you will migrate to the production metadata aggregate or the
>>>>> preview metadata aggregate, depending on your deployment. For more
>>>>> information about metadata aggregates, see:
>>>>> https://spaces.internet2.edu/x/SoG8Ag
>>>>>
>>>>> To find out more, subscribe to our new mailing list and/or check out
>>>>> our FAQ.
>>>>>
>>>>> Mailing list:
>>>>>
>>>>> FAQ: https://spaces.internet2.edu/x/yoCkAg
>>>>>
>>>>> ----
>>>>> InCommon Operations
>>>>
>>>>
>>>> ------------------------
>>>> InC-Ops-Notifications
>>>>
>>>> This is a notification-only email list with an open subscription policy.
>>>> Anyone may join this list. For any questions regarding InCommon
>>>> Operations,
>>>> please email
>>>> .
>>>> For any discussions with the community
>>>> regarding issues related to federation, please post to
>>>>
>>>>
>>>> If you are an official designated InCommon Site Administrator for your
>>>> organization, you MUST remain on this email list. The reason is that this
>>>> list is the primary means of notifying you regarding timely information
>>>> that
>>>> could potentially affect the way your organization's systems operate in a
>>>> federated context.
>>>>
>>>> Unsubscribing: To unsubscribe from this email list, send email to
>>>>
>>>> with the subject: unsub inc-ops-notifications
>>>>
>>>> Subscribing: To subscribe to this email list, send email to
>>>>
>>>> with the subject: sub inc-ops-notifications
>>>>
>>>> Alternatively, subscriptions can be managed at
>>>> https://lists.incommon.org/sympa/info/inc-ops-notifications
>>>>
>>>
>>>
>>>
>>> --
>>> Dick Visser
>>> System & Networking Engineer
>>> TERENA Secretariat
>>> Singel 468 D, 1017 AW Amsterdam
>>> The Netherlands
>
>
>
> --
> Dick Visser
> System & Networking Engineer
> TERENA Secretariat
> Singel 468 D, 1017 AW Amsterdam
> The Netherlands
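
Added example, not part of the original thread: a Python check that recomputes the SHA-1 fingerprint that `openssl x509 -noout -fingerprint` prints for a PEM certificate and compares it with the `validateFingerprint` value found in a metarefresh config. `SAMPLE_PEM` is a constructed placeholder rather than a real certificate, `SAMPLE_CONFIG` reuses two lines from the config quoted above, and all function names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
PIN_RE = re.compile(r"'validateFingerprint'\s*=>\s*'([^']*)'")

# Constructed placeholder, NOT a real certificate: the body is base64 of b"abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# The source and pin lines as quoted in the thread's config.
SAMPLE_CONFIG = """
'src' => 'http://md.incommon.org/InCommon/InCommon-metadata.xml',
'validateFingerprint' =>
    '7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD',
"""


def cert_fingerprint(pem):
    """SHA-1 over the certificate's DER bytes, colon-separated upper-case hex."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Reduce 'SHA1 Fingerprint=7D:B4:..', '7d b4 ..' or bare hex to 40 hex chars."""
    value = fingerprint.split("=", 1)[-1]
    hex_only = re.sub(r"[:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hex_only):
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return hex_only


def configured_pins(config_text):
    """Every validateFingerprint value found in the config text, normalized."""
    return [normalize(v) for v in PIN_RE.findall(config_text)]


def pin_matches(pem, config_text):
    """True only if the certificate's fingerprint equals a configured pin."""
    return normalize(cert_fingerprint(pem)) in configured_pins(config_text)


if __name__ == "__main__":
    print(cert_fingerprint(SAMPLE_PEM), pin_matches(SAMPLE_PEM, SAMPLE_CONFIG))
```

A match only shows that the certificate and the configured pin agree; the `curl` command in the quoted config fetches the certificate over plain HTTP, so the fingerprint should be confirmed against a copy obtained over an authenticated channel.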


