[Metadata-Support] Re: new metadata with SSP 1.11

  • From: Tom Scavo <>
  • To: Dan Schwartz <>
  • Cc:
  • Subject: [Metadata-Support] Re: new metadata with SSP 1.11
  • Date: Thu, 2 Jan 2014 16:00:48 -0500

Hi Dan,

Thanks for asking these good questions. See answers below.

I'm copying the metadata-support mailing list on this message. Can you
please subscribe to the mailing list before you reply (so as to
archive the entire thread)?



On Thu, Jan 2, 2014 at 3:26 PM, Dan Schwartz
> Hi Tom -
> I have a simplesamlphp (SSP) SP system which isn't really production
> yet, and I was trying out the new metadata with it.
> 1. Do you know when 1.12 is planned to be released? I haven't seen
> anything about it since your note (and discussions with Jamie P on the
> SSP mailing list) around 11/19/13.

That's a good question. I'll post to the SSP mailing list to find out.

> 2. I loaded up the new metadata from
>, and generated a
> SHA256 fingerprint from
> for it -
> 2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B,
> but SSP 1.11 complained about it saying that I had the wrong
> fingerprint and needed the SHA1 one -
> 7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD, so I
> created an array and put both in and that worked. Should it have
> switched to using SHA2 automatically? Do I need to configure
> something to tell it to use SHA2? Is the SHA2 stuff coming later?

Ah, I think you tripped up on the many uses of the SHA digest
algorithm that are in play here. Let me try to list some of them here
(since I think this will become a FAQ).

- The SSP metarefresh module requires the SHA-1 fingerprint of the
metadata signing certificate, which is listed above and on the (new)
Metadata Signing Certificate wiki page:

- The production metadata aggregate and the fallback metadata
aggregate are signed using SHA-256 and SHA-1, respectively.
You can see this by inspecting
the signed XML metadata. The production metadata aggregate contains
this element:

<ds:DigestMethod Algorithm=""/>

while the fallback metadata aggregate contains this element:

<ds:DigestMethod Algorithm=""/>

Note that the XML signature on the metadata has nothing to do with the
fingerprint of the metadata signing certificate.

- You can remove the SHA-256 fingerprint from your SSP config since
AFAIK SSP only recognizes a SHA-1 fingerprint. See the (new)
SimpleSAMLphp Metadata Config wiki page for a working config example:

> The way I read the description, it seemed like the production metadata
> that I'm downloading should already be using the SHA-2 code.

See above. The production metadata aggregate *is* signed using SHA-256
and your SSP software is apparently verifying the XML signature just

> The
> webpage -
> could use a little re-wording now that it's after 1/1/2014..

Yes, I'll work on that, thanks.

> --
> Dan Schwartz | LTS - Systems and Networking | Lehigh University |
> | (610) 758-5061
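Added example, not code from this thread or from SimpleSAMLphp: it parses a constructed signed-aggregate skeleton to show that the ds:DigestMethod URI (what the aggregate is signed with) and the fingerprint of the signing certificate (what the metarefresh config needs) are two separate things, and models the thread's description that SSP 1.11 only matches a SHA-1 fingerprint. The XML skeleton, the stand-in certificate bytes and the ssp_fingerprint_check function are assumptions; the algorithm URIs are the standard W3C identifiers.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"  # standard XML-Enc identifier

# Constructed stand-in for the signing cert (NOT real X.509 DER); a fingerprint is just a hash of the DER bytes.
FAKE_CERT_DER = bytes(range(64))

# Constructed, minimal signed-aggregate skeleton (digest/signature values are dummies).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="{DS}" Name="constructed-example">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="{SHA256_DIGEST}"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</md:EntitiesDescriptor>"""


def fingerprint(der: bytes, algo: str) -> str:
    """Certificate fingerprint: hash of the DER bytes as colon-separated upper-case hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_signature(xml_text: str) -> dict:
    """Separate the signature's algorithm URIs from the embedded cert's fingerprints."""
    root = ET.fromstring(xml_text)
    cert_b64 = root.find(f".//{{{DS}}}X509Certificate").text
    der = base64.b64decode("".join(cert_b64.split()))
    return {
        "signature_method": root.find(f".//{{{DS}}}SignatureMethod").get("Algorithm"),
        "digest_method": root.find(f".//{{{DS}}}DigestMethod").get("Algorithm"),
        "cert_sha1": fingerprint(der, "sha1"),
        "cert_sha256": fingerprint(der, "sha256"),
    }


def ssp_fingerprint_check(configured: list, der: bytes) -> bool:
    """Model (assumption, not SSP's code) of the metarefresh check as the thread describes
    it: only the SHA-1 fingerprint is compared, so a SHA-256 entry alone never matches."""
    return fingerprint(der, "sha1") in {fp.upper() for fp in configured}
```

Running inspect_signature on a real aggregate shows the SHA-256 digest URI in the signature even though the config still needs the SHA-1 fingerprint of the certificate, which is exactly the mismatch Dan hit.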
