| Info |
|---|
Konfigurationerna under denna sida fungerar endast för Shibboleth 3 eller senare. För simpleSAMLphp och ADFS kan konfigurationsexemplen endast användas som inspiration. |
relying-party.xml
...
| Code Block |
|---|
|
/opt/shibboleth-idp/credentials/md-signer.crt
|
| Code Block |
|---|
|
C:/Program Files (x86)/Shibboleth/IdP/metadatacredentials/md-signer.crt
|
Definera att det nedladdade certifikatet ska användas för kontroll av signatur av Swamids metadata:
| Code Block |
|---|
|
<!-- SWAMID-METADATA-Trustengine and SWAMID-TESTING-METADATA-Trustengine -->
<security:TrustEngine id="swamid-metadata-signer" xsi:type="security:StaticExplicitKeySignature">
<security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
<security:Certificate>/opt/shibboleth-idp/credentials/md-signer.crt</security:Certificate>
</security:Credential>
</security:TrustEngine>
|
...
...
Stoppa in följande block XML på relevant plats i metadata-providers.xml.
...
Hämta metadata för SWAMID 2.0 med följande konfiguration:
| Code Block |
|---|
|
<!-- SWAMID 2.0 METADATA PROVIDER -->
<MetadataProvider id="Swamid2MD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://md.swamid.se/md/swamid-2.0.xml"
backingFile="/opt/shibboleth-idp%{idp.home}/metadata/swamid-2.0.xml">
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="swamid-metadata-signer"
requireSignedMetadata="true" />
</MetadataFilter>
</MetadataProvider>
|
| Code Block |
|---|
|
<!-- SWAMID 2.0 METADATA PROVIDER -->
<MetadataProvider id="Swamid2MD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://md.swamid.se/md/swamid-2.0.xml"
backingFile="C:/Program Files (x86)/Internet2/Shib2Idp/metadata/swamid-2.0.xml">
certificateFile="%{idp.home}/credentials/md-signer.crt" />
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadataEntityRoleWhiteList">
<MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="swamid-metadata-signer"
requireSignedMetadata="true" />
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
|
Vid behov så kan även Ni behöver även hämta metadata för SWAMIDs testfederation läggas till för att tillåta realistiska tester för ej driftsatta tjänsteleverantörer (SP):
| Code Block |
|---|
|
<!-- SWAMID TEST METADATA PROVIDER -->
<MetadataProvider id="SwamidTestMDSwamid2MD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://md.swamid.se/md/swamid-testing-1.0.xml"
backingFile="/opt/shibboleth-idp%{idp.home}/metadata/swamid-testing-1.0.xml">
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="swamid-metadata-signer"
requireSignedMetadata="true" />
</MetadataFilter>
</MetadataProvider>
|
| Code Block |
|---|
|
<!-- SWAMID TEST METADATA PROVIDER -->
<MetadataProvider id="SwamidTestMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataURL="http://md.swamid.se/md/swamid-testing-1.0.xml"
backingFile="C:/Program Files (x86)/Internet2/Shib2Idp/metadata/swamid-testing-1.0.xml">
certificateFile="%{idp.home}/credentials/md-signer.crt" />
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
<MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
trustEngineRef="swamid-metadata-signer"
requireSignedMetadata="true" />
EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>
|