Metadata URL and metadata signing certificate
The UK federation metadata is required for the IdP to validate UK federation service providers (SPs), and for the SPs to validate IdPs. It contains SAML metadata for all registered UK federation IdP and SP deployments. The UK federation provides two metadata services:
To protect against tampering, the UK federation metadata is signed using the UK federation's private key, and the corresponding public key must be used to verify the signature. The public key is available at this URL in the form of a self-signed X.509 certificate:
The certificate is required in the IdP configuration so that it can be used to verify the signature on the UK federation metadata. It needs to be downloaded and saved to the %{idp.home}/credentials directory.
However, as this certificate secures the entire UK federation, you should not rely on it until you have checked its authenticity. To do this, you should verify the certificate's SHA-256 fingerprint. You can use the commands we would ask you to use for Certificate Verification.
To verify it you need to compare the resulting value with the correct fingerprint value, which can be obtained from the UK federation team. To guard against the possibility of this web site being compromised, you should contact them by telephone. Their phone number can be found on the UK federation helpdesk contact information page.
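The fingerprint check described above, as an added example that is not part of the UK federation's own documentation: the script decodes a PEM certificate to its DER bytes, hashes them with SHA-256 and formats the digest the way openssl prints it, then compares the result against the value obtained out of band in constant time. The SAMPLE_PEM block is a constructed stand-in whose base64 body decodes to the bytes "abc", not a real certificate; run the script with the path to the downloaded ukfederation.pem to fingerprint the real file.

```python
"""Compute and check the SHA-256 fingerprint of a PEM certificate (added example)."""
import base64
import hashlib
import hmac
import re
import sys

# Constructed stand-in for a PEM file: the body "YWJj" is base64 for b"abc".
# A real ukfederation.pem carries a DER-encoded X.509 certificate here instead.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop line breaks and stray whitespace
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(pem_text: str) -> str:
    """Colon-separated upper-case hex digest of the DER bytes, as openssl prints it."""
    digest = hashlib.sha256(pem_to_der(pem_text)).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize(fp: str) -> str:
    """Accept a fingerprint with or without colons or spaces, in any case; return bare hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """Compare the computed fingerprint with the expected one in constant time."""
    want = normalize(expected)
    if len(want) != 64:  # SHA-256 is 32 bytes = 64 hex digits
        raise ValueError("expected value is not a SHA-256 fingerprint")
    got = normalize(sha256_fingerprint(pem_text))
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    # Usage: python fingerprint.py /path/to/ukfederation.pem [EXPECTED_FINGERPRINT]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            pem = fh.read()
    else:
        pem = SAMPLE_PEM
    print(sha256_fingerprint(pem))
    if len(sys.argv) > 2:
        print("MATCH" if fingerprint_matches(pem, sys.argv[2]) else "MISMATCH")
```

The value printed for a real file is the same one `openssl x509 -in ukfederation.pem -noout -sha256 -fingerprint` reports, so either can be compared with the fingerprint confirmed by telephone with the UK federation team.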
Configuration example for Shibboleth IdP
After you have downloaded the UK federation signing certificate and verified its authenticity as described above, you configure the IdP to use the UK federation metadata by editing %{idp.home}/conf/metadata-providers.xml and adding the following MetadataProvider element. There are comments in the default file distributed with the IdP that describe where this element should be placed, and there are two example configuration elements.
<MetadataProvider id="UKfederationMetadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/ukfederation-metadata.xml"
    metadataURL="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/ukfederation.pem"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
    <MetadataFilter xsi:type="SchemaValidation"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
Configuration example for Shibboleth SP
Within shibboleth2.xml
The <MetadataProvider> element
Find the line <MetadataProvider type="XML"> and remove the comment markers before that line and after the closing </MetadataProvider> tag. Edit the element so it reads as follows, but make the backingFilePath value specify the location of the Shibboleth SP configuration files:
<MetadataProvider type="XML" url="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
backingFilePath="/path/to/ukfederation-metadata.xml" reloadInterval="14400">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
<MetadataFilter type="Signature" certificate="ukfederation.pem"/>
</MetadataProvider>
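A check for both the IdP element above and this SP element, as an added example that is neither the UK federation's nor the Shibboleth project's code: it parses MetadataProvider elements and reports any that lack the signature filter or the validUntil filter this page asks for, handling the IdP spelling (xsi:type="SignatureValidation", "RequiredValidUntil") and the SP spelling (type="Signature", "RequireValidUntil"). The WEAK_IDP element is a constructed counter-example with no filters; the IDP and SP constants are the two elements from this page.

```python
"""Audit Shibboleth MetadataProvider elements for the UK federation filters (added example)."""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
TYPE_ATTRS = (f"{{{XSI}}}type", "type")          # IdP uses xsi:type, SP uses type
SIGNATURE_FILTERS = {"SignatureValidation", "Signature"}       # IdP name, SP name
VALIDUNTIL_FILTERS = {"RequiredValidUntil", "RequireValidUntil"}

# Constructed weak IdP provider: fetches the metadata but applies no filter at all,
# so unsigned or stale metadata would be accepted.
WEAK_IDP = """
<MetadataProvider id="UKfederationMetadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/ukfederation-metadata.xml"
    metadataURL="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/>
"""

# The IdP provider element from this page.
IDP = """
<MetadataProvider id="UKfederationMetadata" xsi:type="FileBackedHTTPMetadataProvider"
    backingFile="%{idp.home}/metadata/ukfederation-metadata.xml"
    metadataURL="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/ukfederation.pem"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
    <MetadataFilter xsi:type="SchemaValidation"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
"""

# The SP provider element from this page (shibboleth2.xml form).
SP = """
<MetadataProvider type="XML" url="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
    backingFilePath="/path/to/ukfederation-metadata.xml" reloadInterval="14400">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2592000"/>
    <MetadataFilter type="Signature" certificate="ukfederation.pem"/>
</MetadataProvider>
"""


def _filter_type(elem: ET.Element) -> str:
    """Return the filter's type from whichever attribute spelling is present."""
    for attr in TYPE_ATTRS:
        if elem.get(attr):
            return elem.get(attr)
    return ""


def audit_providers(xml_text: str) -> list[str]:
    """Return findings for every MetadataProvider in the fragment; empty means it passes."""
    # Constructed wrapper so a bare element parses with the xsi prefix bound.
    root = ET.fromstring(f'<root xmlns:xsi="{XSI}">{xml_text}</root>')
    findings = []
    for prov in root.iter("MetadataProvider"):
        name = prov.get("id") or prov.get("url") or prov.get("metadataURL") or "<unnamed>"
        filters = {_filter_type(f): f for f in prov.findall("MetadataFilter")}

        sig = next((filters[t] for t in SIGNATURE_FILTERS if t in filters), None)
        if sig is None:
            findings.append(f"{name}: no signature filter; unsigned metadata would be accepted")
        else:
            if not (sig.get("certificateFile") or sig.get("certificate")):
                findings.append(f"{name}: signature filter names no certificate")
            # Only an explicit opt-out is flagged; the attribute is IdP-only.
            if sig.get("requireSignedRoot", "true").lower() != "true":
                findings.append(f"{name}: requireSignedRoot is disabled")

        vu = next((filters[t] for t in VALIDUNTIL_FILTERS if t in filters), None)
        if vu is None:
            findings.append(f"{name}: no validUntil filter; stale metadata would be accepted")
        elif not vu.get("maxValidityInterval"):
            findings.append(f"{name}: validUntil filter sets no maxValidityInterval")
    return findings


if __name__ == "__main__":
    for label, fragment in (("weak IdP", WEAK_IDP), ("IdP", IDP), ("SP", SP)):
        print(label, audit_providers(fragment) or "OK")
```

To audit a live deployment, read the whole metadata-providers.xml or shibboleth2.xml into audit_providers instead of the embedded fragments; the wrapper root is harmless around a complete document that already declares its namespaces.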