
metadata-support - [Metadata-Support] Re: [InCommon NOTICE] Fwd: metadata migration in progress [ACTION REQUIRED]

Subject: InCommon metadata support

  • From: Tom Scavo <>
  • To: Michael Skafidas <>
  • Cc: Tom Scavo <>, "" <>
  • Subject: [Metadata-Support] Re: [InCommon NOTICE] Fwd: metadata migration in progress [ACTION REQUIRED]
  • Date: Wed, 25 Jun 2014 10:53:15 -0400

[Michael, please subscribe to metadata-support for followups (see the
link at the bottom of this message)]

On Wed, Jun 25, 2014 at 10:39 AM, Michael Skafidas
<>
wrote:
> Sorry but we are not clear if any changes need to be made on our part,
> since we make changes to the IDP very infrequently. We are using
> http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml

That resource no longer exists. A redirect was put in its place on
March 31st, so you need to migrate.

> This is a snippet from our relying-party.xml
>
> <MetadataProvider id="incommon-metadata"
>     xsi:type="FileBackedHTTPMetadataProvider"
>     xmlns="urn:mace:shibboleth:2.0:metadata"
>     metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml"
>     backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata.xml">
>   <MetadataFilter xsi:type="ChainingFilter"
>       xmlns="urn:mace:shibboleth:2.0:metadata">
>     <!--
>     <MetadataFilter xsi:type="RequiredValidUntil"
>         xmlns="urn:mace:shibboleth:2.0:metadata"
>         maxValidityInterval="604800" />
>     -->
>     <MetadataFilter xsi:type="SignatureValidation"
>         xmlns="urn:mace:shibboleth:2.0:metadata"
>         trustEngineRef="shibboleth.MetadataTrustEngine"
>         requireSignedMetadata="true" />
>     <MetadataFilter xsi:type="EntityRoleWhiteList"
>         xmlns="urn:mace:shibboleth:2.0:metadata">
>       <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
>     </MetadataFilter>
>   </MetadataFilter>
> </MetadataProvider>

Compare that config with the recommended config:
https://spaces.internet2.edu/x/XAQjAQ

Hope this helps,

Tom

> On 6/25/14, 9:39 AM, Tom Scavo wrote:
>> LAST CALL: The fallback metadata aggregate will be synced with the
>> production metadata aggregate on Monday, June 30, 2014. To avoid a
>> forced migration to metadata signed with SHA-256 digest algorithm, all
>> deployments should migrate to the production metadata aggregate ASAP
>> but no later than June 30, 2014. Please see the message below for
>> details.
>>
>>
>> ---------- Forwarded message ----------
>> From: Tom Scavo
>> <>
>> Date: Mon, May 5, 2014 at 11:46 AM
>> Subject: metadata migration in progress [ACTION REQUIRED]
>> To:
>>
>>
>>
>> You are receiving this message because you are a Site Administrator
>> for the InCommon Federation. Your IMMEDIATE ACTION may be required.
>>
>> EVENT: On June 30, 2014, the fallback metadata aggregate will be
>> synced with the production metadata aggregate; that is, after June 30,
>> all metadata aggregates published by the InCommon Federation will be
>> signed using the SHA-256 digest algorithm.
>>
>> OUTCOME: All deployments must be able to verify an XML signature that
>> uses a SHA-256 digest algorithm by June 30, 2014.
>>
>> ACTION: If your SAML deployment is currently consuming the fallback
>> metadata aggregate, migrate to either the production metadata
>> aggregate or the preview metadata aggregate ASAP but no later than
>> June 30, 2014.
>>
>> The legacy metadata aggregate was replaced by a redirect to the
>> fallback metadata aggregate on March 31, 2014. Consequently, every
>> deployment in the InCommon Federation is consuming one of the
>> following metadata aggregates:
>>
>> * http://md.incommon.org/InCommon/InCommon-metadata.xml (production)
>> * http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml (fallback)
>> * http://md.incommon.org/InCommon/InCommon-metadata-preview.xml (preview)
>>
>> The production and preview aggregates are signed using the SHA-256
>> digest algorithm. The fallback aggregate is signed using the SHA-1
>> digest algorithm.
>>
>> For more info about metadata aggregates:
>> https://spaces.internet2.edu/x/SoG8Ag
>>
>> If your SAML deployment is currently consuming the fallback metadata
>> aggregate, migrate to either the production metadata aggregate or the
>> preview metadata aggregate by June 30th. This will ensure that your
>> deployment is compatible with SHA-256. If you do not migrate, your
>> metadata consumption process may stop working on June 30th.
>>
>> For more info about the metadata migration process:
>> https://spaces.internet2.edu/x/YYDPAg
>>
>> Questions? Join this mailing list:
>> https://lists.incommon.org/sympa/info/metadata-support
>>
>> -----
>> InCommon Operations
>
>
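
Added example, not part of the original message or of InCommon's or Shibboleth's own tooling: a small Python audit that classifies each `metadataURL` in a Shibboleth metadata provider config against the aggregates named in the notice, lists the filters that are actually active, and reads the digest algorithm from an aggregate's signature. The function names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:mace:shibboleth:2.0:metadata}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Aggregate URLs as listed in the thread; True means the deployment must migrate.
AGGREGATES = {
    "http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml": ("legacy", True),
    "http://md.incommon.org/InCommon/InCommon-metadata-fallback.xml": ("fallback", True),
    "http://md.incommon.org/InCommon/InCommon-metadata.xml": ("production", False),
    "http://md.incommon.org/InCommon/InCommon-metadata-preview.xml": ("preview", False),
}

def audit_providers(config_xml):
    """Report aggregate, migration need and active filters per HTTP metadata provider."""
    findings = []
    for prov in ET.fromstring(config_xml).iter(MD + "MetadataProvider"):
        url = prov.get("metadataURL")
        if url is None:  # e.g. a chaining or file-only provider
            continue
        name, migrate = AGGREGATES.get(url.strip(), ("unknown", None))
        # ElementTree drops XML comments, so a commented-out filter is not listed.
        filters = [f.get(XSI_TYPE, "").split(":")[-1] for f in prov.iter(MD + "MetadataFilter")]
        findings.append({"id": prov.get("id"), "aggregate": name,
                         "must_migrate": migrate, "active_filters": filters})
    return findings

def digest_algorithms(aggregate_xml):
    """Return DigestMethod URIs found in the aggregate (inspection only, no verification)."""
    return {d.get("Algorithm") for d in ET.fromstring(aggregate_xml).iter(DS + "DigestMethod")}

# Constructed sample mirroring the quoted relying-party.xml snippet.
SAMPLE_CONFIG = """<MetadataProvider id="incommon-metadata"
    xmlns="urn:mace:shibboleth:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml">
  <MetadataFilter xsi:type="ChainingFilter">
    <!-- <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="604800"/> -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedMetadata="true"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList"/>
  </MetadataFilter>
</MetadataProvider>"""

# Constructed stub of a signed aggregate: only the element that names the digest algorithm.
SAMPLE_AGGREGATE = ('<EntitiesDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature>'
    '<ds:SignedInfo><ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
    '</ds:Reference></ds:SignedInfo></ds:Signature></EntitiesDescriptor>')

if __name__ == "__main__":
    print(audit_providers(SAMPLE_CONFIG))
    print(digest_algorithms(SAMPLE_AGGREGATE))
```

Reading the `DigestMethod` only shows which algorithm the consumer has to support; the signature itself is still checked by the `SignatureValidation` filter in the deployment.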


