Comment: tune metadata providers

...

titleAll IDPs registered with ACOnet
<MetadataProvider type="XML" url="http://eduid.at/md/aconet-registered.xml"
          validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="144007200">
    <MetadataFilter type="SignatureRequireValidUntil" certificatemaxValidityInterval="aconet-metadata-signing.crt2419200"/>
    <MetadataFilter type="RequireValidUntilSignature" certificate="aconet-metadata-signing.crt" maxValidityIntervalverifyBackup="2419200false"/>
    <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
        <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
    </MetadataFilter>
    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
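Review bot: The new `verifyBackup="false"` on the Signature filter (second MetadataFilter line of this block, and the same line in the three sections below) means, as I read the attribute, that the cached `backingFilePath="aconet-metadata.xml"` is loaded at startup without a signature check, so the integrity of that file then rests entirely on filesystem permissions rather than on the federation signing key. That is a defensible trade-off for startup resilience, but an example that people copy should say so: `<!-- verifyBackup="false": the backup file is loaded without signature verification; keep it readable/writable only by the shibd user -->`. Placing RequireValidUntil ahead of the Signature filter, as the hunk does, is consistent with the usual recommended order and needs no change.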

...

titleAll IDPs registered with ACOnet plus Interfederation IDPs
<MetadataProvider type="XML" url="http://eduid.at/md/aconet-interfed.xml"
          validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="144007200">
    <MetadataFilter type="SignatureRequireValidUntil" certificatemaxValidityInterval="aconet-metadata-signing.crt2419200"/>
    <MetadataFilter type="RequireValidUntilSignature" certificate="aconet-metadata-signing.crt" maxValidityIntervalverifyBackup="2419200false"/>
    <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
        <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
    </MetadataFilter>
    <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
      attributeName="http://macedir.org/entity-category"
      attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>

...

<MetadataProvider type="XML" url="http://eduid.at/md/aconet-registered.xml"
          validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="14400">
    <MetadataFilter type="SignatureRequireValidUntil" certificatemaxValidityInterval="aconet-metadata-signing.crt2419200"/>
    <MetadataFilter type="Signature" certificate="RequireValidUntilaconet-metadata-signing.crt" maxValidityIntervalverifyBackup="2419200false"/>
    <MetadataFilter type="Whitelist">
        <Include>https://weblogin.univie.ac.at/shibboleth</Include>
        <Include>https://weblogin-test.univie.ac.at/shibboleth</Include>
    </MetadataFilter>
</MetadataProvider>

...

<MetadataProvider type="XML" url="http://eduid.at/md/aconet-registered.xml"
          validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="14400">
    <MetadataFilter type="SignatureRequireValidUntil" certificatemaxValidityInterval="aconet-metadata-signing.crt2419200"/>
    <MetadataFilter type="RequireValidUntilSignature" certificate="aconet-metadata-signing.crt" maxValidityIntervalverifyBackup="2419200false"/>
    <MetadataFilter type="Blacklist">
        <Exclude>https://openidp.aco.net/saml</Exclude>
    </MetadataFilter>
</MetadataProvider>

...

Note

Note that a DiscoveryFilter will not prevent use of matching IDPs with the local SP! Its only effect is to filter the output of the Shibboleth SP's "DiscoFeed" JSON resource, which is used by the Shibboleth Embedded Discovery Service (but can, of course, be used by others as well). If you want to prevent the SP from federating with certain IDPs (or groups of IDPs) – as some kind of initial, coarse access control – use a MetadataFilter instead (as in the examples above) and/or properly implement authorization within the protected resource (webserver ACLs, application).