This document describes how to configure a Shibboleth Service Provider (SP) to download the UW Identity Provider (IdP) local metadata file and, optionally, verify the digital signature. To learn about other options to consume UW IdP metadata, see UW IdP Metadata.
Configuration
Configuration
- Open your
shibboleth2.xml
file for editing. - Find the section with
MetadataProvider
elements. - Add the following
MetadataProvider
:<MetadataProvider type=
"XML"
url=
"https://idp.u.washington.edu/metadata/idp-metadata.xml"
backingFilePath=
"idp-metadata.xml"
reloadInterval=
"7200"
>
<MetadataFilter type=
"Signature"
certificate=
"uw-idp-md-cert.pem"
/>
</MetadataProvider>
- The
MetadataFilter
element says that the signature onidp-metadata.xml
should be verified using theuw-idp-md-cert.pem
certificate. - If you don’t intend to validate the signature, omit the
MetadataFilter
element. - If you have configured a
MetadataProvider
for the InCommon metadata aggregate or MDQ, you should comment it out or delete it. - Save your shibboleth2.xml file.
- Complete these steps if your SP will verify the digital signature on UW metadata.
- Download and save the UW IdP signing certificate file in the same directory as your
shibboleth2.xml
file. Name it something likeuw-idp-md-cert.pem
. - This signing certificate is identical to the one included in the UW section of the InCommon metadata aggregate.
- Restart the shibd process on your SP however you normally do that on your platform.
- This will cause Shibboleth to check the
MetadataProvider
locations and to download any updates. Shibboleth will also verify the digital signatures on any metadata where it is configured to do so.
- The restart of shibd, reloading of metadata, and signature verification should all be recorded in
shibd.log
. - Open the log file and scroll to near the bottom of the file to find messages from the shibd restart.
- Look for messages like the following (numbering added for clarity, these are not present in the log file):
1
.
2018
-
03
-
23
12
:
05
:
16
INFO OpenSAML.Metadata.Chaining : building MetadataProvider of type XML
2
.
2018
-
03
-
23
12
:
05
:
16
INFO OpenSAML.Metadata : building MetadataFilter of type Signature
3
.
2018
-
03
-
23
12
:
05
:
16
INFO XMLTooling.SecurityHelper : loading certificate(s) from file (C:/opt/shibboleth-sp/etc/shibboleth/uw-idp-md-cert.pem)
4
.
2018
-
03
-
23
12
:
05
:
16
INFO XMLTooling.CredentialResolver.File : no
private
key resolved, usable
for
verification/trust only
5
.
2018
-
03
-
23
12
:
05
:
17
INFO OpenSAML.Metadata.XML : loaded XML resource (https:
//idp.u.washington.edu/metadata/idp-metadata.xml)
6
.
2018
-
03
-
23
12
:
05
:
17
INFO OpenSAML.Metadata : applying metadata filter (Signature)
7
.
2018
-
03
-
23
12
:
05
:
17
INFO OpenSAML.Metadata.XML : adjusted reload interval to
7200
seconds
8
.
2018
-
03
-
23
12
:
05
:
17
INFO OpenSAML.Metadata.XML : reload thread started...running every
7200
seconds
- Message #3 indicates that the certificate file on disk was successfully loaded (this will be present only if the SP is configured to load the IdP signing certificate).
- Message #5 indicates that the local UW IdP metadata file was successfully loaded.
- Message #6 indicates that the signature on the metadata file was successfully verified (this will be present only if the SP is configured to verify the digital signature).
- If instead you see warning or errors for these entries, go back and verify you have followed these instructions.