
metadata-support - RE: [Metadata-Support] Questions about InCommon Metadata migration process

  • From: "Alvarez, Dyana I" <>
  • To: Tom Scavo <>, "" <>
  • Subject: RE: [Metadata-Support] Questions about InCommon Metadata migration process
  • Date: Mon, 17 Mar 2014 14:25:09 +0000
  • Accept-language: en-US

Hi,

I appreciate all your help.
I have some questions on the step to "Securely download and install a copy
of the new metadata signing certificate".
We looked at the Wiki https://spaces.internet2.edu/x/moHFAg and were able to
download the copy and put it in our certificates location
(\credentials\incommon.pem).
However, we are not so sure about step 2, because it's for Linux. Do you have
instructions for Windows?
We are running Windows Server 2003 SP2 Standard Edition.

We only have instructions for Linux, as follows:

# Step 2: Compute the SHA-1 and SHA-256 fingerprints of the metadata signing certificate
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha1 -noout -fingerprint
SHA1 Fingerprint=7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD
$ /bin/cat $MD_CERT_PATH | /usr/bin/openssl x509 -sha256 -noout -fingerprint
SHA256 Fingerprint=2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B

We could perform the above step in a Linux environment, but that won't be our
IdP (Windows).
What do you recommend?

Have a good day,

Dyana Alvarez
Sr. Programmer
P: (305) 284-3521


-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Friday, March 14, 2014 4:47 PM
To:
Cc: Alvarez, Dyana I
Subject: Re: [Metadata-Support] Questions about InCommon Metadata migration
process

Hi Dyana,

On Fri, Mar 14, 2014 at 3:23 PM, Alvarez, Dyana I <> wrote:
>
> My name is Dyana Alvarez and I am a programmer for the University of Miami.
> We received this email and would like to know if there are any forums that
> I can research in order to do this.
>
> We are running Shibboleth IDP 2.3.8 and Java version 1.6.
>
> We know that we need to do this on the IDP side:
>
> "If you are running Shibboleth IdP version 2.0 (or later), you are almost
> certainly running Java 1.4.2 (or later). In that case, your software is
> compatible with SHA-2 and you can migrate to the new production metadata
> aggregate at your convenience (but no later than March 29, 2014)."

Yes, that is correct.

> And the option of having to "Securely download and install a copy of the
> new metadata signing certificate."

Shibboleth completely ignores the certificate wrapper and uses only the
public key in the certificate. Since the metadata signing key has not
changed, that implies you do not need to download and install a copy of the
new metadata signing certificate (strictly speaking). That said, we strongly
suggest that you do. Detailed instructions are in the wiki:
https://spaces.internet2.edu/x/moHFAg

> First we will change our Relying-party.xml from
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml to
> http://md.incommon.org/InCommon/InCommon-metadata.xml
> As follow:
>
> <metadata:MetadataProvider id="URLMD_incommon"
>     xsi:type="FileBackedHTTPMetadataProvider"
>     maxRefreshDelay="PT8H"
>     xmlns="urn:mace:shibboleth:2.0:metadata"
>     metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
>     backingFile="c:\shibboleth-idpDev238/metadata/InCommon-metadata.xml">
>   <metadata:MetadataFilter xsi:type="ChainingFilter">
>     <metadata:MetadataFilter xsi:type="RequiredValidUntil"
>         maxValidityInterval="2419200" />
>     <metadata:MetadataFilter xsi:type="SignatureValidation"
>         trustEngineRef="InCommonMetadataTrustEngine"
>         requireSignedMetadata="true"/>
>     <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
>       <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
>     </metadata:MetadataFilter>
>   </metadata:MetadataFilter>
> </metadata:MetadataProvider>

That looks about right. I will refer you to the wiki for details:
https://spaces.internet2.edu/x/XAQjAQ

> Does the SP side need to do anything?

Yes, same as the IdP.

> We have 40+ SP's that run different platforms, (Linux, Windows).

Well, if you are using Shibboleth, we are pretty sure nothing will break on
March 29 since Shibboleth will handle the redirect that we intend to put into
place. That said, you should certainly migrate those SPs if you can. Here's
an algorithm you can use to quickly learn where the issues might lie:
https://spaces.internet2.edu/x/Y4DPAg

> It seems the windows SP should need to make changes to the
> Shibboleth2.xml and change the URL there in Windows from
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml to
> http://md.incommon.org/InCommon/InCommon-metadata.xml

Yes, see the Shibboleth Metadata Config wiki page I referenced earlier. It
shows how to configure both the IdP and SP.

> How do we know our version is a supported Shibboleth idP software?

Well, that's a question for the Shibboleth Project but I would be very
surprised if IdP 2.3.8 were no longer being supported by the Project.

Hope this helps,

Tom
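The Windows-side equivalent of the wiki's step 2 quoted earlier in this thread, as an added example that is not part of the thread, the InCommon wiki or Shibboleth: it computes the same SHA-1 and SHA-256 fingerprints that `openssl x509 -fingerprint` prints, using only the Python standard library, so it runs unchanged on a Windows host with no openssl, provided a Python 3 interpreter is installed there (an assumption). The point a practitioner needs to know is that the fingerprint is the digest of the DER-encoded certificate, i.e. of the base64-decoded body between the BEGIN/END lines, not of the .pem file's bytes; hashing the file with a generic file hasher gives a different, useless value. The expected values are the two fingerprints quoted from the wiki above; the script name, the default file path and the embedded sample "certificate" are constructed for illustration.

```python
"""Compute X.509 certificate fingerprints the way `openssl x509 -fingerprint`
does, with the standard library only, so it works on Windows as on Linux.
Added example; not InCommon wiki or Shibboleth code."""
import base64
import hashlib
import hmac
import re
import sys

# The published values quoted from the InCommon wiki step 2 in this thread.
EXPECTED_SHA1 = "7D:B4:BB:28:D3:D5:C8:52:E0:80:B3:62:43:2A:AF:34:B2:A6:0E:DD"
EXPECTED_SHA256 = ("2F:9D:9A:A1:FE:D1:92:F0:64:A8:C6:31:5D:39:FA:CF:"
                   "1E:08:84:0D:27:21:F3:31:B1:70:A5:2B:88:81:9F:5B")

# Constructed stand-in, NOT a real certificate: the body is base64 of the
# three bytes b"abc", whose SHA-1/SHA-256 are standard test vectors.  It only
# exercises the parsing and formatting; the real file is the downloaded one.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              "YWJj\r\n"
              "-----END CERTIFICATE-----\r\n")

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM string.

    openssl's fingerprint is the digest of the DER encoding, i.e. of the
    base64-decoded body between the BEGIN/END lines, not of the file bytes.
    All whitespace (including Windows CRLF line endings) is dropped before
    decoding; strict decoding rejects a truncated or corrupted download.
    """
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    body = "".join(m.group(1).split())
    return base64.b64decode(body, validate=True)


def fingerprint(der, algorithm):
    """Colon-separated upper-case hex digest, openssl's display format."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints(pem_text):
    """Both fingerprints of the certificate in pem_text."""
    der = pem_to_der(pem_text)
    return {"sha1": fingerprint(der, "sha1"),
            "sha256": fingerprint(der, "sha256")}


def verify(pem_text, expected_sha1=EXPECTED_SHA1,
           expected_sha256=EXPECTED_SHA256):
    """True only if BOTH fingerprints match the published values.

    Requiring both means a SHA-1-only match (the weaker digest) is not
    accepted on its own; compare_digest keeps the comparison constant-time.
    """
    fp = fingerprints(pem_text)
    ok1 = hmac.compare_digest(fp["sha1"], expected_sha1.upper())
    ok256 = hmac.compare_digest(fp["sha256"], expected_sha256.upper())
    return ok1 and ok256


if __name__ == "__main__":
    # Default path is the location given in the thread (assumed drive-relative).
    path = sys.argv[1] if len(sys.argv) > 1 else r"\credentials\incommon.pem"
    with open(path, "r") as f:
        text = f.read()
    fp = fingerprints(text)
    print("SHA1 Fingerprint=" + fp["sha1"])
    print("SHA256 Fingerprint=" + fp["sha256"])
    print("match:", verify(text))
    sys.exit(0 if verify(text) else 1)
```

Run it on the Windows host as `python fingerprint.py C:\credentials\incommon.pem` (script name and path are illustrative); a non-zero exit means the downloaded certificate is not the one the wiki publishes and must not be installed. The same script gives identical output on Linux, so it can be cross-checked against the openssl commands there.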


