IdP3.2.1 metadata config and requireSignedRoot
Tom Scavo
trscavo at gmail.com
Tue Dec 22 13:21:33 EST 2015
On Tue, Dec 22, 2015 at 1:00 PM, Rich Graves <rgraves at carleton.edu> wrote:
> I trust that any error in my config will be corrected by a followup.
>
> <MetadataProvider id="InCommonMD" xsi:type="FileBackedHTTPMetadataProvider"
>     metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml"
>     backingFile="/opt/shibboleth-idp/metadata/InCommon-metadata-dynamic.xml"
>     refreshDelayFactor="0.125"
>     httpCaching="memory"
>     maxRefreshDelay="PT2H">
>   <MetadataFilter xsi:type="ChainingFilter">
>     <MetadataFilter xsi:type="RequiredValidUntil"
>         maxValidityInterval="P14D" />
>     <MetadataFilter xsi:type="SignatureValidation"
>         certificateFile="/opt/shibboleth-idp/credentials/inc-md-cert.pem"
>         requireSignedRoot="true" />
>     <MetadataFilter xsi:type="EntityRoleWhiteList">
>       <!-- This limits us to service providers only -->
>       <RetainedRole>md:SPSSODescriptor</RetainedRole>
>     </MetadataFilter>
>   </MetadataFilter>
> </MetadataProvider>
I don't see any errors, but I do have a few comments:
- What is the purpose of httpCaching="memory" for FileBackedHTTPMetadataProvider?
- <MetadataFilter xsi:type="ChainingFilter"> is redundant. (Yes, I know the wiki still shows an example like that.)
- Should you use %{idp.home} instead of "/opt/shibboleth-idp"?
- Of course I'm wondering about requireSignedRoot as well, but I'll let the discussion thread go where it may.
Btw, is your JVM set to at least 1024MB of heap space? You will
definitely need that once InCommon starts importing eduGAIN metadata
on Feb 15.
Tom
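As an added example (my own, not Shibboleth's code), here is a small Python model of what the three filters in the quoted provider do, run over a constructed aggregate. The entity IDs, the fixed "now" and the sample XML are assumptions, and the signature step only checks that the root EntitiesDescriptor carries an enveloped ds:Signature (what requireSignedRoot demands) rather than verifying it against certificateFile, which needs an XML-DSig library.

```python
"""Simplified model of RequiredValidUntil (P14D), SignatureValidation with
requireSignedRoot, and EntityRoleWhiteList (md:SPSSODescriptor), applied to
a constructed SAML metadata aggregate. Not the real Shibboleth filter code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed "now" (assumption) roughly matching the date of this thread.
NOW = datetime(2015, 12, 22, 18, 0, 0, tzinfo=timezone.utc)


def sample_aggregate(valid_until, signed_root=True):
    """Constructed two-entity aggregate (one SP, one IdP); not real InCommon data."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignedInfo/></ds:Signature>' if signed_root else '')
    return (f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" validUntil="{valid_until}">'
            f'{sig}'
            '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
            '<md:SPSSODescriptor/></md:EntityDescriptor>'
            '<md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">'
            '<md:IDPSSODescriptor/></md:EntityDescriptor>'
            '</md:EntitiesDescriptor>')


def filter_aggregate(xml_text, now=NOW, max_validity=timedelta(days=14),
                     require_signed_root=True):
    """Return (accepted, reason, retained entityIDs) for the aggregate."""
    root = ET.fromstring(xml_text)
    # RequiredValidUntil: validUntil must be present and at most P14D ahead.
    vu = root.get("validUntil")
    if vu is None:
        return False, "validUntil missing on root", []
    valid_until = datetime.strptime(vu, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if valid_until <= now:
        return False, "metadata already expired", []
    if valid_until - now > max_validity:
        return False, "validUntil exceeds maxValidityInterval", []
    # SignatureValidation with requireSignedRoot: an unsigned root is rejected
    # outright, even if individual EntityDescriptors carry their own signatures.
    if require_signed_root and root.find("ds:Signature", NS) is None:
        return False, "root EntitiesDescriptor is not signed", []
    # EntityRoleWhiteList: keep only entities with an md:SPSSODescriptor role.
    retained = [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)
                if e.find("md:SPSSODescriptor", NS) is not None]
    return True, "ok", retained
```

Pointing the script at the real backingFile instead of sample_aggregate() gives a quick preflight of whether a downloaded aggregate would survive the filter chain before the IdP is restarted.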