InCommon metadata support

["Alvarez, Dyana I" <>]

Hi,

I appreciate all your help.
I have some questions on the step to " Securely download and install a copy 
of the new metadata signing certificate".
We looked at the Wiki https://spaces.internet2.edu/x/moHFAg and were able to 
download the copy and put in our certificates location 
(\credentials\incommon.pem).
However step 2, we are not so sure because it's for Linux.  Do you have 
instructions for Windows?
We are running Windows Server 2003 SP 2 Standard Edition. 

We only have instructions for Linux as follow:

# Step 2: Compute the SHA-1 and SHA-256 fingerprints of the metadata signing 
certificate $ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha1 -noout 
-fingerprint SHA1 
Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD $ 
/bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha256 -noout -fingerprint 
SHA256 
Fingerprint=2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B

We could perform the above step in a Linux environment but it won't be our 
IdP (Windows).
What do you recommend?

Have a good day, 

Dyana Alvarez
Sr. Programmer
P: (305) 284-3521


-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Tom Scavo
Sent: Friday, March 14, 2014 4:47 PM
To: 

Cc: Alvarez, Dyana I
Subject: Re: [Metadata-Support] Questions about InCommon Metadata migration 
process

Hi Dyana,

On Fri, Mar 14, 2014 at 3:23 PM, Alvarez, Dyana I 
<>
 wrote:
>
> My name is Dyana Alvarez and I am a programmer for the University of Miami.
> We received this email and would like to know if there are any forums that 
> I can research in order to do this.
>
> We are running Shibboleth IDP 2.3.8 and Java version 1.6.
>
> We know that we need to do this on the IDP side:
>
> "If you are running Shibboleth IdP version 2.0 (or later), you are almost 
> certainly running Java 1.4.2 (or later). In that case, your software is 
> compatible with SHA-2 and you can migrate to the new production metadata 
> aggregate at your convenience (but no later than March 29, 2014)."

Yes, that is correct.

> And the option of having to "Securely download and install a copy of the 
> new metadata signing certificate."

Shibboleth completely ignores the certificate wrapper and uses only the 
public key in the certificate. Since the metadata signing key has not 
changed, that implies you do not need to download and install a copy of the 
new metadata signing certificate (strictly speaking). That said, we strongly 
suggest that you do. Detailed instructions are in the wiki: 
https://spaces.internet2.edu/x/moHFAg

> First we will change our Relying-party.xml from 
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml to 
> http://md.incommon.org/InCommon/InCommon-metadata.xml
> As follow:
>
> <metadata:MetadataProvider id="URLMD_incommon"
>                         xsi:type="FileBackedHTTPMetadataProvider"
>                         maxRefreshDelay="PT8H"
>                         xmlns="urn:mace:shibboleth:2.0:metadata"
>                         metadataURL=" 
> http://md.incommon.org/InCommon/InCommon-metadata.xml";
>                         
> backingFile="c:\shibboleth-idpDev238/metadata/InCommon-metadata.xml">
>                                 <metadata:MetadataFilter 
> xsi:type="ChainingFilter">
>                                         <metadata:MetadataFilter 
> xsi:type="RequiredValidUntil" maxValidityInterval="2419200" />
>                                         <metadata:MetadataFilter 
> xsi:type="SignatureValidation" trustEngineRef="InCommonMetadataTrustEngine"
>                                         requireSignedMetadata="true"/>
>                                         <metadata:MetadataFilter 
> xsi:type="metadata:EntityRoleWhiteList">
>                         
> <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
>                         </metadata:MetadataFilter>
>                 </metadata:MetadataFilter>  
> </metadata:MetadataProvider>

That looks about right. I will refer you to the wiki for details:
https://spaces.internet2.edu/x/XAQjAQ

> Does the SP side need to do anything?

Yes, same as the IdP.

> We have 40+ SP's that run different platforms, (Linux, Windows).

Well, if you are using Shibboleth, we are pretty sure nothing will break on 
March 29 since Shibboleth will handle the redirect that we intend to put into 
place. That said, you should certainly migrate those SPs if you can. Here's 
an algorithm you can use to quickly learn where the issues might lie: 
https://spaces.internet2.edu/x/Y4DPAg

> It seems the windows SP should need to make changes to the 
> Shibboleth2.xml and change the URL there in Windows from 
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml to 
> http://md.incommon.org/InCommon/InCommon-metadata.xml

Yes, see the Shibboleth Metadata Config wiki page I referenced earlier. It 
shows how to configure both the IdP and SP.

> How do we know our version is a supported Shibboleth idP software?

Well, that's a question for the Shibboleth Project but I would be very 
surprised if IdP 2.3.8 were no longer being supported by the Project.

Hope this helps,

Tom