Differences

This shows you the differences between two versions of the page.

en:production [2017/08/30 17:03] Raoul Gunnar Borenius
en:production [2021/12/29 14:20] – [SP Example] Wolfgang Pempe
Line 26: Line 26:
 ^ Advanced          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-metadata.xml''             | ^ Advanced          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-metadata.xml''             |
 ^ Basic             | ''dfn-aai-sp-metadata.xml''         | --                                   | ^ Basic             | ''dfn-aai-sp-metadata.xml''         | --                                   |
-^ Advanced + Basic  | --                                  | ''dfn-aai-basic-metadata.xml''       |+^ Advanced + Basic  | --                                  | ''dfn-aai-idp-metadata.xml''       |
 ^ eduGAIN           | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' | ^ eduGAIN           | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' |
 ^ Local Metadata    | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml'' | ^ Local Metadata    | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml'' |
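Review bot: The renamed IdP metadata file in the Advanced + Basic row (dfn-aai-basic-metadata.xml to dfn-aai-idp-metadata.xml) must be applied consistently wherever the old name is referenced; the SP Example hunk at Line 78 does switch its uri and backingFilePath to dfn-aai-idp-metadata.xml, but check the rest of the page for remaining references to dfn-aai-basic-metadata.xml. It would also help to state whether the old URL stays available, since an SP still pointing at it will keep serving its backing-file copy and only log refresh failures once the old file is withdrawn.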
Line 32: Line 32:
  
 ==== IdP Example ==== ==== IdP Example ====
-**DFN-AAI:** Cf. [[de:shibidp3config-metadata|Federation Metadata]].+**For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** 
 + 
 +**DFN-AAI:** Cf. [[de:shibidp:config-metadata|Federation Metadata]] (de).
  
 For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**: For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**:
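Review bot: The corrected link target de:shibidp:config-metadata is now marked (de), which is helpful on the English page, but the new bold sentence pointing to [[en:metadata|the Metadata documentation]] is added verbatim again in the SP Example section; consider placing that pointer once in a shared place, or at least keep both copies identical so the metadata URLs and certificate reference do not drift apart.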
Line 56: Line 58:
                   maxRefreshDelay="PT2H">                   maxRefreshDelay="PT2H">
             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>+                  certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
     </MetadataProvider>     </MetadataProvider>
          
Line 66: Line 68:
                   maxRefreshDelay="PT2H">                   maxRefreshDelay="PT2H">
             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>+                  certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
     </MetadataProvider>     </MetadataProvider>
  
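Review bot: Same certificateFile change as in the first MetadataProvider block of the IdP example; both blocks now depend on the single file /etc/ssl/aai/dfn-aai.pem, so a missing or wrong file breaks both metadata feeds at the same time. The operator should have the new certificate in place and verified before either block is edited.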
Line 73: Line 75:
  
 ==== SP Example ==== ==== SP Example ====
 +**For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].**
  
 Communication with all productive IdPs in DFN-AAI (Degree of Reliance "Adavanced" and "Basic") as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]): Communication with all productive IdPs in DFN-AAI (Degree of Reliance "Adavanced" and "Basic") as well as all IdPs from eduGAIN - except "Self-Signup" IdPs (cf. also [[de:entity_attributes|Entity Attributes]]):
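Review bot: The unchanged context line still spells "Adavanced" on both sides; since this hunk already touches the section, fix the typo to "Advanced" so it matches the Degree of Reliance names in the table at Line 26. The added bold sentence is the same one added to the IdP Example, so keeping both copies identical (or linking once) would avoid two pointers to the Metadata documentation drifting apart.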
Line 78: Line 81:
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <MetadataProvider type="XML"  <MetadataProvider type="XML" 
-      uri="https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml" +      uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml" 
-      backingFilePath="dfn-aai-basic-metadata.xml" reloadInterval="3600"> +      backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> 
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" />+   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
    <MetadataFilter type="EntityRoleWhiteList">    <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
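Review bot: The uri scheme is downgraded from https:// to http:// with no explanation. Because the Signature filter with /etc/ssl/aai/dfn-aai.pem makes the XML signature the trust anchor, integrity of the feed does not depend on TLS, but the plain-HTTP fetch gives up transport protection and makes the Signature filter the only defence: an SP that copies the MetadataProvider element without the filter line would load an unverified document. Either keep https:// (no cost if the server supports it) or add a sentence stating that the Signature filter is mandatory and why http:// is acceptable here. The certificate path change to dfn-aai.pem needs the same "install and verify the new certificate first" note as the IdP example.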
Line 87: Line 90:
  
 <MetadataProvider type="XML"  <MetadataProvider type="XML" 
-      uri="https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml"+      uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml"
       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" />+   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
    <MetadataFilter type="Blacklist" matcher="EntityAttributes">    <MetadataFilter type="Blacklist" matcher="EntityAttributes">
        <saml:Attribute Name="http://macedir.org/entity-category"         <saml:Attribute Name="http://macedir.org/entity-category" 
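Review bot: Same https:// to http:// downgrade as in the first SP provider block; the eduGAIN feed is then protected only by the Signature filter on the next line, so either keep https:// or state explicitly that the signature check is the trust anchor. The Blacklist filter that follows relies on entity attributes carried in that same signed document, so the correctness of the new certificate path on the Signature line is what keeps both the feed and the entity-category exclusion trustworthy.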
Line 106: Line 109:
 ==== Embedded Discovery Service ==== ==== Embedded Discovery Service ====
  
-** We recommend to implement an [[de:shibeds|Embedded Discovery Service]] on the sp because it's much more straight forward to use for the end user then our central service!**+In case an SP is only available for a couple of Home Organizations, we recommend to implement an [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] that filters and lists only those IdPs that are relevant for the service/SP.
  
 ==== Central Discovery Service ==== ==== Central Discovery Service ====
  
-In case no SP-specific and/or [[de:shibeds|Embedded Discovery Service]] can be implemented, we provide a centralized+In case no SP-specific and/or [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] can be implemented, we provide a centralized
 discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]). discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]).
  
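Review bot: Grammar in the new sentence: "we recommend to implement" should be "we recommend implementing", and "a couple of Home Organizations" is vague; "only a few Home Organizations" or a concrete condition would read better. The rewrite also drops the reason given in the old version (easier for the end user); a short clause on why a filtered IdP list helps users would make the recommendation stronger. In the unchanged context line, "fall-back" and "Entity ID" would be more consistent as "fallback" and "entityID" (the spelling used in Shibboleth configuration), though that is outside this hunk's changed lines.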
Line 143: Line 146:
 </SSO> </SSO>
 </file> </file>
 +
 +{{tag>idp4 tutorial discovery produktivbetrieb metadata}}
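Review bot: The new tag line mixes German and English tags ("produktivbetrieb" next to "tutorial", "discovery", "metadata") on an en: page; if this is deliberate so the page appears in a cross-namespace tag listing, a short note would help, otherwise an English equivalent would keep the en: tag index consistent.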