Differences

This shows you the differences between two versions of the page.

--- en:production [2020/04/08 08:38] – [Central Discovery Service] Wolfgang Pempe
+++ en:production [2023/01/09 14:22] – tags Silke Meyer
@@ Line 7: / Line 7: @@
 ===== 1. Metadata Administration Tool =====
-Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set that is considered to fit best the needs for productive operations (cf. [[en:degrees_of_reliance|Degrees of Reliance]]). The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the entity will be unlocked.
+Using the Metadata Admin Tool (entity edit view, section "Federations"), the respective entity has to be added to the federation / metadata set that is considered to fit best the needs for productive operations (cf. [[en:degrees_of_reliance|Degrees of Reliance]]). The system will check whether the metadata of this entity meet all requirements of the production environment (especially the registered certificate[s]) - and whether the account is linked with a contract. If the checks are positive, the button will be unlocked. The metadata entry in question is then reviewed by the DFN-AAI team.
+{{:en:metadata_admin_tool:mdv-produktiv-pending-neuemdv-en.png?600|}}
 ===== 2. Configuration Changes =====
@@ Line 17: / Line 18: @@
 **NB:** As for the certificate used for metadata signature validation, the examples below refer to the hierarchy of the DFN-PKI second generation. Please refer to [[en:metadata|Metadata]].
-**SP Operators** decide which [[en:degrees_of_reliance|Degree of Reliance]] they require for accessing the protected resources. The audience can be restricted to IdPs of the Degree of Reliance "Advanced" by chosing ''dfn-aai-metadata.xml''. The metadata file ''dfn-aai-basic-metadata.xml'' comprises *all* productive IdPs in DFN-AAI, both "Basic" and "Advanced".
+**SP Operators** include the metadata file that comprises all IdPs registered with the DFN-AAI production environment.
 **IdP Operators** include the metadata file that comprises all SPs registered with the DFN-AAI production environment.
@@ Line 24: / Line 25: @@
 |                   ^ IdP / AA                            ^ SP                                   ^
-^ Advanced          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-metadata.xml''             |
+^ DFN-AAI          | ''dfn-aai-sp-metadata.xml''         | ''dfn-aai-idp-metadata.xml''             |
-^ Basic             | ''dfn-aai-sp-metadata.xml''         | --                                   |
-^ Advanced + Basic  | --                                  | ''dfn-aai-basic-metadata.xml''       |
 ^ eduGAIN           | ''dfn-aai-edugain+sp-metadata.xml'' | ''dfn-aai-edugain+idp-metadata.xml'' |
 ^ Local Metadata    | ''dfn-aai-local-999-metadata.xml''* | ''dfn-aai-local-999-metadata.xml''*  |
@@ Line 34: / Line 33: @@
 **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].**
-**DFN-AAI:** Cf. [[de:shibidp3config-metadata|Federation Metadata]].
+**DFN-AAI:** Cf. [[de:shibidp:config-metadata|Federation Metadata]] (de).
 For participation in **eduGAIN**, the entity must consume a separate metadata set **in addition to the DFN-AAI federation metadata**:
@@ Line 55: / Line 54: @@
                   xsi:type="FileBackedHTTPMetadataProvider"
                   backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml"
-                  metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-sp-metadata.xml"
+                  metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml"
                   maxRefreshDelay="PT2H">
             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>
+                  certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
     </MetadataProvider>
@@ Line 65: / Line 64: @@
                   xsi:type="FileBackedHTTPMetadataProvider"
                   backingFile="%{idp.home}/metadata/dfn-aai-edugain+sp-metadata.xml"
-                  metadataURL="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+sp-metadata.xml"
+                  metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-edugain+sp-metadata.xml"
                   maxRefreshDelay="PT2H">
             <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
-                  certificateFile="/etc/ssl/aai/dfn-aai.g2.pem"/>
+                  certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
     </MetadataProvider>
@@ Line 75: / Line 74: @@
 ==== SP Example ====
+<callout type="danger" title="Important note: Make sure that redirectLimit is set to the value 'host' or 'exact'!">
+Please make sure that in **''shibboleth2.xml''** in all **''<Sessions>''** elements the XML attribute **''redirectLimit''**
+  - is set and
+  - has the value **''host''** or **''exact''**! (if necessary in combination with ''allow'')
+This measure prevents the possible open redirect misuse of the SP e.g. in the context of a phishing attack, cf. https://shibboleth.atlassian.net/browse/SSPCPP-714.
+For more information on the configuration parameters of the ''<Sessions>'' element see the [[https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334342/Sessions|Shibboleth Wiki]].
+</callout>
 **For metadata URLs and the certificate for signature validation please refer to [[en:metadata|the Metadata documentation]].**
@@ Line 81: / Line 89: @@
 <file xml /etc/shibboleth/shibboleth2.xml>
 <MetadataProvider type="XML"
-      uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-basic-metadata.xml"
+      uri="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml"
-      backingFilePath="dfn-aai-basic-metadata.xml" reloadInterval="3600">
+      backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600">
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" />
+   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
-   <MetadataFilter type="EntityRoleWhiteList">
-       <RetainedRole>md:IDPSSODescriptor</RetainedRole>
-    </MetadataFilter>
 </MetadataProvider>
 <MetadataProvider type="XML"
-      uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml"
+      uri="http://www.aai.dfn.de/metadata/dfn-aai-edugain+idp-metadata.xml"
       backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">
-   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.g2.pem" />
+   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
    <MetadataFilter type="Blacklist" matcher="EntityAttributes">
        <saml:Attribute Name="http://macedir.org/entity-category"
@@ Line 99: / Line 104: @@
        </saml:Attribute>
    </MetadataFilter>
-   <MetadataFilter type="EntityRoleWhiteList">
-       <RetainedRole>md:IDPSSODescriptor</RetainedRole>
-    </MetadataFilter>
 </MetadataProvider>
 </file>
+The following example shows how to restrict the metadata import to IdPs that conform to the requirements of the Degree of Reliance 'Advanced':
+<file xml /etc/shibboleth/shibboleth2.xml>
+<MetadataProvider type="XML" validate="true"
+      url="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml"
+      backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600">
+   <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
+   <MetadataFilter type="Include" matcher="EntityAttributes">
+      <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+           <saml:AttributeValue>advanced</saml:AttributeValue>
+      </saml:Attribute>
+   </MetadataFilter>
+</MetadataProvider>
+</file>
 ===== Discovery Service =====
@@ Line 146: / Line 165: @@
 </SSO>
 </file>
+{{tag>idp4 tutorial discovery production metadata wayf}}

idp4 tutorial discovery production metadata wayf