Skip to content

Shibboleth IdP/SP Configuration

Shibboleth IdP v.3.1+

1. Retrieve the Federation certificate

Retrieve the Federation Certificate used to verify signed metadata:

wget https://mdx.idem.garr.it/idem-mdx-service-crt.pem -O /opt/shibboleth-idp/credentials/idem-mdx-service-crt.pem

2. Check the certificate validity

  • SHA1:

    openssl x509 -in /opt/shibboleth-idp/credentials/idem-mdx-service-crt.pem -fingerprint -sha1 -noout

    will give:

    (sha1: 46:FC:EB:7B:D0:67:46:EA:0C:B1:B2:61:4C:DC:37:DA:BD:B4:8A:95)

  • MD5:

    openssl x509 -in /opt/shibboleth-idp/credentials/idem-mdx-service-crt.pem -fingerprint -md5 -noout

    will give:

    (md5: 5D:19:CC:AA:1E:63:E9:50:9D:C7:BE:99:60:0F:1F:96)

3. Metadata providers configuration

Edit metadata-providers.xml opportunely:

vim /opt/shibboleth-idp/conf/metadata-providers.xml

by adding before the last </MetadataProvider> this piece of code, commenting/uncommenting the <MetadataQueryProtocol> value depending on the Metadata flow used:

<!-- MDX Service -->

<MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider"
            connectionRequestTimeout="PT2S"
            connectionTimeout="PT2S"
            socketTimeout="PT4S"
            refreshDelayFactor="0.025"
            maxCacheDuration="PT48H">
    <!--
    Verify the signature on the root element of the metadata
    using a trusted metadata signing certificate.
    -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" 
                certificateFile="%{idp.home}/credentials/idem-mdx-service-crt.pem"/>

    <!--
    Require a validUntil XML attribute on the root element and
    make sure its value is no more than 3 days into the future.
    -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P3D"/>

    <!-- Base URL for MDQ -->
    <!-- IDEM Production Federation -->
    <!-- <MetadataQueryProtocol>https://mdx.idem.garr.it/idem/</MetadataQueryProtocol> -->

    <!-- IDEM Test Federation -->
    <MetadataQueryProtocol>https://mdx.idem.garr.it/idem-test/</MetadataQueryProtocol>

    <!-- eduGAIN -->
    <!-- <MetadataQueryProtocol>https://mdx.idem.garr.it/edugain/</MetadataQueryProtocol> -->
</MetadataProvider>

4. Reload service

Reload the service shibboleth.MetadataResolverService to retrieve the Metadata:

bash /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.MetadataResolverService

Shibboleth SP v3

1. Retrieve the Federation certificate

Retrieve the Federation Certificate used to verify signed metadata:

wget https://mdx.idem.garr.it/idem-mdx-service-crt.pem -O /opt/shibboleth-idp/credentials/idem-mdx-service-crt.pem

2. Check the certificate validity

  • SHA1:

    openssl x509 -in /opt/shibboleth-idp/credentials/idem-mdx-service-crt.pem -fingerprint -sha1 -noout

    will give:

    (sha1: 46:FC:EB:7B:D0:67:46:EA:0C:B1:B2:61:4C:DC:37:DA:BD:B4:8A:95)

  • MD5:

    openssl x509 -in /opt/shibboleth-idp/credentials/idem-mdx-service-crt.pem -fingerprint -md5 -noout

    will give:

    (md5: 5D:19:CC:AA:1E:63:E9:50:9D:C7:BE:99:60:0F:1F:96)

3. Configure shibboleth2.xml

Edit shibboleth2.xml opportunely:

vim /etc/shibboleth/shibboleth2.xml

by adding before the last </MetadataProvider> this piece of code:

<!-- MDX Service -->

<MetadataProvider type="MDQ" id="mdx" cacheDirectory="mdq-cache"
        baseUrl="https://mdx.idem.garr.it/idem-test/"            
        maxCacheDuration="172800" refreshDelayFactor="0.025" ignoreTransport="true">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="259200"/>
    <MetadataFilter type="Signature" certificate="idem-mdx-service-crt.pem"/>
</MetadataProvider>

and changing the baseUrl value depending on the Metadata flow used:

  • IDEM Test Federation: https://mdx.idem.garr.it/idem-test/
  • IDEM Production Federation: https://mdx.idem.garr.it/idem/
  • eduGAIN: https://mdx.idem.garr.it/edugain/

4. Restart service

Restart shibd daemon:

sudo systemctl restart shibd