Dear Italy-IDEM Federation Participants,
In line with the new standards, the security assessment and upgrade, and the inter-federation agreements, and in order to reach a higher security level and greater interoperability between federations, the Italy-IDEM Federation has set up a new distribution system for its Federation metadata.
At the same time we have a new metadata signing key, because the metadata signing certificate currently in use is expiring.
The new certificate is available at https://www.idem.garr.it/documenti/doc_download/321-idem-metadata-signer-2019
1- Idem Federation metadata will be distributed in four different forms:
a) with SHA-256 hash signed
b) with SHA-1 hash signed (NEW key). Please keep in mind that SHA-1 is being phased out during the current year (2014), so you are kindly asked to upgrade your systems as soon as possible.
c) with SHA-1 hash signed (OLD key, expiring on the 17th of April 2014). The same remark applies: SHA-1 is being phased out during the current year (2014), so you are kindly asked to upgrade your systems as soon as possible.
d) not signed, available only until the 15th of January 2015
The new locations of Italy-IDEM metadata are:
Italy-IDEM Federation (Production):
http://www.garr.it/idem-metadata/idem-metadata-sha256.xml (NEW key, SHA-256)
http://www.garr.it/idem-metadata/idem-metadata-sha1.xml (NEW key, SHA-1)
https://www.idem.garr.it/docs/conf/signed-metadata.xml (OLD key, SHA-1, until 17/Apr/2014)
https://www.idem.garr.it/docs/conf/idem-metadata.xml (NOT signed, until 15/Jan/2015)
Italy-IDEM Federation (Test):
http://www.garr.it/idem-metadata/idem-test-metadata-sha256.xml (NEW key, SHA-256)
http://www.garr.it/idem-metadata/idem-test-metadata-sha1.xml (NEW key, SHA-1)
https://www.idem.garr.it/docs/conf/signed-test-metadata.xml (OLD key, SHA-1, until 17/Apr/2014)
https://www.idem.garr.it/docs/conf/idem-test-metadata.xml (NOT signed, until 15/Jan/2015)
Only for entities with eduGAIN opt-in:
http://www.garr.it/idem-metadata/edugain2idem-metadata-sha256.xml (NEW key, SHA-256)
http://www.garr.it/idem-metadata/edugain2idem-metadata-sha1.xml (NEW key, SHA-1)
Usage recommendations:
- SAML2 (Shibboleth 2.x) resources MUST use SHA-256
- SAML1 (Shibboleth 1.x) resources MUST use SHA-1 (but it is STRONGLY RECOMMENDED to upgrade to Shibboleth 2.x and SHA-256)
- Resources currently using the unsigned metadata are kindly asked to switch to a signed version; this becomes MANDATORY from the 15th of January 2015.
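Before repointing a deployment at one of the feeds above, it is worth checking what the downloaded aggregate actually advertises: which hash family its signature uses, whether the embedded signer certificate is the new one, and whether the aggregate is still valid. The following is an added example written for this announcement, not a GARR/IDEM tool; it audits a metadata document with the Python standard library only, pins the signer by the SHA-256 fingerprint of its DER bytes (here a constructed placeholder, not the real IDEM certificate), and reports SHA-1 feeds, unsigned feeds, signer mismatches and expired aggregates. It does not verify the XML signature cryptographically; that remains the job of the SP or IdP metadata signature filter, which this check complements.

```python
"""Pre-flight audit of a SAML metadata aggregate after a signer rollover.

Added example, not IDEM/GARR tooling. It reports what the feed advertises:
signature/digest hash family (SHA-1 or SHA-256), whether the embedded signing
certificate matches a pinned fingerprint, and whether validUntil has passed.
It does not verify the XML signature itself; the SP/IdP metadata filter does.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}
SHA256_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmlenc#sha256"}

# Constructed placeholder standing in for the signer certificate's DER bytes;
# a real deployment pins the SHA-256 fingerprint of the published signer cert.
FAKE_SIGNER_DER = b"constructed-placeholder-signer-certificate"
FAKE_SIGNER_B64 = base64.b64encode(FAKE_SIGNER_DER).decode()
PINNED_SIGNER_SHA256 = hashlib.sha256(FAKE_SIGNER_DER).hexdigest()


def parse_saml_time(value):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form used in SAML metadata."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sample_metadata(sig_alg, digest_alg, cert_b64, valid_until):
    """Constructed minimal aggregate shaped like a signed EntitiesDescriptor."""
    return f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    Name="https://federation.example.invalid" validUntil="{valid_until}">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.invalid/idp"/>
</md:EntitiesDescriptor>"""


# Constructed unsigned aggregate, the form that is withdrawn on 15 January 2015.
UNSIGNED_SAMPLE = (f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" '
                   'validUntil="2015-01-15T00:00:00Z"/>')


def audit_metadata(xml_text, pinned_sha256, now=None):
    """Return a dict describing what the feed advertises plus a list of problems."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    report = {"signed": False, "hash_family": None, "signer_pinned": False,
              "expired": False, "problems": []}

    sig = root.find("ds:Signature", NS)
    if sig is None:
        report["problems"].append("metadata is not signed")
    else:
        report["signed"] = True
        sig_alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        dig_alg = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS).get("Algorithm")
        if sig_alg in SHA256_ALGS and dig_alg in SHA256_ALGS:
            report["hash_family"] = "sha256"
        elif sig_alg in SHA1_ALGS or dig_alg in SHA1_ALGS:
            # A SHA-1 signature or digest anywhere in the chain counts as SHA-1.
            report["hash_family"] = "sha1"
            report["problems"].append("feed is signed with SHA-1; switch to the SHA-256 feed")
        else:
            report["hash_family"] = "unknown"
            report["problems"].append(f"unrecognised algorithms {sig_alg} / {dig_alg}")

        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            report["problems"].append("no signing certificate embedded in the signature")
        else:
            # Real feeds wrap the base64 over several lines; strip all whitespace first.
            der = base64.b64decode("".join(cert.text.split()))
            report["signer_pinned"] = hashlib.sha256(der).hexdigest() == pinned_sha256
            if not report["signer_pinned"]:
                report["problems"].append("embedded signer certificate does not match the pinned fingerprint")

    valid_until = root.get("validUntil")
    if valid_until is None:
        report["problems"].append("aggregate carries no validUntil")
    elif parse_saml_time(valid_until) < now:
        report["expired"] = True
        report["problems"].append(f"aggregate expired at {valid_until}")
    return report


if __name__ == "__main__":
    sample = build_sample_metadata("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                                   "http://www.w3.org/2000/09/xmldsig#sha1",
                                   FAKE_SIGNER_B64, "2014-04-17T00:00:00Z")
    print(audit_metadata(sample, PINNED_SIGNER_SHA256, now=parse_saml_time("2014-05-01T00:00:00Z")))
```

To use it against a real download, replace the constructed sample with the file fetched from one of the URLs above and set the pinned value to the SHA-256 fingerprint of the published signer certificate; a report with an empty `problems` list means the feed is SHA-256 signed by the expected key and not yet expired.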
You can find configuration guides at the following URL:
Thank you very much for your attention. Regards,