Subject: InCommon metadata support
- From: Tom Scavo <>
- To: Dan Schwartz <>
- Subject: [Metadata-Support] Re: new metadata with SSP 1.11
- Date: Thu, 2 Jan 2014 16:00:48 -0500
Thanks for asking these good questions. See answers below.
I'm copying the metadata-support mailing list on this message. Can you
please subscribe to the mailing list before you reply (so as to
archive the entire thread)?
On Thu, Jan 2, 2014 at 3:26 PM, Dan Schwartz
> Hi Tom -
> I have a simplesamlphp (SSP) SP system which isn't really production
> yet, and I was trying out the new metadata with it.
> 1. Do you know when 1.12 is planned to be released? I haven't seen
> anything about it since your note (and discussions with Jamie P on the
> SSP mailing list) around 11/19/13.
That's a good question. I'll post to the SSP mailing list to find out.
> 2. I loaded up the new metadata from
> http://md.incommon.org/InCommon/InCommon-metadata.xml, and generated a
> SHA256 fingerprint from http://md.incommon.org/certs/inc-md-cert.pem
> for it -
> but SSP 1.11 complained about it saying that I had the wrong
> fingerprint and needed the SHA1 one -
> 7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD, so I
> created an array and put both in and that worked. Should it have
> switched to using SHA2 automatically? Do I need to configure
> something to tell it to use SHA2? Is the SHA2 stuff coming later?
Ah, I think you tripped up on the many uses of the SHA digest
algorithm that are in play here. Let me try to list some of them here
(since I think this will become a FAQ).
- The SSP metarefresh module requires the SHA-1 fingerprint of the
metadata signing certificate, which is listed above and on the (new)
Metadata Signing Certificate wiki page:
- The production metadata aggregate and the fallback metadata
aggregate are signed using SHA-256 and SHA-1, respectively.
(https://spaces.internet2.edu/x/SoG8Ag) You can see this by inspecting
the signed XML metadata. The production metadata aggregate contains
while the fallback metadata aggregate contains this element:
Note that the XML signature on the metadata has nothing to do with the
fingerprint of the metadata signing certificate.
- You can remove the SHA-256 fingerprint from your SSP config since
AFAIK SSP only recognizes a SHA-1 fingerprint. See the (new)
SimpleSAMLphp Metadata Config wiki page for a working config example:
> The way I read the description, it seemed like the production metadata
> that I'm downloading should already be using the SHA-2 code.
See above. The production metadata aggregate *is* signed using SHA-256
and your SSP software is apparently verifying the XML signature just
> webpage -
> could use a little re-wording now that it's after 1/1/2014..
Yes, I'll work on that, thanks.
> Dan Schwartz | LTS - Systems and Networking | Lehigh University |
> | (610) 758-5061
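The reply above separates two things that are easy to conflate: the fingerprint of the metadata signing certificate (a digest over the certificate's DER bytes, which the SSP metarefresh module compares as SHA-1) and the digest algorithm named in the XML signature over the aggregate (rsa-sha256 for production, rsa-sha1 for fallback). The following script is an added example, not code from the thread, from InCommon or from SimpleSAMLphp; the PEM body and the two metadata snippets are constructed sample inputs, and the `fingerprint_matches` helper models the SSP 1.11 behaviour described in the thread (only a SHA-1 fingerprint is recognized) rather than reproducing SSP's own code.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample inputs (not real InCommon artifacts). The PEM body is
# arbitrary bytes: a certificate fingerprint is just a digest over the DER
# bytes between the PEM markers, so nothing here needs to be a valid X.509
# certificate. The XML snippets carry only the SignedInfo needed to read
# the signature algorithm of the aggregate.
SAMPLE_DER = b"constructed sample bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)
PRODUCTION_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="constructed-example">
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
</md:EntitiesDescriptor>"""
# Fallback aggregate per the thread: same structure, signed with rsa-sha1.
FALLBACK_XML = PRODUCTION_XML.replace(
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1")


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case hex digest of the DER bytes, the same
    form as the SHA-1 fingerprint quoted in the thread."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp):
    return fp.replace(":", "").lower()


def fingerprint_matches(der, configured, accepted_algos=("sha1",)):
    """Model of the SSP 1.11 check described in the thread: the configured
    fingerprint (string or list) must equal the certificate's digest under
    an accepted algorithm. With the default, a SHA-256 entry is never
    matched, which is why Dan's SHA-256-only config was rejected."""
    if isinstance(configured, str):
        configured = [configured]
    wanted = {_normalize(fp) for fp in configured}
    return any(hashlib.new(algo, der).hexdigest().lower() in wanted
               for algo in accepted_algos)


def signature_method(xml_text):
    """Return the fragment of the ds:SignatureMethod Algorithm URI
    (e.g. 'rsa-sha256'). The aggregate's own signature is the first
    ds:Signature in document order, so the first match is the one wanted."""
    root = ET.fromstring(xml_text)
    node = root.find(".//{%s}SignatureMethod" % DS_NS)
    if node is None:
        raise ValueError("no ds:SignatureMethod found")
    return node.get("Algorithm").rsplit("#", 1)[-1]


def check(pem_text, xml_text, configured):
    """Summarize both facts a practitioner wants: the cert fingerprints
    under each digest, whether the configured fingerprint would be
    accepted, and which algorithm the aggregate's XML signature uses."""
    der = pem_to_der(pem_text)
    return {
        "sha1": fingerprint(der, "sha1"),
        "sha256": fingerprint(der, "sha256"),
        "fingerprint_accepted": fingerprint_matches(der, configured),
        "signature_algorithm": signature_method(xml_text),
    }


if __name__ == "__main__":
    sha1_fp = fingerprint(SAMPLE_DER, "sha1")
    for label, xml in (("production", PRODUCTION_XML), ("fallback", FALLBACK_XML)):
        print(label, check(SAMPLE_PEM, xml, [sha1_fp]))
    # Only a SHA-256 fingerprint configured: rejected, as in the thread.
    print("sha256-only accepted:",
          fingerprint_matches(SAMPLE_DER, [fingerprint(SAMPLE_DER, "sha256")]))
```

Run against the real inputs by replacing `SAMPLE_PEM` with the contents of inc-md-cert.pem and `PRODUCTION_XML` with the downloaded aggregate; the SHA-1 value the script prints is the one to put in the SSP metarefresh config, and the signature algorithm it reports is independent of that fingerprint, which is the distinction the reply makes.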