
Note: The MDQ beta service retired May 1, 2019. It is replaced with a "preview" (pre-production) MDQ service.

References

https://spaces.at.internet2.edu/display/MDQ/The+Guide

https://spaces.at.internet2.edu/display/MDQ/Production+metadata+signing+key

https://spaces.at.internet2.edu/display/MDQ/Per-Entity+Metadata+Service+Documentation

Note

The preferred approach is to have the SAML SP consume InCommon's Metadata Query (MDQ) service directly, so that the UC Davis IdP metadata is loaded and refreshed dynamically. Use the procedure below only when the SAML SP software cannot consume metadata from a remote source. Metadata obtained this way is a static snapshot; it must be re-fetched and re-verified before its validUntil date passes.

https://spaces.at.internet2.edu/display/MDQ/Configure+Shibboleth+service+provider

https://kantarainitiative.github.io/SAMLprofiles/saml2int.html

Caution: MDQ server behavior is still changing. Downloading metadata from the step 2 URL in a browser may not return a usable result; confirm that what you saved is XML (an md:EntityDescriptor), not an HTML page. InCommon also states that the technology-preview signing certificate could change with little notice, so expect the fingerprint in step 1 to need updating from InCommon's published value.

Procedure

  1. Download a copy of the InCommon MDQ signing certificate and verify its fingerprint. The download is plain HTTP, so comparing the fingerprint against the value InCommon publishes is what establishes trust in the file; do not continue if it does not match.

    Code Block
    curl -O http://md.incommon.org/certs/inc-md-cert-mdq.pem
    openssl x509 -sha1 -noout -fingerprint -in inc-md-cert-mdq.pem
    SHA1 Fingerprint=F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36


  2. Fetch the UC Davis IdP metadata (SAML entityID urn:mace:incommon:ucdavis.edu). The --fail option makes curl exit non-zero on an HTTP error instead of silently saving the server's error page as ucdavis-metadata.xml.

    Code Block
    curl --silent --fail --output ucdavis-metadata.xml \
            http://mdq-preview.incommon.org/entities/urn%3Amace%3Aincommon%3Aucdavis.edu


  3. Verify the XML signature using the signing certificate from step 1. Two tools that can do this are shown below; other XML signature verifiers exist as well. Do not load metadata whose signature fails to verify.

    https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home

    Code Block (xmlsectool)
    xmlsectool --verifySignature --inFile ucdavis-metadata.xml --certificate inc-md-cert-mdq.pem

    https://www.aleksey.com/xmlsec/

    Code Block (xmlsec1)
    xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor \
            --pubkey-cert-pem inc-md-cert-mdq.pem ucdavis-metadata.xml
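The three steps above as one fail-closed script. This is an added example in Python, not InCommon's or UC Davis's code. It assumes the pinned fingerprint is the step 1 value (update it from InCommon's published value when the preview certificate is rotated), that xmlsec1 is installed for the final step, and that the sample responses embedded in it are constructed for offline testing, not real InCommon output.

```python
"""Added example, not InCommon's or UC Davis's code: steps 1-3 above as one
fail-closed script (pinned signing cert, sanity checks on the response, xmlsec1)."""
import base64, hashlib, re, subprocess, sys
import urllib.parse, urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CERT_URL = "http://md.incommon.org/certs/inc-md-cert-mdq.pem"  # step 1
MDQ_BASE = "http://mdq-preview.incommon.org/entities/"          # step 2
ENTITY_ID = "urn:mace:incommon:ucdavis.edu"
# SHA-1 fingerprint of inc-md-cert-mdq.pem as shown in step 1. The cert download is
# plain HTTP, so this pin is what actually establishes trust; when InCommon rotates
# the preview cert, update the pin from the published value, never skip the check.
PINNED_SHA1 = "F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36"

def sha1_fingerprint(pem: str) -> str:
    """Same value `openssl x509 -sha1 -fingerprint` prints: SHA-1 over the DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def mdq_url(entity_id: str) -> str:
    """Per-entity MDQ URL: the entityID is one percent-encoded path segment."""
    return MDQ_BASE + urllib.parse.quote(entity_id, safe="")

def inspect_metadata(data: bytes, entity_id: str, now: Optional[datetime] = None) -> List[str]:
    """Problems found before signature verification; an empty list means proceed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}); probably an HTML error page"]
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element is {root.tag}, not md:EntityDescriptor"]
    problems = []
    if root.get("entityID") != entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {entity_id!r}")
    if root.find(f"{{{DS_NS}}}Signature") is None:
        problems.append("no enveloped ds:Signature; unsigned metadata must not be loaded")
    valid_until = root.get("validUntil")  # UTC, e.g. 2019-05-10T19:21:13Z, maybe with fraction
    if valid_until:
        expiry = datetime.strptime(valid_until.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
        if expiry.replace(tzinfo=timezone.utc) <= (now or datetime.now(timezone.utc)):
            problems.append(f"validUntil {valid_until} has already passed")
    return problems

def verify_signature(metadata_path: str, cert_path: str) -> bool:
    """Run the xmlsec1 command from step 3; True only on exit status 0."""
    cmd = ["xmlsec1", "--verify", "--id-attr:ID", f"{MD_NS}:EntityDescriptor",
           "--pubkey-cert-pem", cert_path, metadata_path]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except FileNotFoundError:
        print("xmlsec1 is not installed", file=sys.stderr)
        return False

# Constructed sample responses (not real InCommon output) for exercising the checks offline.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed"
    entityID="urn:mace:incommon:ucdavis.edu" validUntil="2099-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""
SAMPLE_HTML = b"<html><body><h1>Service Unavailable</h1></body></html>"

def main() -> int:
    pem = urllib.request.urlopen(CERT_URL, timeout=30).read().decode("ascii")
    fp = sha1_fingerprint(pem)
    if fp != PINNED_SHA1:
        print(f"signing cert fingerprint {fp} != pin {PINNED_SHA1}; aborting", file=sys.stderr)
        return 1
    with open("inc-md-cert-mdq.pem", "w") as f:
        f.write(pem)
    data = urllib.request.urlopen(mdq_url(ENTITY_ID), timeout=30).read()
    problems = inspect_metadata(data, ENTITY_ID)
    if problems:
        print("refusing response: " + "; ".join(problems), file=sys.stderr)
        return 1
    with open("ucdavis-metadata.xml", "wb") as f:
        f.write(data)
    if not verify_signature("ucdavis-metadata.xml", "inc-md-cert-mdq.pem"):
        print("XML signature did NOT verify; do not load this metadata", file=sys.stderr)
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it with no arguments to perform the live fetch; the check functions can be exercised against the constructed samples without network access. The order matters: the pin comparison is the trust anchor, the structural checks catch the HTML-instead-of-XML case the caution describes before anything is written to disk, and a failed signature verification leaves nothing for the SP to load by accident.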