
Subject: InCommon metadata support


[Metadata-Support] Re: new metadata with SSP 1.11


  • From: Dan Schwartz <>
  • To: Tom Scavo <>
  • Cc:
  • Subject: [Metadata-Support] Re: new metadata with SSP 1.11
  • Date: Fri, 3 Jan 2014 13:18:33 -0500

To follow up: I just heard back from Jaime Pérez that SSP 1.12 will
have a release candidate in a couple of weeks followed by the final
release likely in February.

Thanks for the detailed description about the fingerprint and encryption info.

One issue with the SSP metarefresh module that I've run across is that
it takes longer and longer to convert the federation metadata XML file
into the SSP format files, and running it through the SSP cron system,
it catches on php timeouts (which can be increased in the php.ini
file). I'm curious to see if the new metadata handling stuff in SSP
will be able to directly consume the xml file, or increase the
processing / conversion speed.

--
Dan Schwartz | LTS - Systems and Networking | Lehigh University |

| (610) 758-5061


On Thu, Jan 2, 2014 at 4:00 PM, Tom Scavo
<>
wrote:
> Hi Dan,
>
> Thanks for asking these good questions. See answers below.
>
> I'm copying the metadata-support mailing list on this message. Can you
> please subscribe to the mailing list before you reply (so as to
> archive the entire thread)?
>
> Thanks,
>
> Tom
>
> On Thu, Jan 2, 2014 at 3:26 PM, Dan Schwartz
> <>
> wrote:
>> Hi Tom -
>>
>> I have a simplesamlphp (SSP) SP system which isn't really production
>> yet, and I was trying out the new metadata with it.
>>
>> 1. Do you know when 1.12 is planned to be released? I haven't seen
>> anything about it since your note (and discussions with Jamie P on the
>> SSP mailing list) around 11/19/13.
>
> That's a good question. I'll post to the SSP mailing list to find out.
>
>> 2. I loaded up the new metadata from
>> http://md.incommon.org/InCommon/InCommon-metadata.xml, and generated a
>> SHA256 fingerprint from http://md.incommon.org/certs/inc-md-cert.pem
>> for it -
>> 2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B,
>> but SSP 1.11 complained about it saying that I had the wrong
>> fingerprint and needed the SHA1 one -
>> 7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD, so I
>> created an array and put both in and that worked. Should it have
>> switched to using SHA2 automatically? Do I need to configure
>> something to tell it to use SHA2? Is the SHA2 stuff coming later?
>
> Ah, I think you tripped up on the many uses of the SHA digest
> algorithm that are in play here. Let me try to list some of them here
> (since I think this will become a FAQ).
>
> - The SSP metarefresh module requires the SHA-1 fingerprint of the
> metadata signing certificate, which is listed above and on the (new)
> Metadata Signing Certificate wiki page:
> https://spaces.internet2.edu/x/moHFAg
>
> - The production metadata aggregate and the fallback metadata
> aggregate are signed using SHA-256 and SHA-1, respectively.
> (https://spaces.internet2.edu/x/SoG8Ag) You can see this by inspecting
> the signed XML metadata. The production metadata aggregate contains
> this element:
>
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>
> while the fallback metadata aggregate contains this element:
>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> Note that the XML signature on the metadata has nothing to do with the
> fingerprint of the metadata signing certificate.
>
> - You can remove the SHA-256 fingerprint from your SSP config since
> AFAIK SSP only recognizes a SHA-1 fingerprint. See the (new)
> SimpleSAMLphp Metadata Config wiki page for a working config example:
> https://spaces.internet2.edu/x/eYHFAg
>
>> The way I read the description, it seemed like the production metadata
>> that I'm downloading should already be using the SHA-2 code.
>
> See above. The production metadata aggregate *is* signed using SHA-256
> and your SSP software is apparently verifying the XML signature just
> fine.
>
>> The
>> webpage -
>> https://spaces.internet2.edu/display/InCCollaborate/Phase+1+Implementation+Plan
>> could use a little re-wording now that it's after 1/1/2014..
>
> Yes, I'll work on that, thanks.
>
>> --
>> Dan Schwartz | LTS - Systems and Networking | Lehigh University |
>>
>> | (610) 758-5061
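The distinction Tom draws above (the fingerprint of the metadata signing certificate versus the digest algorithm named inside the XML signature) is easy to check with a few lines of code. The example below is added here and is not code from the thread, from InCommon or from SimpleSAMLphp: it computes a certificate fingerprint as the SHA-1 or SHA-256 hash of the DER bytes inside a PEM file, reads the `ds:DigestMethod` URIs out of a signed metadata document, and shows why a SHA-256 value pasted into a SHA-1-only fingerprint setting fails to match. The PEM block is a constructed stand-in whose body is just the bytes `abc` (not a real certificate) so the result can be checked against known hash values; the XML is a minimal constructed skeleton carrying the same `DigestMethod` URI the production aggregate uses. The function names are this example's own.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Digest algorithm URIs quoted from the signed aggregates in the thread above.
DIGEST_METHOD_NAMES = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}

# Constructed stand-in for a PEM certificate: the base64 body decodes to b"abc",
# which is NOT a certificate, but lets the fingerprint be checked against
# published SHA-1/SHA-256 test vectors.
FAKE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed skeleton of a signed SAML metadata aggregate (signature value
# and certificate omitted); only the DigestMethod element matters here.
SIGNED_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</md:EntitiesDescriptor>
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode what remains (the DER bytes)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def cert_fingerprint(pem: str, algo: str = "sha1") -> str:
    """A certificate fingerprint is the hash of the DER encoding, shown as
    colon-separated upper-case hex (the format openssl and SSP display)."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signature_digest_algorithms(xml_text: str) -> list:
    """Return the digest algorithm(s) named by ds:DigestMethod in the document's
    XML signature. This says how the *signature* was made and is unrelated to
    the signing certificate's fingerprint."""
    root = ET.fromstring(xml_text)
    uris = [e.get("Algorithm") for e in root.iter("{%s}DigestMethod" % DS_NS)]
    return [DIGEST_METHOD_NAMES.get(u, u) for u in uris]


def fingerprint_matches(configured: str, pem: str) -> bool:
    """Mimic a SHA-1-only fingerprint check: normalise the configured value
    (drop colons, ignore case) and compare it to the SHA-1 fingerprint.
    A SHA-256 value is 64 hex digits and can never equal a 40-digit SHA-1
    fingerprint, which is the mismatch the thread describes."""
    normalise = lambda fp: fp.replace(":", "").lower()
    return normalise(configured) == normalise(cert_fingerprint(pem, "sha1"))


if __name__ == "__main__":
    print("SHA-1 fingerprint:  ", cert_fingerprint(FAKE_PEM, "sha1"))
    print("SHA-256 fingerprint:", cert_fingerprint(FAKE_PEM, "sha256"))
    print("Signature digest:   ", signature_digest_algorithms(SIGNED_XML))
    print("SHA-256 value accepted as SHA-1 fingerprint?",
          fingerprint_matches(cert_fingerprint(FAKE_PEM, "sha256"), FAKE_PEM))
```

Run against a real PEM file, the same `cert_fingerprint` output should agree with `openssl x509 -noout -fingerprint -sha1 -in cert.pem`; the point to carry away is that a verifier which checks the SHA-1 fingerprint of the signing certificate can still validate a signature whose `DigestMethod` is SHA-256, because the two hashes are applied to different inputs.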
