Differences

en:production [2019/05/16 12:57] Wolfgang Pempe -> en:production [2022/05/02 14:04] Wolfgang Pempe
Line 17: Line 17:
 **NB:** As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to [[en:metadata|Metadata]]. **NB:** As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to [[en:metadata|Metadata]].
  
-**SP Operators** decide which [[en:degrees_of_reliance|Degree of Reliance]] they require for accessing the protected resources. The audience can be restricted to IdPs of the Degree of Reliance "Advanced" by chosing ''dfn-aai-metadata.xml''. The metadata file ''dfn-aai-basic-metadata.xml'' comprises *all* productive IdPs in DFN-AAI, both "Basic" and "Advanced".+**SP Operators** include the metadata file that comprises all IdPs registered with the DFN-AAI production environment.
  
 **IdP Operators** include the metadata file that comprises all SPs registered with the DFN-AAI production environment. **IdP Operators** include the metadata file that comprises all SPs registered with the DFN-AAI production environment.
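Review bot: the unchanged **NB** sentence at the top of this hunk still says the examples below refer to the certificate hierarchy of the DFN-PKI second generation, but every example changed later in this revision moves the trust anchor from ''/etc/ssl/aai/dfn-aai.g2.pem'' to ''/etc/ssl/aai/dfn-aai.pem''. Update the NB so it describes the certificate the new examples actually point at (or say explicitly that the .g2 file is no longer the one to use); otherwise an operator following the NB validates the metadata signature against a trust anchor the page no longer configures.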
Line 24: Line 24:
  
 |                   ^ IdP / AA                            ^ SP                                   ^ |                   ^ IdP / AA                            ^ SP                                   ^
-Advanced          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-metadata.xml''             +DFN-AAI          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-idp-metadata.xml''             |
-^ Basic             | ''dfn-aai-sp-metadata.xml''         | --                                   | +
-^ Advanced + Basic  | --                                  | ''dfn-aai-basic-metadata.xml''       |+
 ^ eduGAIN           | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' | ^ eduGAIN           | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' |
 ^ Local Metadata    | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml'' | ^ Local Metadata    | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml'' |
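Review bot: the new first data row reads `+DFN-AAI          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-idp-metadata.xml''             |` without the leading `^` header-cell marker that the `^ eduGAIN` and `^ Local Metadata` rows carry; check the stored wiki source, because if the `^` is really missing the row label renders as an ordinary cell and the table looks inconsistent after the two Basic rows are gone.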
Line 34: Line 32:
 **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].** **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].**
  
-**DFN-AAI:** Cf. [[de:shibidp3config-metadata|Federation Metadata]].+**DFN-AAI:** Cf. [[de:shibidp:config-metadata|Federation Metadata]] (de).
  
 For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**: For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**:
Line 55: Line 53:
                   xsi:type="FileBackedHTTPMetadataProvider"                   xsi:type="FileBackedHTTPMetadataProvider"
                   backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml"                   backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml"
-                  metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-sp-metadata.xml"+                  metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml"
                   maxRefreshDelay="PT2H">                   maxRefreshDelay="PT2H">
             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>+                  certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
     </MetadataProvider>     </MetadataProvider>
          
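Review bot: only the path of metadataURL and the certificateFile change here, while the URL stays on plain http://. That is acceptable because the SignatureValidation filter with requireSignedRoot="true" is what anchors trust in the feed, not the transport, but the text should say so, and it should warn that ''/etc/ssl/aai/dfn-aai.pem'' has to be installed before this change is rolled out: a missing or wrong trust anchor makes the provider reject the entire feed rather than fall back to the old certificate. Switching the URL to https:// would still be a cheap defence-in-depth that keeps the fetch itself from being tampered with before validation.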
Line 65: Line 63:
                   xsi:type="FileBackedHTTPMetadataProvider"                   xsi:type="FileBackedHTTPMetadataProvider"
                   backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml"                   backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml"
-                  metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+sp-metadata.xml"+                  metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-edugain+sp-metadata.xml"
                   maxRefreshDelay="PT2H">                   maxRefreshDelay="PT2H">
             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>+                  certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
     </MetadataProvider>     </MetadataProvider>
  
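Review bot: same change as for the DFN-AAI provider above, so both providers now share the single trust anchor ''/etc/ssl/aai/dfn-aai.pem''; a botched rollover of that one file takes both the DFN-AAI and the eduGAIN feed down at once. Worth a sentence stating that the file is common to both providers and must be replaced in one step.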
Line 81: Line 79:
 <file xml /etc/shibboleth/shibboleth2.xml> <file xml /etc/shibboleth/shibboleth2.xml>
 <MetadataProvider type="XML"  <MetadataProvider type="XML" 
-      uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml" +      uri="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml" 
-      backingFilePath="dfn-aai-basic-metadata.xml" reloadInterval="3600"> +      backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> 
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" /+   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
-   <MetadataFilter type="EntityRoleWhiteList"> +
-       <RetainedRole>md:IDPSSODescriptor</RetainedRole> +
-    </MetadataFilter>+
 </MetadataProvider> </MetadataProvider>
  
 <MetadataProvider type="XML"  <MetadataProvider type="XML" 
-      uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml"+      uri="http://www.aai.dfn.de/metadata/dfn-aai-edugain+idp-metadata.xml"
       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" />+   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
    <MetadataFilter type="Blacklist" matcher="EntityAttributes">    <MetadataFilter type="Blacklist" matcher="EntityAttributes">
        <saml:Attribute Name="http://macedir.org/entity-category"         <saml:Attribute Name="http://macedir.org/entity-category" 
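Review bot: dropping the EntityRoleWhiteList filter (RetainedRole md:IDPSSODescriptor) removes a cheap defence-in-depth. With it gone, every entity that appears in ''dfn-aai-idp-metadata.xml'' is loaded whatever role it carries, so the SP now relies entirely on the federation keeping that feed IdP-only. Unless the page can state that guarantee, keep the three filter lines alongside the new Signature filter.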
Line 99: Line 94:
        </saml:Attribute>        </saml:Attribute>
    </MetadataFilter>    </MetadataFilter>
-   <MetadataFilter type="EntityRoleWhiteList"> 
-       <RetainedRole>md:IDPSSODescriptor</RetainedRole> 
-    </MetadataFilter> 
 </MetadataProvider> </MetadataProvider>
 </file> </file>
 +
 +The following example shows how to restrict the metadata import to IdPs that conform to the requirements of the Degree of Reliance 'Advanced':
 +
 +<file xml /etc/shibboleth/shibboleth2.xml>
 +<MetadataProvider type="XML" validate="true"
 +      url="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml"
 +      backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600">
 +   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
 +   <MetadataFilter type="Include" matcher="EntityAttributes">
 +      <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 +           <saml:AttributeValue>advanced</saml:AttributeValue>
 +      </saml:Attribute>
 +   </MetadataFilter>
 +</MetadataProvider>
 +
 +</file>
 +
  
 ===== Discovery Service ===== ===== Discovery Service =====
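Review bot: the new provider uses `url="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml"` while the two providers above still use `uri=`, and its filter uses the type name Include while the eduGAIN block directly above keeps Blacklist; settle on one naming generation so a reader does not copy a mix. The lead-in says the example restricts the import to IdPs of Degree of Reliance 'Advanced', but the only role restriction on the page was the EntityRoleWhiteList filter removed in this same hunk, so the Include filter admits any entity in the feed that carries the advanced value of http://aai.dfn.de/loa/degree-of-reliance regardless of role; either state that the feed is IdP-only or keep the role filter in this example. Since the link to [[en:degrees_of_reliance|Degree of Reliance]] was removed from the SP Operators paragraph, link 'Advanced' here instead, and drop the stray blank line before `</file>`.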
Line 109: Line 118:
 ==== Embedded Discovery Service ==== ==== Embedded Discovery Service ====
  
-In case an SP is only available for a couple of Home Organizations, we recommend to implement an [[de:shibeds|Embedded Discovery Service]] that filters and lists only those IdPs that are relevant for the service/SP.+In case an SP is only available for a couple of Home Organizations, we recommend to implement an [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] that filters and lists only those IdPs that are relevant for the service/SP.
  
 ==== Central Discovery Service ==== ==== Central Discovery Service ====
  
-In case no SP-specific and/or [[de:shibeds|Embedded Discovery Service]] can be implemented, we provide a centralized+In case no SP-specific and/or [[de:shibsp#shibboleth_eds_embedded_discovery_service|Embedded Discovery Service]] can be implemented, we provide a centralized
 discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]). discovery service as a fall-back. An **SP** can choose between several central discovery URLs in accordance with its MetadataProvider configuration (see above). So-called "Local SPs" that are intended for internal use only (e.g. campus management), should refer to the Entity ID of the IdP of the Home Organization (see also [[de:metadata_local|Local Metadata]]).
  
Line 146: Line 155:
 </SSO> </SSO>
 </file> </file>
 +
 +{{tag>idp4 tutorial discovery produktivbetrieb metadata}}