IdP3.2.1 metadata config and requireSignedRoot
Rich Graves
rgraves at carleton.edu
Tue Dec 22 13:00:17 EST 2015
This works for me. No guarantee that it's "best," but in the tradition of USENET, I trust that any error in my config will be corrected by a followup.
<MetadataProvider id="InCommonMD" xsi:type="FileBackedHTTPMetadataProvider"
                  metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
                  backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata-dynamic.xml"
                  refreshDelayFactor="0.125"
                  httpCaching="memory"
                  maxRefreshDelay="PT2H">
    <MetadataFilter xsi:type="ChainingFilter">
        <!-- Reject the aggregate unless its validUntil is present and
             no more than 14 days in the future -->
        <MetadataFilter xsi:type="RequiredValidUntil"
                        maxValidityInterval="P14D" />
        <!-- Verify the signature against the InCommon metadata signing
             certificate; the signature must be on the root
             EntitiesDescriptor. This is what authenticates the
             plain-http download above. -->
        <MetadataFilter xsi:type="SignatureValidation"
                        certificateFile="/opt/shibboleth-idp/credentials/inc-md-cert.pem"
                        requireSignedRoot="true" />
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <!-- This limits us to service providers only -->
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataFilter>
</MetadataProvider>
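As an added illustration (not part of the original post, and not the IdP's own code), the following Python models what the three filters in the posted chain accept, reject or strip, run over a constructed sample aggregate. It checks validUntil against the 14-day window, checks that the ds:Signature element sits on the root EntitiesDescriptor (which is the point of requireSignedRoot; the cryptographic verification itself is left to xmlsec and not modelled), and keeps only entities with an SPSSODescriptor. The entityIDs, timestamps and the clock value are constructed.

```python
"""Model of the RequiredValidUntil, SignatureValidation (requireSignedRoot) and
EntityRoleWhiteList filters from a Shibboleth IdP 3 metadata provider chain.
Added example; sample metadata, entityIDs and the clock value are constructed."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MD = "{%s}" % NS["md"]
# SAML 2.0 metadata role descriptor element names
ROLE_TAGS = {MD + n for n in ("SPSSODescriptor", "IDPSSODescriptor",
                              "AttributeAuthorityDescriptor", "AuthnAuthorityDescriptor",
                              "PDPDescriptor", "RoleDescriptor")}


class MetadataRejected(Exception):
    """Raised when a filter would discard the whole document."""


def parse_xsd_datetime(value):
    # validUntil is an xsd:dateTime; metadata uses UTC with a 'Z' suffix.
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def required_valid_until(root, now, max_validity):
    """RequiredValidUntil: validUntil must exist and lie within max_validity of now."""
    value = root.get("validUntil")
    if value is None:
        raise MetadataRejected("root has no validUntil attribute")
    valid_until = parse_xsd_datetime(value)
    if valid_until <= now:
        raise MetadataRejected("metadata already expired")
    if valid_until > now + max_validity:
        raise MetadataRejected("validUntil %s exceeds maxValidityInterval" % value)


def require_signed_root(root):
    """requireSignedRoot="true": a ds:Signature directly under the root element.
    A signature on a nested EntityDescriptor does not satisfy it."""
    if root.find("ds:Signature", NS) is None:
        raise MetadataRejected("root element is not signed")


def entity_role_whitelist(root, retained_roles):
    """EntityRoleWhiteList: strip non-retained roles, drop entities with none left."""
    retained = {MD + role for role in retained_roles}
    for entity in list(root.iterfind("md:EntityDescriptor", NS)):
        for child in list(entity):
            if child.tag in ROLE_TAGS and child.tag not in retained:
                entity.remove(child)
        if not any(child.tag in retained for child in entity):
            root.remove(entity)


def filter_metadata(xml_text, now, max_validity=dt.timedelta(days=14),
                    retained_roles=("SPSSODescriptor",)):
    """Apply the chain in the posted order; return the entityIDs that survive."""
    root = ET.fromstring(xml_text)
    required_valid_until(root, now, max_validity)
    require_signed_root(root)
    entity_role_whitelist(root, retained_roles)
    return [e.get("entityID") for e in root.iterfind("md:EntityDescriptor", NS)]


def rejection_reason(xml_text, now):
    """None if the document passes the chain, else the first filter's complaint."""
    try:
        filter_metadata(xml_text, now)
    except MetadataRejected as exc:
        return str(exc)
    return None


NOW = dt.datetime(2015, 12, 22, 18, 0, tzinfo=dt.timezone.utc)  # constructed clock


def sample(valid_until, signed=True):
    """Constructed two-entity aggregate (one SP, one IdP)."""
    attr = ' validUntil="%s"' % valid_until if valid_until else ""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    return ('<md:EntitiesDescriptor xmlns:md="%s"%s>%s'
            '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            '</md:EntityDescriptor>'
            '<md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            '</md:EntityDescriptor>'
            '</md:EntitiesDescriptor>') % (NS["md"], attr, sig)


if __name__ == "__main__":
    print("kept:", filter_metadata(sample("2015-12-29T18:00:00Z"), NOW))
    for bad in (sample("2016-02-01T00:00:00Z"),            # too far in the future
                sample(None),                              # no validUntil at all
                sample("2015-12-29T18:00:00Z", signed=False)):  # unsigned root
        print("rejected:", rejection_reason(bad, NOW))
```

Run it and the IdP-only entity disappears from the kept list while the three bad aggregates are rejected by the first filter that objects; in the real IdP the rejected document is discarded and the provider keeps serving the last good backing file, which is why the 14-day cap matters: it bounds how long a stale or withheld aggregate can stay in use.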