Example of a standard metadata for Shibboleth IdP
metadata-providers.xml for Shibboleth IDP 3.2.1 and newer
Ladda även ner md-signer2.crt från https://mds.swamid.se/md/ och spara den som credentials/md/md-signer2.crt – exakt den sökväg som certificateFile pekar på i konfigurationen nedan (filnamnet måste stämma, annars kan inga SP-metadata laddas). Verifiera certifikatets fingeravtryck mot det värde SWAMID publicerar via en annan kanal innan du tar det i bruk: det är detta certifikat som hela tilliten till federationens metadata vilar på.
Filen är gjord för Linux. Kör du Windows skall backingFile ändras på alla ställen från /opt/shibboleth-idp/metadata
till C:\Program Files (x86)\Shibboleth\Idp\metadata, eller så använder du %{idp.home}/metadata som fungerar på båda plattformarna.
.
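<?xml version="1.0" encoding="UTF-8"?>
<!-- This file is an EXAMPLE metadata configuration file (metadata-providers.xml, Shibboleth IdP 3.2.1+). -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
                  xmlns="urn:mace:shibboleth:2.0:metadata"
                  xmlns:resource="urn:mace:shibboleth:2.0:resource"
                  xmlns:security="urn:mace:shibboleth:2.0:security"
                  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
                                      urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
                                      urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
                                      urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">

    <!-- ========================================================================================== -->
    <!-- Metadata Configuration                                                                     -->
    <!--                                                                                            -->
    <!-- Below you place the mechanisms which define how to load the metadata for the SPs you will  -->
    <!-- provide a service to. Every entity loaded here is trusted as a relying party, so each      -->
    <!-- provider that fetches over the network MUST carry a SignatureValidation filter whose       -->
    <!-- certificate was verified out of band; the transport (HTTP or HTTPS) is never the trust     -->
    <!-- anchor for SAML metadata, the signature is.                                                -->
    <!--                                                                                            -->
    <!-- Two examples are provided. The Shibboleth Documentation at                                 -->
    <!-- https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                 -->
    <!-- provides more details.                                                                     -->
    <!--                                                                                            -->
    <!-- NOTE. This file SHOULD NOT contain the metadata for this IdP.                              -->
    <!--                                                                                            -->
    <!-- ========================================================================================== -->

    <!--
        Example HTTP metadata provider. Use this if you want to download the metadata from a
        remote service. You *MUST* provide the SignatureValidationFilter in order to function
        securely. Get the public key, and validate it via some out of band mechanism, from the
        party publishing the metadata. requireSignedRoot="true" makes an unsigned document a hard
        failure instead of being silently accepted. The EntityRoleWhiteList saves memory by only
        loading metadata from entity types that you will interoperate with.

    <MetadataProvider id="HTTPMetadata" xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
                      metadataURL="http://WHATEVER">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
            <PublicKey>
                THIS IS AN EXAMPLE
                MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxg0TyQAP/tIvOH89EtaX
                uRRn8SYzTj7W1TbNY4VvBmobjkRmSkki4hH9x4sQpi635wn6WtXTN/FNNmkTK3N/
                LspmBWxfZS+n+cc7I82E5yvCAPX67QsZgqgglp2W5dvK/FsMMCS6X6SVqzBLMP88
                NenXKxY+HMxMs0sT0UKYh1cAEqadrHRBO65aDBcm5a0sBVYt9K6pgaOHrp/zSIbh
                nR5tFFLjBbtFktDpHL3AdGBH3OYidNGKBO3tJ3Ms7LeKXsM0+0Y4P+9fHZINL2X3
                E2N6GVnKs5PZTg9sP0FtIpAbYm/+zCx7Yj1ET/Er8mDd6tNVGSQsn9s5xUBwGqn1
                4wIDAQAB
            </PublicKey>
        </MetadataFilter>
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
    -->

    <!--
        Example file metadata provider. Use this if you want to load metadata from a local file.
        You might use this if you have some local SPs which are not "federated" but you wish to
        offer a service to. If you do not provide a SignatureValidation filter then you *have* to
        know that the file is valid, and that only trusted administrators can write to it.

    <MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
    -->

    <!--
        SWAMID SP metadata (the transitive aggregate). Trust in this feed rests entirely on the
        SignatureValidation filter: md-signer2.crt is fetched once, its fingerprint is checked out
        of band against the value SWAMID publishes, and requireSignedRoot="true" rejects any
        document that is not signed by it. HTTPS on metadataURL is defence in depth only.

        RequiredValidUntil makes the IdP refuse an aggregate whose validUntil is missing or lies
        more than maxValidityInterval in the future. Without it, an old but correctly signed
        aggregate (e.g. one still listing an SP that has since been removed) could be replayed to
        the IdP indefinitely. The interval must not be shorter than the validity window SWAMID
        stamps into validUntil; if metadata stops loading after enabling it, lengthen the interval
        rather than removing the filter.

        backingFile uses %{idp.home} (like certificateFile) so the same file works on Linux and
        Windows installations without editing the path.
    -->
    <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider"
                      metadataURL="https://mds.swamid.se/md/swamid-sp-transitive.xml"
                      backingFile="%{idp.home}/metadata/swamid-sp-transitive.xml">
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                        certificateFile="%{idp.home}/credentials/md/md-signer2.crt"/>
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>

    <!--
        Uncomment if you want to test this IdP with TestShib.
        WARNING: this provider has no SignatureValidation filter and fetches over plain HTTP, so
        anything served at (or injected on the path to) that URL is accepted as a trusted SP.
        Comment it back out before going to production; your IdP should not trust this beyond
        testing.

    <MetadataProvider id="URLMD-TestShib" xsi:type="FileBackedHTTPMetadataProvider"
                      metadataURL="http://testshib.org/metadata/testshib-providers.xml"
                      backingFile="%{idp.home}/metadata/testshib-providers.xml">
    </MetadataProvider>
    -->

</MetadataProvider>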