
TODO

Metadata configuration

Service Providers only providing services to subjects associated with ACOnet participants can use this limited Metadata document, which only contains entities registered with ACOnet.

All IDPs registered with ACOnet
<MetadataProvider type="XML" url="http://eduid.at/md/aconet-registered.xml"
          validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="aconet-metadata-signing.crt"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
        <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>

Service Providers not intending to limit their potential audience to subjects from ACOnet participants will want to use the Interfederation-enabled Metadata document, which contains all eduID.at member institutions as well as any SAML entities known via Interfederation agreements (such as eduGAIN).

All IDPs registered with ACOnet plus Interfederation IDPs
<MetadataProvider type="XML" url="http://eduid.at/md/aconet-interfed.xml"
          validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="aconet-metadata-signing.crt"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
        <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>

Metadata filter examples

The Shibboleth SP software has powerful Metadata filtering capabilities which allow restricting the entities known to the SP via SAML metadata to only those matching certain criteria. Below are a couple of examples that are useful in specific situations. For convenience ("copy+paste") these are all self-contained, but the filters can be composed and arranged as specified in the documentation.

Campus-internal SPs (Whitelist)

Many institutions also use Shibboleth and SAML for an internal "campus federation", i.e. with Service Providers not exposed to the eduID.at Federation but only known to the institution's own IDP. (That IDP in turn is usually the only IDP that knows about such SPs.) Still, these SPs need trustworthy and current SAML metadata for the institutional IDP. The easiest and most secure way to achieve that is to point such SPs at the eduID.at federation Metadata and add a metadata whitelist filter, which effectively removes all other IDPs. For example, limiting an SP to the Vienna University SAML IDPs only (production and test instances):

<MetadataProvider type="XML" url="http://eduid.at/md/aconet-registered.xml"
          validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="aconet-metadata-signing.crt"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Whitelist">
        <Include>https://weblogin.univie.ac.at/shibboleth</Include>
        <Include>https://weblogin-test.univie.ac.at/shibboleth</Include>
    </MetadataFilter>
</MetadataProvider>

Of course the key for signature validation needs to be downloaded/configured on these SPs just like on any other (i.e., SPs that are registered with the eduID.at federation).

Prevent all access from OpenIDP (Blacklist)

If deployers of a Service Provider are certain they have no current (or future) use for identities provided by the ACOnet OpenIDP, they can filter it out at the metadata level, preventing any logins from that IDP wholesale:

<MetadataProvider type="XML" url="http://eduid.at/md/aconet-registered.xml"
          validate="true" backingFilePath="aconet-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="aconet-metadata-signing.crt"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
    <MetadataFilter type="Blacklist">
        <Exclude>https://openidp.aco.net/saml</Exclude>
    </MetadataFilter>
</MetadataProvider>
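To see what the filters in the configurations above (EntityRoleWhiteList and RequireValidUntil at the top of the page, Whitelist for campus-internal SPs, Blacklist for the OpenIDP case) actually do to a metadata aggregate before the SP sees it, the following script simulates their semantics on a small constructed aggregate. This is an added example and not code from eduID.at, ACOnet or the Shibboleth project; it uses only the Python standard library. The entity IDs are the ones on this page, while https://sp.example.org/shibboleth, the fixed clock NOW and the validUntil values are constructed. The Signature filter is deliberately not reproduced, since XML signature verification needs an xmlsec implementation and the signing certificate; in a real deployment it must stay in the chain.

```python
"""Simulate Shibboleth SP metadata filters on a constructed SAML aggregate.

Added example (not eduID.at/ACOnet or Shibboleth code): shows which
entities survive RequireValidUntil, EntityRoleWhiteList, Whitelist and
Blacklist filtering, so the effect of a config can be checked offline.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed fixed clock so the example is reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
# Roles retained by the EntityRoleWhiteList filter on this page.
RETAINED = {"IDPSSODescriptor", "AttributeAuthorityDescriptor"}
# maxValidityInterval="2419200" from the page: 28 days in seconds.
MAX_VALIDITY = 2419200


def sample_metadata(valid_until: datetime) -> str:
    """Constructed aggregate: two Vienna University IdPs (production also an
    AttributeAuthority), the OpenIDP, and one SP that an SP never needs."""
    stamp = valid_until.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<md:EntitiesDescriptor xmlns:md="{MD}" validUntil="{stamp}">
  <md:EntityDescriptor entityID="https://weblogin.univie.ac.at/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://weblogin-test.univie.ac.at/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://openidp.aco.net/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def require_valid_until(root, max_validity_seconds, now):
    """RequireValidUntil: reject the aggregate if validUntil is missing or
    lies further in the future than maxValidityInterval allows."""
    stamp = root.get("validUntil")
    if stamp is None:
        raise ValueError("metadata carries no validUntil attribute")
    expires = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires > now + timedelta(seconds=max_validity_seconds):
        raise ValueError("validUntil exceeds maxValidityInterval")
    return expires


def entity_role_whitelist(root, retained_roles):
    """EntityRoleWhiteList: drop every role descriptor not retained, then drop
    entities left without any role (e.g. an entity that was only an SP)."""
    for entity in list(root.findall("md:EntityDescriptor", NS)):
        for child in list(entity):
            local = child.tag.split("}")[1]
            if local.endswith("Descriptor") and local not in retained_roles:
                entity.remove(child)
        if not any(c.tag.split("}")[1].endswith("Descriptor") for c in entity):
            root.remove(entity)
    return root


def whitelist(root, include):
    """Whitelist: keep only the listed entityIDs."""
    for entity in list(root.findall("md:EntityDescriptor", NS)):
        if entity.get("entityID") not in include:
            root.remove(entity)
    return root


def blacklist(root, exclude):
    """Blacklist: remove the listed entityIDs, keep everything else."""
    for entity in list(root.findall("md:EntityDescriptor", NS)):
        if entity.get("entityID") in exclude:
            root.remove(entity)
    return root


def apply_chain(xml_text, filters, now=NOW, max_validity_seconds=MAX_VALIDITY):
    """Parse, enforce validUntil, run the filters in order, return the
    sorted entityIDs that the SP would end up trusting."""
    root = ET.fromstring(xml_text)
    require_valid_until(root, max_validity_seconds, now)
    for f in filters:
        root = f(root)
    return sorted(e.get("entityID") for e in root.findall("md:EntityDescriptor", NS))


FRESH = sample_metadata(NOW + timedelta(days=27))   # within the 28-day limit


def example_role_filter():
    return apply_chain(FRESH, [lambda r: entity_role_whitelist(r, RETAINED)])


def example_campus_whitelist():
    campus = {"https://weblogin.univie.ac.at/shibboleth",
              "https://weblogin-test.univie.ac.at/shibboleth"}
    return apply_chain(FRESH, [lambda r: entity_role_whitelist(r, RETAINED),
                               lambda r: whitelist(r, campus)])


def example_openidp_blacklist():
    return apply_chain(FRESH, [lambda r: blacklist(r, {"https://openidp.aco.net/saml"})])


def example_stale_metadata_rejected():
    """A validUntil 60 days out violates maxValidityInterval and is refused."""
    try:
        apply_chain(sample_metadata(NOW + timedelta(days=60)), [])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("role filter:      ", example_role_filter())
    print("campus whitelist: ", example_campus_whitelist())
    print("openidp blacklist:", example_openidp_blacklist())
    print("60-day validUntil rejected:", example_stale_metadata_rejected())
```

The order of the lambdas mirrors the order of `<MetadataFilter>` elements in the SP configuration, which is how the Shibboleth SP applies them; the RequireValidUntil check runs before any entity filtering in this script because a stale or unbounded aggregate should be refused outright rather than partially trusted.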