Note: The MDQ beta service retired May 1, 2019. It is replaced with a "preview" (pre-production) MDQ service. The production MDQ service went live July 9, 2019.
References
https://spaces.at.internet2.edu/display/MDQ/The+Guide
https://spaces.at.internet2.edu/display/MDQ/MDQProduction+Signing+Key
https://spaces.at.internet2.edu/display/MDQ/Per-Entity+Metadata+Service+Documentation
https://spaces.at.internet2.edu/display/perentity/MDQ+Client+Software
https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home

Caution: The state of MDQ server behavior is in flux. Downloading metadata from the URL below (step 2) using a browser may not provide usable results; check that the download is XML and not HTML. Also note InCommon's statement that this technology preview signing certificate could change with little notice.
Procedure
1. Download a copy of the InCommon Metadata Query Protocol (MDQ) signing certificate (inc-md-cert-mdq.pem) and verify its fingerprint.

    curl -O http://md.incommon.org/certs/inc-md-cert-mdq.pem
    openssl x509 -sha1 -noout -fingerprint -in inc-md-cert-mdq.pem
    SHA1 Fingerprint=CFF8:A84E:7AF8:5747:00EF:6EBB:05EE:0947:CD86:6332:A1DB:4994:1B17:4B8A:F831:46A6:9894:DD73:3A19:3836
2. Fetch the UC Davis IdP metadata (SAML entity ID urn:mace:incommon:ucdavis.edu).

    curl --silent --output ucdavis-metadata.xml \
        http://mdq-preview.incommon.org/entities/urn%3Amace%3Aincommon%3Aucdavis.edu
3. Validate the XML signature. Note: several other ways to verify the digital signature on an XML document exist as well; cf. a Google search.

    xmlsectool --verifySignature --inFile ucdavis-metadata.xml --certificate inc-md-cert-mdq.pem
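The three steps above as a scripted check, added here as an example and not taken from the InCommon wiki: it builds the per-entity MDQ URL by percent-encoding the entityID, compares the certificate fingerprint against an expected value, rejects an HTML page masquerading as metadata (the caution above), and only then runs xmlsectool. The function names and the EXPECTED_FP placeholder are assumptions; the URLs and file names are the ones from the procedure.

```bash
#!/usr/bin/env bash
# Added example for the MDQ procedure; the offline helpers are plain
# functions, the network-dependent end-to-end run is mdq_verify_entity.

MDQ_BASE="http://mdq-preview.incommon.org/entities"   # preview endpoint used above
EXPECTED_FP="PLACEHOLDER"   # paste the fingerprint InCommon publishes for the MDQ cert

# Per-entity MDQ URL: the entityID is percent-encoded (RFC 3986 unreserved
# characters pass through, every other byte becomes %XX).
mdq_entity_url() {
  enc=$(printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    { for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /[A-Za-z0-9._~-]/) printf "%s", c
        else printf "%%%02X", ord[c] } }')
  printf '%s/%s' "$MDQ_BASE" "$enc"
}

# Compare fingerprints ignoring colons and letter case, so the openssl
# output can be checked against a value copied from a web page.
fingerprint_matches() {
  a=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# A browser download may yield HTML instead of metadata: accept the file only
# if it is an EntityDescriptor and not an HTML error page.
is_saml_metadata() {
  head -c 4096 "$1" | grep -qi '<html' && return 1
  head -c 4096 "$1" | grep -q 'EntityDescriptor'
}

# Network required: fetch cert, check fingerprint, fetch metadata,
# sanity-check it, then verify the XML signature with xmlsectool.
mdq_verify_entity() {
  url=$(mdq_entity_url "$1")
  curl -sS -O http://md.incommon.org/certs/inc-md-cert-mdq.pem || return 1
  fp=$(openssl x509 -sha1 -noout -fingerprint -in inc-md-cert-mdq.pem | cut -d= -f2)
  fingerprint_matches "$fp" "$EXPECTED_FP" || { echo "fingerprint mismatch" >&2; return 1; }
  curl -sS --output entity.xml "$url" || return 1
  is_saml_metadata entity.xml || { echo "download is not SAML metadata" >&2; return 1; }
  xmlsectool --verifySignature --inFile entity.xml --certificate inc-md-cert-mdq.pem
}
# Usage: source this file, then: mdq_verify_entity urn:mace:incommon:ucdavis.edu
```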