
Subject: InCommon metadata support


Re: [Metadata-Support] Questions about InCommon Metadata migration process
  • From: Tom Scavo <>
  • To:
  • Cc: "Alvarez, Dyana I" <>
  • Subject: Re: [Metadata-Support] Questions about InCommon Metadata migration process
  • Date: Fri, 14 Mar 2014 16:46:44 -0400

Hi Dyana,

On Fri, Mar 14, 2014 at 3:23 PM, Alvarez, Dyana I <> wrote:
>
> My name is Dyana Alvarez and I am a programmer for the University of Miami.
> We received this email and would like to know if there are any forums that
> I can research in order to do this.
>
> We are running Shibboleth IDP 2.3.8 and Java version 1.6.
>
> We know that we need to do this on the IDP side:
>
> "If you are running Shibboleth IdP version 2.0 (or later), you are almost
> certainly running Java 1.4.2 (or later). In that case, your software is
> compatible with SHA-2 and you can migrate to the new production metadata
> aggregate at your convenience (but no later than March 29, 2014)."

Yes, that is correct.

> And the option of having to "Securely download and install a copy of the
> new metadata signing certificate."

Shibboleth completely ignores the certificate wrapper and uses only
the public key in the certificate. Since the metadata signing key has
not changed, that implies you do not need to download and install a
copy of the new metadata signing certificate (strictly speaking). That
said, we strongly suggest that you do. Detailed instructions are in
the wiki: https://spaces.internet2.edu/x/moHFAg

> First we will change our relying-party.xml from
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml to
> http://md.incommon.org/InCommon/InCommon-metadata.xml
> as follows:
>
> <metadata:MetadataProvider id="URLMD_incommon"
>     xsi:type="FileBackedHTTPMetadataProvider"
>     maxRefreshDelay="PT8H"
>     xmlns="urn:mace:shibboleth:2.0:metadata"
>     metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
>     backingFile="c:\shibboleth-idpDev238/metadata/InCommon-metadata.xml">
>   <metadata:MetadataFilter xsi:type="ChainingFilter">
>     <metadata:MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
>     <metadata:MetadataFilter xsi:type="SignatureValidation"
>         trustEngineRef="InCommonMetadataTrustEngine"
>         requireSignedMetadata="true"/>
>     <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
>       <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
>     </metadata:MetadataFilter>
>   </metadata:MetadataFilter>
> </metadata:MetadataProvider>

That looks about right. I will refer you to the wiki for details:
https://spaces.internet2.edu/x/XAQjAQ

> Does the SP side need to do anything?

Yes, same as the IdP.

> We have 40+ SPs that run on different platforms (Linux, Windows).

Well, if you are using Shibboleth, we are pretty sure nothing will
break on March 29 since Shibboleth will handle the redirect that we
intend to put into place. That said, you should certainly migrate
those SPs if you can. Here's an algorithm you can use to quickly learn
where the issues might lie: https://spaces.internet2.edu/x/Y4DPAg

> It seems the Windows SP should need to make changes to the shibboleth2.xml
> and change the URL there in Windows from
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml to
> http://md.incommon.org/InCommon/InCommon-metadata.xml

Yes, see the Shibboleth Metadata Config wiki page I referenced
earlier. It shows how to configure both the IdP and SP.

> How do we know our version is a supported Shibboleth IdP software?

Well, that's a question for the Shibboleth Project but I would be very
surprised if IdP 2.3.8 were no longer being supported by the Project.

Hope this helps,

Tom
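Tom's point that Shibboleth uses only the public key from the metadata signing certificate suggests a quick check before swapping in a new certificate: confirm that it carries the same key as the one already trusted. The script below is an added example, not part of the original thread and not InCommon's or Shibboleth's own tooling; it assumes openssl is on PATH and builds its own constructed certificates to exercise both the unchanged-key and rolled-key cases.

```shell
#!/bin/sh
# Added example, not code from the original thread or from InCommon/Shibboleth:
# check whether two metadata signing certificates wrap the same public key,
# which is all Shibboleth actually uses from the certificate.
# Assumes openssl is on PATH; certificate files are constructed locally
# below as stand-ins for the old and new InCommon signing certificates.
set -eu

# SHA-256 fingerprint of a PEM certificate's SubjectPublicKeyInfo (DER form).
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) when both certificates carry the same public key.
same_signing_key() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# Constructed fixtures: one key behind two differently named certificates
# (a re-issued certificate over an unchanged key, as in the migration above)
# and a certificate over a fresh key (a real key rollover). Prints the dir.
make_fixtures() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/key1.pem" 2048 2>/dev/null
    openssl genrsa -out "$d/key2.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 1 -key "$d/key1.pem" -subj "/CN=old-signer" \
        -out "$d/old.pem" 2>/dev/null
    openssl req -new -x509 -days 1 -key "$d/key1.pem" -subj "/CN=new-signer" \
        -out "$d/new-same-key.pem" 2>/dev/null
    openssl req -new -x509 -days 1 -key "$d/key2.pem" -subj "/CN=new-signer" \
        -out "$d/new-rolled.pem" 2>/dev/null
    echo "$d"
}

# Demo when run directly with --demo (e.g. "sh this-script.sh --demo").
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixtures)
    same_signing_key "$fx/old.pem" "$fx/new-same-key.pem" \
        && echo "old.pem / new-same-key.pem: same key, certificate swap is safe"
    same_signing_key "$fx/old.pem" "$fx/new-rolled.pem" \
        || echo "old.pem / new-rolled.pem: key changed, treat as a key rollover"
fi
```

Against real files, run the same two functions on the currently trusted certificate and the newly downloaded one; a mismatch means the trust engine's key has genuinely changed and the new certificate must be installed, not merely recommended.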
