metadata-support - [Metadata-Support] Questions about InCommon Metadata migration process
Subject: InCommon metadata support
List archive
- From: "Alvarez, Dyana I" <>
- To: "" <>
- Cc: "Alvarez, Dyana I" <>
- Subject: [Metadata-Support] Questions about InCommon Metadata migration process
- Date: Fri, 14 Mar 2014 19:23:51 +0000
- Accept-language: en-US
Hi,
My name is Dyana Alvarez and I am a programmer for the University of Miami.
We received this email and would like to know if there are any forums that I
can research in order to do this.
We are running Shibboleth IDP 2.3.8 and Java version 1.6.
We know that we need to do this on the IDP side:
"If you are running Shibboleth IdP version 2.0 (or later), you are almost
certainly running Java 1.4.2 (or later). In that case, your software is
compatible with SHA-2 and you can migrate to the new production metadata
aggregate at your convenience (but no later than March 29, 2014)."
And the option of having to "Securely download and install a copy of the new
metadata signing certificate."
First we will change our Relying-party.xml from
http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml to
http://md.incommon.org/InCommon/InCommon-metadata.xml
As follow:
<metadata:MetadataProvider id="URLMD_incommon"
xsi:type="FileBackedHTTPMetadataProvider"
maxRefreshDelay="PT8H"
xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="
http://md.incommon.org/InCommon/InCommon-metadata.xml"
backingFile="c:\shibboleth-idpDev238/metadata/InCommon-metadata.xml">
<metadata:MetadataFilter
xsi:type="ChainingFilter">
<metadata:MetadataFilter
xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
<metadata:MetadataFilter
xsi:type="SignatureValidation" trustEngineRef="InCommonMetadataTrustEngine"
requireSignedMetadata="true"/>
<metadata:MetadataFilter
xsi:type="metadata:EntityRoleWhiteList">
<metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
</metadata:MetadataFilter>
</metadata:MetadataFilter>
</metadata:MetadataProvider>
Does the SP side need to do anything? We have 40+ SP's that run different
platforms, (Linux, Windows).
It seems the windows SP should need to make changes to the Shibboleth2.xml
and change the URL there in Windows from
http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml to
http://md.incommon.org/InCommon/InCommon-metadata.xml
How do we know our version is a supported Shibboleth idP software?
Dyana Alvarez
Sr. Programmer
P: (305) 284-3521
-----Original Message-----
From: Kadiyala, Anil
Sent: Wednesday, March 12, 2014 8:50 PM
To: Alvarez, Dyana I
Subject: FW: [InCommon NOTICE] metadata migration process [ACTION REQUIRED]
Dyana, we need to discuss this change for the Incommon metadata tag in
relyingparty xml configuration file. May need to promote..
Thanks.
-----Original Message-----
From:
[mailto:]
On Behalf Of Tom Scavo
Sent: Wednesday, March 12, 2014 4:13 PM
To:
Subject: [InCommon NOTICE] metadata migration process [ACTION REQUIRED]
You are receiving this message because you are a site administrator or a
delegated administrator for the InCommon Federation. The following ACTION IS
REQUIRED: Migrate to one of the new metadata aggregates ASAP but no later
than March 29, 2014.
On March 29, 2014, the legacy metadata aggregate at location
http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
will be replaced with a redirect to the following new location:
http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml
The above fallback aggregate was introduced on December 18, 2013. At that
time, a new production metadata aggregate signed using the
SHA-256 digest algorithm was also introduced at the following
location:
http://md.incommon.org/InCommon/InCommon-metadata.xml
ACTION: Migrate to one of the new metadata aggregates ASAP but no later than
March 29, 2014! See: https://spaces.internet2.edu/x/YYDPAg
The new metadata aggregates are signed with the same trusted signing key that
we've always used but the corresponding signing certificate has been renewed.
Before you migrate to one of the new metadata aggregates, bootstrap your
secure metadata refresh process by obtaining an authentic copy of the new
metadata signing certificate.
See: https://spaces.internet2.edu/x/moHFAg
WARNING: If you are using the simpleSAMLphp software, you MUST migrate to one
of the new metadata aggregates by March 29, 2014, otherwise your metadata
refresh process will break! This is because simpleSAMLphp relies on the
fingerprint of the metadata signing certificate, rather than the public key
in the signing certificate.
Shibboleth deployments do not have the previous problem, but they have a
different problem, that is, some Shibboleth SP deployments are not able to
verify an XML signature that uses the SHA-256 digest algorithm. In that case,
you should migrate to the fallback aggregate, which will continue to use the
SHA-1 digest algorithm until June 30, 2014.
For more information: https://spaces.internet2.edu/x/YYDPAg
Questions? Join this mailing list:
https://lists.incommon.org/sympa/info/metadata-support
------------------------
InC-Ops-Notifications
This is a notification-only email list with an open subscription policy.
Anyone may join this list. For any questions regarding InCommon Operations,
please email
.
For any discussions with the community regarding issues related to
federation, please post to
If you are an official designated InCommon Site Administrator for your
organization, you MUST remain on this email list. The reason is that this
list is the primary means of notifying you regarding timely information that
could potentially affect the way your organization's systems operate in a
federated context.
Unsubscribing: To unsubscribe from this email list, send email to
with the subject: unsub inc-ops-notifications
Subscribing: To subscribe to this email list, send email to
with the subject: sub inc-ops-notifications
Alternatively, subscriptions can be managed at
https://lists.incommon.org/sympa/info/inc-ops-notifications
- [Metadata-Support] Questions about InCommon Metadata migration process, Alvarez, Dyana I, 03/14/2014
- Re: [Metadata-Support] Questions about InCommon Metadata migration process, Tom Scavo, 03/14/2014
- Re: [Metadata-Support] Questions about InCommon Metadata migration process, Cantor, Scott, 03/14/2014
- RE: [Metadata-Support] Questions about InCommon Metadata migration process, Alvarez, Dyana I, 03/17/2014
- Re: [Metadata-Support] Questions about InCommon Metadata migration process, Tom Scavo, 03/17/2014
- Re: [Metadata-Support] Questions about InCommon Metadata migration process, Cantor, Scott, 03/17/2014
- Re: [Metadata-Support] Questions about InCommon Metadata migration process, Tom Scavo, 03/17/2014
- <Possible follow-up(s)>
- Re: [Metadata-Support] Questions about InCommon Metadata migration process, Cantor, Scott, 03/14/2014
- Re: [Metadata-Support] Questions about InCommon Metadata migration process, Tom Scavo, 03/14/2014
Archive powered by MHonArc 2.6.16.