
Subject: InCommon metadata support

[Metadata-Support] Questions about InCommon Metadata migration process


  • From: "Alvarez, Dyana I" <>
  • To: "" <>
  • Cc: "Alvarez, Dyana I" <>
  • Subject: [Metadata-Support] Questions about InCommon Metadata migration process
  • Date: Fri, 14 Mar 2014 19:23:51 +0000
  • Accept-language: en-US

Hi,

My name is Dyana Alvarez and I am a programmer for the University of Miami.
We received this email and would like to know if there are any forums that I
can research in order to do this.

We are running Shibboleth IDP 2.3.8 and Java version 1.6.

We know that we need to do this on the IDP side:

"If you are running Shibboleth IdP version 2.0 (or later), you are almost
certainly running Java 1.4.2 (or later). In that case, your software is
compatible with SHA-2 and you can migrate to the new production metadata
aggregate at your convenience (but no later than March 29, 2014)."

And the option of having to "Securely download and install a copy of the new
metadata signing certificate."

First we will change our Relying-party.xml from
http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml to
http://md.incommon.org/InCommon/InCommon-metadata.xml
As follows:

<metadata:MetadataProvider id="URLMD_incommon"
    xsi:type="FileBackedHTTPMetadataProvider"
    maxRefreshDelay="PT8H"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
    backingFile="c:\shibboleth-idpDev238/metadata/InCommon-metadata.xml">
  <metadata:MetadataFilter xsi:type="ChainingFilter">
    <metadata:MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
    <metadata:MetadataFilter xsi:type="SignatureValidation"
        trustEngineRef="InCommonMetadataTrustEngine"
        requireSignedMetadata="true" />
    <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
      <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
    </metadata:MetadataFilter>
  </metadata:MetadataFilter>
</metadata:MetadataProvider>

Does the SP side need to do anything? We have 40+ SPs that run on different
platforms (Linux, Windows).
It seems the Windows SPs would need to make changes to their shibboleth2.xml
and change the URL there from
http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml to
http://md.incommon.org/InCommon/InCommon-metadata.xml

How do we know our version is a supported Shibboleth IdP software?


Dyana Alvarez
Sr. Programmer
P: (305) 284-3521


-----Original Message-----
From: Kadiyala, Anil
Sent: Wednesday, March 12, 2014 8:50 PM
To: Alvarez, Dyana I
Subject: FW: [InCommon NOTICE] metadata migration process [ACTION REQUIRED]

Dyana, we need to discuss this change for the InCommon metadata tag in the
relying-party xml configuration file. May need to promote.
Thanks.

-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Wednesday, March 12, 2014 4:13 PM
To:
Subject: [InCommon NOTICE] metadata migration process [ACTION REQUIRED]

You are receiving this message because you are a site administrator or a
delegated administrator for the InCommon Federation. The following ACTION IS
REQUIRED: Migrate to one of the new metadata aggregates ASAP but no later
than March 29, 2014.

On March 29, 2014, the legacy metadata aggregate at location

http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml

will be replaced with a redirect to the following new location:

http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml

The above fallback aggregate was introduced on December 18, 2013. At that
time, a new production metadata aggregate signed using the
SHA-256 digest algorithm was also introduced at the following
location:

http://md.incommon.org/InCommon/InCommon-metadata.xml

ACTION: Migrate to one of the new metadata aggregates ASAP but no later than
March 29, 2014! See: https://spaces.internet2.edu/x/YYDPAg

The new metadata aggregates are signed with the same trusted signing key that
we've always used but the corresponding signing certificate has been renewed.
Before you migrate to one of the new metadata aggregates, bootstrap your
secure metadata refresh process by obtaining an authentic copy of the new
metadata signing certificate.
See: https://spaces.internet2.edu/x/moHFAg

WARNING: If you are using the simpleSAMLphp software, you MUST migrate to one
of the new metadata aggregates by March 29, 2014, otherwise your metadata
refresh process will break! This is because simpleSAMLphp relies on the
fingerprint of the metadata signing certificate, rather than the public key
in the signing certificate.

Shibboleth deployments do not have the previous problem, but they have a
different problem, that is, some Shibboleth SP deployments are not able to
verify an XML signature that uses the SHA-256 digest algorithm. In that case,
you should migrate to the fallback aggregate, which will continue to use the
SHA-1 digest algorithm until June 30, 2014.

For more information: https://spaces.internet2.edu/x/YYDPAg

Questions? Join this mailing list:
https://lists.incommon.org/sympa/info/metadata-support

------------------------
InC-Ops-Notifications

This is a notification-only email list with an open subscription policy.
Anyone may join this list. For any questions regarding InCommon Operations,
please email
.
For any discussions with the community regarding issues related to
federation, please post to


If you are an official designated InCommon Site Administrator for your
organization, you MUST remain on this email list. The reason is that this
list is the primary means of notifying you regarding timely information that
could potentially affect the way your organization's systems operate in a
federated context.

Unsubscribing: To unsubscribe from this email list, send email to

with the subject: unsub inc-ops-notifications

Subscribing: To subscribe to this email list, send email to

with the subject: sub inc-ops-notifications

Alternatively, subscriptions can be managed at
https://lists.incommon.org/sympa/info/inc-ops-notifications
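Added example, not part of this thread and not code from Shibboleth or InCommon: a stdlib-only Python pre-flight check that an operator can run over a downloaded aggregate before repointing relying-party.xml or shibboleth2.xml. It mirrors the two filters in the configuration posted above (RequiredValidUntil with maxValidityInterval="2419200" and requireSignedMetadata="true") and reports the digest algorithm of the enveloped signature, so a deployment that cannot verify SHA-256 knows to take the fallback aggregate as the notice advises. The sample aggregate, its entityID and the PLACEHOLDER digest and signature values are constructed; the script does not verify the XML signature itself, which remains the job of the SignatureValidation filter and the trust engine holding the securely obtained new signing certificate.

```python
# Added example, not from the thread: a stdlib-only pre-flight check of a
# SAML metadata aggregate before pointing relying-party.xml / shibboleth2.xml
# at the new InCommon location. It mirrors the RequiredValidUntil and
# requireSignedMetadata conditions and reports the digest algorithm so a
# deployment that cannot verify SHA-256 knows to use the fallback aggregate.
# It does NOT verify the XML signature; that stays with the SignatureValidation
# filter and the trust engine holding the new signing certificate.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Standard XML Signature digest algorithm identifiers.
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# Same value as maxValidityInterval="2419200" in the posted filter (28 days, in seconds).
MAX_VALIDITY_INTERVAL = 2419200
# Timestamp of the original post, used as "now" so the demo is reproducible.
THREAD_TIME = datetime(2014, 3, 14, 19, 23, 51, tzinfo=timezone.utc)


def make_aggregate(valid_until, digest_uri):
    """Constructed sample aggregate with a placeholder entity and placeholder
    signature values. valid_until=None omits the attribute; digest_uri=None
    omits the whole ds:Signature element (an unsigned aggregate)."""
    vu = "" if valid_until is None else ' validUntil="%s"' % valid_until
    sig_tmpl = (
        "<ds:Signature><ds:SignedInfo>"
        '<ds:Reference URI="">'
        '<ds:DigestMethod Algorithm="%s"/>'
        "<ds:DigestValue>PLACEHOLDER</ds:DigestValue>"
        "</ds:Reference></ds:SignedInfo>"
        "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
        "</ds:Signature>"
    )
    sig = "" if digest_uri is None else sig_tmpl % digest_uri
    doc_tmpl = (
        '<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s" Name="urn:mace:incommon"%s>'
        "%s"
        '<md:EntityDescriptor entityID="https://sp.example.edu/shibboleth"/>'
        "</md:EntitiesDescriptor>"
    )
    return doc_tmpl % (NS["md"], NS["ds"], vu, sig)


def check_valid_until(root, now, max_interval=MAX_VALIDITY_INTERVAL):
    """Mirror the RequiredValidUntil filter: validUntil must be present, not
    already past, and no more than max_interval seconds in the future."""
    raw = root.get("validUntil")
    if raw is None:
        return False, "no validUntil attribute (RequiredValidUntil rejects it)"
    valid_until = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if valid_until <= now:
        return False, "metadata expired at %s" % raw
    if valid_until - now > timedelta(seconds=max_interval):
        return False, "validUntil more than %d s ahead; filter rejects it" % max_interval
    return True, "validUntil %s within limit" % raw


def digest_algorithm(root):
    """Return the digest algorithm URI of the enveloped signature, or None if unsigned."""
    node = root.find("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    return None if node is None else node.get("Algorithm")


def preflight(xml_text, now, sha2_capable):
    """Decide whether this aggregate can be consumed by the local deployment.
    sha2_capable: whether the local Shibboleth build verifies SHA-256
    signatures (per the notice, IdP 2.0+ on Java 1.4.2+ does; some SPs do not)."""
    root = ET.fromstring(xml_text)
    ok, reason = check_valid_until(root, now)
    if not ok:
        return {"ok": False, "reason": reason}
    digest = digest_algorithm(root)
    if digest is None:
        return {"ok": False, "reason": "aggregate is unsigned; requireSignedMetadata=true rejects it"}
    if digest == DIGEST_SHA256 and not sha2_capable:
        return {"ok": False, "reason": "SHA-256 digest but this deployment cannot verify it; use the fallback aggregate"}
    return {"ok": True, "reason": "digest %s acceptable" % digest}


if __name__ == "__main__":
    cases = (("production aggregate, SHA-2 capable", DIGEST_SHA256, True),
             ("production aggregate, SHA-1-only SP", DIGEST_SHA256, False),
             ("fallback aggregate, SHA-1-only SP", DIGEST_SHA1, False))
    for label, digest, sha2 in cases:
        sample = make_aggregate("2014-03-28T19:00:00Z", digest)
        print(label, "->", preflight(sample, THREAD_TIME, sha2))
```

Running it with a real aggregate means replacing the constructed sample with the downloaded file contents; the validity check uses the same 28-day window as the posted filter, so an aggregate the script rejects would also be rejected by the IdP after the switch.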


