
Metadata configuration instructions for IDEM Federation, IDEM-test and eduGAIN

Shibboleth SP in IDEM Federation:

Configuring the NEW KEY - download the new metadata signing key from:
https://www.idem.garr.it/documenti/doc_download/321-idem-metadata-signer-2019

Verify its authenticity:

openssl x509 -in idem_signer_2019.pem -fingerprint -sha1 -noout
openssl x509 -in idem_signer_2019.pem -fingerprint -md5 -noout

with the following values:

sha1: 2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8
md5: AA:A7:CD:41:2D:3E:B7:F6:02:8A:D3:62:CD:21:F7:DE

Store the key in /etc/shibboleth

Configure file permissions:
chmod 444 /etc/shibboleth/idem_signer_2019.pem

Configuring and verifying the metadata signature (SHA-256):

In /etc/shibboleth/shibboleth2.xml:

        <MetadataProvider type="XML"
                        uri="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
                        backingFilePath="idem-metadata-sha256.xml">
                <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
        </MetadataProvider>

Shibboleth SP in IDEM-test Federation:

Configuring the NEW KEY - download the new metadata signing key from:
https://www.idem.garr.it/documenti/doc_download/321-idem-metadata-signer-2019

Verify its authenticity:

openssl x509 -in idem_signer_2019.pem -fingerprint -sha1 -noout
openssl x509 -in idem_signer_2019.pem -fingerprint -md5 -noout

with the following values:

sha1: 2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8
md5: AA:A7:CD:41:2D:3E:B7:F6:02:8A:D3:62:CD:21:F7:DE

Store the key in /etc/shibboleth

Configure file permissions:
chmod 444 /etc/shibboleth/idem_signer_2019.pem

Configuring and verifying the metadata signature (SHA-256):

In /etc/shibboleth/shibboleth2.xml:

        <MetadataProvider type="XML"
                        uri="http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml"
                        backingFilePath="idem-test-metadata-sha256.xml">
                <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
        </MetadataProvider>

Shibboleth SP IDEM Federation + eduGAIN (only for SP that made opt-in):

Configuring the NEW KEY - download the new metadata signing key from:
https://www.idem.garr.it/documenti/doc_download/321-idem-metadata-signer-2019

Verify its authenticity:

openssl x509 -in idem_signer_2019.pem -fingerprint -sha1 -noout
openssl x509 -in idem_signer_2019.pem -fingerprint -md5 -noout

with the following values:

sha1: 2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8
md5: AA:A7:CD:41:2D:3E:B7:F6:02:8A:D3:62:CD:21:F7:DE

Store the key in /etc/shibboleth

Configure file permissions:
chmod 444 /etc/shibboleth/idem_signer_2019.pem

Configuring and verifying the metadata signature (SHA-256):

In /etc/shibboleth/shibboleth2.xml:

        <MetadataProvider type="XML"
                        uri="http://www.garr.it/idem-metadata/edugain2idem-metadata-sha256.xml"
                        backingFilePath="edugain2idem-metadata-sha256.xml">
                <MetadataFilter type="Signature" certificate="/etc/shibboleth/idem_signer_2019.pem"/>
        </MetadataProvider>

SimpleSAMLphp SP IDEM Federation:

Edit the file /opt/simplesamlphp/config/module_metarefresh.php

$config = array(
   'sets' => array(
      'idem' => array(
         'cron' => array('daily'),
         'sources' => array(
            array(
               'src' => 'http://www.garr.it/idem-metadata/idem-metadata-sha256.xml',
               'validateFingerprint' => '2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8',
               'template' => array(
                  'tags' => array('idem'),
                  'authproc' => array(
                     51 => array('class' => 'core:AttributeMap', 'oid2name'),
                  ),
               ),
            ),
         ),
         'expireAfter' => 60*60*24*5, // Maximum 5 days cache time.
         // The PATH here points to /opt/simplesamlphp
         'outputDir' => 'metadata/idem-federation/',
         /*
         * Which output format the metadata should be saved as.
         * Can be 'flatfile' or 'serialize'.
         * 'flatfile' is the default.
         */
         'outputFormat' => 'flatfile',
      ),
   ),
);

SimpleSAMLphp SP IDEM-test Federation:

Edit the file /opt/simplesamlphp/config/module_metarefresh.php

$config = array(
   'sets' => array(
      'idem' => array(
         'cron' => array('daily'),
         'sources' => array(
            array(
               'src' => 'http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml',
               'validateFingerprint' => '2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8',
               'template' => array(
                  'tags' => array('idem'),
                  'authproc' => array(
                     51 => array('class' => 'core:AttributeMap', 'oid2name'),
                  ),
               ),
            ),
         ),
         'expireAfter' => 60*60*24*5, // Maximum 5 days cache time.
         // The PATH here points to /opt/simplesamlphp
         'outputDir' => 'metadata/idem-federation/',
         /*
         * Which output format the metadata should be saved as.
         * Can be 'flatfile' or 'serialize'.
         * 'flatfile' is the default.
         */
         'outputFormat' => 'flatfile',
      ),
   ),
);

SimpleSAMLphp SP IDEM Federation + eduGAIN (only for SP that made opt-in):

Edit the file /opt/simplesamlphp/config/module_metarefresh.php:

$config = array(
   'sets' => array(
      'idem' => array(
         'cron' => array('daily'),
         'sources' => array(
            array(
               'src' => 'http://www.garr.it/idem-metadata/edugain2idem-metadata-sha256.xml',
               'validateFingerprint' => '2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8',
               'template' => array(
                  'tags' => array('idem'),
                  'authproc' => array(
                     51 => array('class' => 'core:AttributeMap', 'oid2name'),
                  ),
               ),
            ),
         ),
         'expireAfter' => 60*60*24*5, // Maximum 5 days cache time.
         // The PATH here points to /opt/simplesamlphp
         'outputDir' => 'metadata/idem-federation/',
         /*
         * Which output format the metadata should be saved as.
         * Can be 'flatfile' or 'serialize'.
         * 'flatfile' is the default.
         */
         'outputFormat' => 'flatfile',
      ),
   ),
);

Shibboleth IdP IDEM Federation:

Download metadata signing certificate
https://www.idem.garr.it/documenti/doc_download/321-idem-metadata-signer-2019

Verify the fingerprint of the certificate:
openssl x509 -in idem_signer_2019.pem -fingerprint -sha1 -noout
openssl x509 -in idem_signer_2019.pem -fingerprint -md5 -noout

with the following values:
sha1: 2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8
md5: AA:A7:CD:41:2D:3E:B7:F6:02:8A:D3:62:CD:21:F7:DE

Store the certificate idem_signer_2019.pem:
cp idem_signer_2019.pem /opt/shibboleth-idp/credentials
chmod 444 /opt/shibboleth-idp/credentials/idem_signer_2019.pem

For version v2: Update file relying-party.xml - section Metadata Configuration

<!-- *** IDEM prod *** -->
<MetadataProvider id="URLMD-idem" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
     metadataURL="http://www.garr.it/idem-metadata/idem-metadata-sha256.xml"
     backingFile="/opt/shibboleth-idp/metadata/idem-metadata-sha256.xml">
        <!-- other optional attributes in -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider -->
        <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                    trustEngineRef="shibboleth.MetadataTrustEngine"
                    requireSignedMetadata="true" />
        </MetadataFilter>
</MetadataProvider>
[...]
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="IDEMCredentials" xsi:type="security:X509Filesystem"> 
                <security:Certificate>/opt/shibboleth-idp/credentials/idem_signer_2019.pem</security:Certificate>
        </security:Credential>
</security:TrustEngine>

For version v3: Update file metadata-providers.xml:

<MetadataProvider
id="URLMD-IDEM-Federation"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/idem-metadata-sha256.xml"
metadataURL="https://www.garr.it/idem-metadata/idem-metadata-sha256.xml">
<!--
Verify the signature on the root element of the metadata aggregate
using a trusted metadata signing certificate.
-->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="${idp.home}/credentials/idem_signer_2019.pem"/>
<!--
Require a validUntil XML attribute on the root element and
make sure its value is no more than 14 days into the future.
-->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
<!-- Consume all SP metadata in the aggregate -->
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

Shibboleth IdP IDEM-test Federation:

Download the metadata signing certificate
https://www.idem.garr.it/documenti/doc_download/321-idem-metadata-signer-2019

Verify certificate fingerprint:
openssl x509 -in idem_signer_2019.pem -fingerprint -sha1 -noout
openssl x509 -in idem_signer_2019.pem -fingerprint -md5 -noout

with the following values:
sha1: 2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8
md5: AA:A7:CD:41:2D:3E:B7:F6:02:8A:D3:62:CD:21:F7:DE

Store the certificate idem_signer_2019.pem:
cp idem_signer_2019.pem /opt/shibboleth-idp/credentials
chmod 444 /opt/shibboleth-idp/credentials/idem_signer_2019.pem

For version v2: Update the file relying-party.xml - section Metadata Configuration

<!-- *** IDEM test*** -->
<MetadataProvider id="URLMD-idem-test" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
     metadataURL="http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml"
    backingFile="/opt/shibboleth-idp/metadata/idem-test-metadata-sha256.xml">
        <!-- other optional attributes in -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider -->
        <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                    trustEngineRef="shibboleth.MetadataTrustEngine"
                    requireSignedMetadata="true" />
        </MetadataFilter>
</MetadataProvider>
[...]
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="IDEMCredentials" xsi:type="security:X509Filesystem"> 
                <security:Certificate>/opt/shibboleth-idp/credentials/idem_signer_2019.pem</security:Certificate>
        </security:Credential>
</security:TrustEngine>

For version v3: Update file metadata-providers.xml:

<MetadataProvider
id="URLMD-IDEM-Federation"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/idem-test-metadata-sha256.xml"
metadataURL="https://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml">
<!--
Verify the signature on the root element of the metadata aggregate
using a trusted metadata signing certificate.
-->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="${idp.home}/credentials/idem_signer_2019.pem"/>
<!--
Require a validUntil XML attribute on the root element and
make sure its value is no more than 14 days into the future.
-->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
<!-- Consume all SP metadata in the aggregate -->
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

Shibboleth IdP IDEM Federation + eduGAIN (only for IdP in eduGAIN):

Download metadata signing certificate
https://www.idem.garr.it/documenti/doc_download/321-idem-metadata-signer-2019

Verify certificate fingerprint:
openssl x509 -in idem_signer_2019.pem -fingerprint -sha1 -noout
openssl x509 -in idem_signer_2019.pem -fingerprint -md5 -noout

with the following values:
sha1: 2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8
md5: AA:A7:CD:41:2D:3E:B7:F6:02:8A:D3:62:CD:21:F7:DE

Store the certificate idem_signer_2019.pem:
cp idem_signer_2019.pem /opt/shibboleth-idp/credentials
chmod 444 /opt/shibboleth-idp/credentials/idem_signer_2019.pem

For version v2: Update the file relying-party.xml - section Metadata Configuration

<!-- *** IDEM eduGAIN*** -->
<MetadataProvider id="eduGAIN-MD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    metadataURL="http://www.garr.it/idem-metadata/edugain2idem-metadata-sha256.xml"
    backingFile="/opt/shibboleth-idp/metadata/edugain2idem-metadata-sha256.xml">
        <!-- other optional attributes in -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider -->
        <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
                <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
                    trustEngineRef="shibboleth.MetadataTrustEngine"
                    requireSignedMetadata="true" />
        </MetadataFilter>
</MetadataProvider>
[...]
<security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="IDEMCredentials" xsi:type="security:X509Filesystem"> 
                <security:Certificate>/opt/shibboleth-idp/credentials/idem_signer_2019.pem</security:Certificate>
        </security:Credential>
</security:TrustEngine>

For version v3: Update file metadata-providers.xml

<MetadataProvider
id="URLMD-IDEM-Federation"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/edugain2idem-metadata-sha256.xml"
metadataURL="https://www.garr.it/idem-metadata/edugain2idem-metadata-sha256.xml">
<!--
Verify the signature on the root element of the metadata aggregate
using a trusted metadata signing certificate.
-->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="${idp.home}/credentials/idem_signer_2019.pem"/>
<!--
Require a validUntil XML attribute on the root element and
make sure its value is no more than 14 days into the future.
-->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
<!-- Consume all SP metadata in the aggregate -->
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

SimpleSAMLphp IdP IDEM Federation:

Edit the file /opt/simplesamlphp/config/module_metarefresh.php:

$config = array(
   'sets' => array(
      'idem' => array(
         'cron' => array('daily'),
         'sources' => array(
            array(
               'src' => 'http://www.garr.it/idem-metadata/idem-metadata-sha256.xml',
               'validateFingerprint' => '2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8',
               'template' => array(
                  'tags' => array('idem'),
                  'authproc' => array(
                     51 => array('class' => 'core:AttributeMap', 'oid2name'),
                  ),
               ),
            ),
         ),
         'expireAfter' => 60*60*24*5, // Maximum 5 days cache time.
         // The PATH here points to /opt/simplesamlphp
         'outputDir' => 'metadata/idem-federation/',
         /*
         * Which output format the metadata should be saved as.
         * Can be 'flatfile' or 'serialize'.
         * 'flatfile' is the default.
         */
         'outputFormat' => 'flatfile',
      ),
   ),
);

SimpleSAMLphp IdP IDEM-test Federation:

Edit the file /opt/simplesamlphp/config/module_metarefresh.php:

$config = array(
   'sets' => array(
      'idem' => array(
         'cron' => array('daily'),
         'sources' => array(
            array(
               'src' => 'http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml',
               'validateFingerprint' => '2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8',
               'template' => array(
                  'tags' => array('idem'),
                  'authproc' => array(
                     51 => array('class' => 'core:AttributeMap', 'oid2name'),
                  ),
               ),
            ),
         ),
         'expireAfter' => 60*60*24*5, // Maximum 5 days cache time.
         // The PATH here points to /opt/simplesamlphp
         'outputDir' => 'metadata/idem-federation/',
         /*
         * Which output format the metadata should be saved as.
         * Can be 'flatfile' or 'serialize'.
         * 'flatfile' is the default.
         */
         'outputFormat' => 'flatfile',
      ),
   ),
);

SimpleSAMLphp IdP IDEM Federation + eduGAIN (only for IdP included in eduGAIN):

Edit the file /opt/simplesamlphp/config/module_metarefresh.php:

$config = array(
   'sets' => array(
      'idem' => array(
         'cron' => array('daily'),
         'sources' => array(
            array(
               'src' => 'http://www.garr.it/idem-metadata/edugain2idem-metadata-sha256.xml',
               'validateFingerprint' => '2F:F8:24:78:6A:A9:2D:91:29:19:2F:7B:33:33:FF:59:45:C1:7C:C8',
               'template' => array(
                  'tags' => array('idem'),
                  'authproc' => array(
                     51 => array('class' => 'core:AttributeMap', 'oid2name'),
                  ),
               ),
            ),
         ),
         'expireAfter' => 60*60*24*5, // Maximum 5 days cache time.
         // The PATH here points to /opt/simplesamlphp
         'outputDir' => 'metadata/idem-federation/',
         /*
         * Which output format the metadata should be saved as.
         * Can be 'flatfile' or 'serialize'.
         * 'flatfile' is the default.
         */
         'outputFormat' => 'flatfile',
      ),
   ),
);
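Every section above pins the same two checks: the signing certificate's fingerprint must equal the value published out of band (done by hand with openssl for Shibboleth, and automatically by the SimpleSAMLphp validateFingerprint setting), and, for Shibboleth IdP v3, the RequiredValidUntil filter refuses metadata whose validUntil is missing or more than 14 days (P14D) ahead. The Python below is an added example of both checks; it is not part of this page nor of the Shibboleth or SimpleSAMLphp projects. It assumes the certificate is available as a PEM string. The embedded certificate is a constructed placeholder whose base64 payload decodes to the bytes "abc" rather than to a real X.509 structure, so its fingerprints are deliberately not the IDEM signer values listed above; substitute the contents of idem_signer_2019.pem and the published fingerprints to run it for real.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed placeholder "certificate": the payload decodes to b"abc", not
# to a real DER certificate. Replace with the real idem_signer_2019.pem text.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Pinned fingerprints must come from an out-of-band source (the federation's
# published values), never from the downloaded file itself. These are the
# SHA-1 and MD5 of the constructed payload above, in openssl's output format.
PINNED = {
    "sha1": "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D",
    "md5": "90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72",
}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprint(der: bytes, algo: str) -> str:
    """Digest of the DER bytes in the colon-separated upper-case form that
    `openssl x509 -fingerprint` prints (e.g. 2F:F8:24:...)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp: str) -> str:
    # Accept copies with or without colons and in either case.
    return fp.replace(":", "").upper()


def fingerprint_matches(pem: str, expected: str, algo: str = "sha1") -> bool:
    """Compare the computed fingerprint with the pinned one in constant time."""
    actual = _normalise(fingerprint(pem_to_der(pem), algo))
    return hmac.compare_digest(actual, _normalise(expected))


def verify_signer_cert(pem: str, pinned: Dict[str, str]) -> Dict[str, bool]:
    """Check every pinned algorithm; any False means the downloaded file is
    not the certificate the federation published and must not be installed."""
    return {algo: fingerprint_matches(pem, value, algo) for algo, value in pinned.items()}


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp as used in SAML validUntil; 'Z' is UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def valid_until_ok(valid_until: Optional[str], now: datetime, max_days: int = 14) -> bool:
    """Mirror of the IdP v3 RequiredValidUntil filter with maxValidityInterval
    P14D: validUntil must be present, not already expired, and no more than
    max_days ahead. A distant validUntil would let a stale or withdrawn
    aggregate stay trusted long after the federation stopped publishing it."""
    if valid_until is None:
        return False
    vu = parse_ts(valid_until)
    return now <= vu <= now + timedelta(days=max_days)


if __name__ == "__main__":
    print("fingerprints:", verify_signer_cert(SAMPLE_PEM, PINNED))
    print("validUntil ok:", valid_until_ok("2019-06-10T00:00:00Z", parse_ts("2019-06-01T00:00:00Z")))
```

The fingerprint functions reproduce only the verification step; the XML signature on the aggregate itself is still checked by the Signature/SignatureValidation filters and by metarefresh once the pinned certificate is installed with the permissions shown above.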
