Configure a Shibboleth SP to Use the InCommon Metadata Aggregate File

Last updated: May 31, 2024
Audience: IT Staff / Technical

This document describes how to configure a Shibboleth Service Provider (SP) to download the InCommon IdP-only metadata aggregate file and verify the digital signature. To learn about other options to consume UW IdP metadata, see UW IdP Metadata.

Configuration

Configuration Steps

  1. Open your shibboleth2.xml file for editing.
  2. Find the section with MetadataProvider elements.
  3. Add the following MetadataProvider:
    <MetadataProvider type="XML" url="https://mdq.incommon.org/entities/idps/all"
    backingFilePath="inc-idp-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="inc-cert.pem"/>
    </MetadataProvider>
  4. The MetadataFilter element says that the signature on inc-idp-metadata.xml should be verified using the inc-cert.pem certificate.
  5. If you have configured a MetadataProvider for the InCommon MDQ service or for the local UW IdP metadata endpoint, you should comment it out or delete it.
  6. Save your shibboleth2.xml file.

  1. The InCommon signing certificate can be downloaded at https://spaces.at.internet2.edu/display/MDQ/production+metadata+signing+key.
  2. Save the certificate file in the same directory as your shibboleth2.xml file. Name it something like inc-cert.pem.

  1. Restart the shibd process on your SP however you normally do that on your platform.
  2. This will cause Shibboleth to check the MetadataProvider locations and to download any updates. Shibboleth will also verify the digital signatures on any metadata where it is configured to do so.

  1. The restart of shibd, reloading of metadata, and signature verification should all be recorded in shibd.log.
  2. Open the log file and scroll to near the bottom of the file to find messages from the shibd restart.
  3. Look for messages like the following (numbering added for clarity, these are not present in the log file):
    12018-03-23 12:05:16 INFO OpenSAML.Metadata.Chaining : building MetadataProvider of type XML
    22018-03-23 12:05:16 INFO OpenSAML.Metadata : building MetadataFilter of type Signature
    32018-03-23 12:05:16 INFO XMLTooling.SecurityHelper : loading certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/inc-cert.pem)
    42018-03-23 12:05:16 INFO XMLTooling.CredentialResolver.File : no private key resolved, usable for verification/trust only
    52018-03-23 12:05:17 INFO OpenSAML.Metadata.XML : loaded XML resource (https://mdq.incommon.org/entities/idps/all)
    62018-03-23 12:05:17 INFO OpenSAML.Metadata : applying metadata filter (Signature)
    72018-03-23 12:05:17 INFO OpenSAML.Metadata.XML : adjusted reload interval to 7200 seconds
    82018-03-23 12:05:17 INFO OpenSAML.Metadata.XML : reload thread started...running every 7200 seconds
  4. Message #3 indicates that the certificate file on disk was successfully loaded.
  5. Message #5 indicates that the InCommon IdP-only metadata aggregate file was successfully loaded.
  6. Message #6 indicates that the signature on the metadata file was successfully verified.
  7. If instead you see warning or errors for these entries, go back and verify you have followed these instructions.