IdP3.2.1 metadata config and requireSignedRoot

Tom Scavo trscavo at
Tue Dec 22 13:21:33 EST 2015

On Tue, Dec 22, 2015 at 1:00 PM, Rich Graves <rgraves at> wrote:
> I trust that any error in my config will be corrected by a followup.
>         <MetadataProvider id="InCommonMD" xsi:type="FileBackedHTTPMetadataProvider"
>                           metadataURL=""
>                           backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata-dynamic.xml"
>                           refreshDelayFactor="0.125"
>                           httpCaching="memory"
>                           maxRefreshDelay="PT2H">
>             <MetadataFilter xsi:type="ChainingFilter">
>                 <MetadataFilter xsi:type="RequiredValidUntil"
>                                 maxValidityInterval="P14D" />
>                 <MetadataFilter xsi:type="SignatureValidation"
>                                 certificateFile="/opt/shibboleth-idp/credentials/inc-md-cert.pem"
>                                 requireSignedRoot="true" />
>                 <MetadataFilter xsi:type="EntityRoleWhiteList">
>                     <!-- This limits us to service providers only -->
>                     <RetainedRole>md:SPSSODescriptor</RetainedRole>
>                 </MetadataFilter>
>             </MetadataFilter>
>         </MetadataProvider>

I don't see any errors but I do have a few comments:

- What is the purpose of httpCaching="memory" for

- <MetadataFilter xsi:type="ChainingFilter"> is redundant. (Yes, I
know the wiki still shows an example like that.)

- Should you use %{idp.home} instead of "/opt/shibboleth-idp"?

- Of course I'm wondering about requireSignedRoot as well, but I'll
let the discussion thread go where it may.

Btw, is your JVM set to at least 1024MB of heap space? You will
definitely need that once InCommon starts importing eduGAIN metadata
on Feb 15.
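The three filters in the quoted configuration run in order over the fetched aggregate. To show concretely what each one decides, here is an added Python emulation that is not Shibboleth IdP code and not part of the thread: it runs the RequiredValidUntil bound check, the structural half of SignatureValidation with requireSignedRoot="true" (is there a ds:Signature directly under the root EntitiesDescriptor), and the EntityRoleWhiteList role stripping over a constructed sample aggregate. The entityIDs, the fixed clock NOW and the placeholder signature are all constructed for the example; cryptographic verification against inc-md-cert.pem is deliberately out of scope.

```python
"""Emulate the MetadataFilter chain from the quoted IdP config over a
constructed sample aggregate (not a real InCommon file)."""
import copy
import re
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Fixed clock so the example is deterministic (constructed value).
NOW = datetime(2015, 12, 22, 18, 21, 33, tzinfo=timezone.utc)

# Constructed aggregate: signed at the root, 10 days of validity, one pure
# SP, one pure IdP, and one entity carrying both roles.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="{md}" xmlns:ds="{ds}"
    Name="urn:example:constructed" validUntil="{valid_until}">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://both.example.net/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>""".format(
    md=MD, ds=DS,
    valid_until=(NOW + timedelta(days=10)).strftime("%Y-%m-%dT%H:%M:%SZ"))

ROLE_TAGS = {f"{{{MD}}}{r}" for r in (
    "SPSSODescriptor", "IDPSSODescriptor", "AttributeAuthorityDescriptor",
    "AuthnAuthorityDescriptor", "PDPDescriptor", "RoleDescriptor")}


def parse_day_duration(iso_duration):
    """Parse the PnD subset of ISO 8601 durations used by maxValidityInterval."""
    m = re.fullmatch(r"P(\d+)D", iso_duration)
    if m is None:
        raise ValueError(f"unsupported duration: {iso_duration}")
    return timedelta(days=int(m.group(1)))


def required_valid_until(root, now, max_validity_interval="P14D"):
    """RequiredValidUntil: the root must carry validUntil, and it must not lie
    further in the future than maxValidityInterval. Expiry itself is enforced
    elsewhere in the IdP, so only presence and the upper bound are checked."""
    value = root.get("validUntil")
    if value is None:
        return False
    valid_until = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return valid_until - now <= parse_day_duration(max_validity_interval)


def has_signed_root(root):
    """Structural half of SignatureValidation with requireSignedRoot="true":
    a ds:Signature must be a direct child of the root element. Verifying that
    signature against the configured certificate is not done here."""
    return root.find(f"{{{DS}}}Signature") is not None


def retain_roles(root, retained=("SPSSODescriptor",)):
    """EntityRoleWhiteList: strip role descriptors that are not retained and
    drop any entity left without a role. Returns a filtered deep copy."""
    keep = {f"{{{MD}}}{r}" for r in retained}
    filtered = copy.deepcopy(root)
    for entity in list(filtered.findall(f"{{{MD}}}EntityDescriptor")):
        for child in list(entity):
            if child.tag in ROLE_TAGS and child.tag not in keep:
                entity.remove(child)
        if not any(child.tag in ROLE_TAGS for child in entity):
            filtered.remove(entity)
    return filtered


def apply_filter_chain(xml_text, now=NOW, retained=("SPSSODescriptor",)):
    """Run the three filters in the order the quoted config lists them and
    report each verdict plus the entityIDs that survive the role whitelist."""
    root = ET.fromstring(xml_text)
    filtered = retain_roles(root, retained)
    return {
        "valid_until_ok": required_valid_until(root, now),
        "signed_root": has_signed_root(root),
        "entity_ids": [e.get("entityID")
                       for e in filtered.findall(f"{{{MD}}}EntityDescriptor")],
    }


if __name__ == "__main__":
    print(apply_filter_chain(SAMPLE_METADATA))
```

With the sample, the IdP-only entity disappears while the SP and the dual-role entity survive, which is exactly the effect of keeping only md:SPSSODescriptor; unsigned or over-long-lived metadata is reported as failing before any entity is trusted.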
