Note: The MDQ beta service retired May 1, 2019. It is replaced with a "preview" (pre-production) MDQ service.
References
https://spaces.at.internet2.edu/display/MDQ/The+Guide
https://spaces.at.internet2.edu/display/MDQ/Production+metadata+signing+key
https://spaces.at.internet2.edu/display/MDQ/Per-Entity+Metadata+Service+Documentation
Note
The first choice is to use InCommon's Metadata Query (MDQ) service to load and manage SAML metadata for the UC Davis IdP. Use the procedure below only when the SAML SP software is incapable of dynamically consuming metadata from a remote source.
https://spaces.at.internet2.edu/display/MDQ/Configure+Shibboleth+service+provider
https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home
Caution: The state of MDQ server behavior is in flux. Downloading metadata from the URL below (step 2) using a browser may not provide usable results; check that the download is XML and not HTML. Also note InCommon's statement that this technology preview signing certificate could change with little notice.
Procedure
1. Download a copy of the InCommon MDQ signing certificate and verify its fingerprint.

    curl -O http://md.incommon.org/certs/inc-md-cert-mdq.pem
    openssl x509 -sha1 -noout -fingerprint -in inc-md-cert-mdq.pem
    SHA1 Fingerprint=CFF8:A84E:7AF8:5747:00EF:6EBB:05EE:0947:CD86:6332:A1DB:4994:1B17:4B8A:F831:46A6:9894:DD73:3A19:3836
2. Fetch the UC Davis IdP metadata (SAML entity ID urn:mace:incommon:ucdavis.edu).

    curl --silent --output ucdavis-metadata.xml \
        http://mdq-preview.incommon.org/entities/urn%3Amace%3Aincommon%3Aucdavis.edu
3. Validate the XML signature against the certificate downloaded in step 1. Note: several other ways to verify the digital signature on an XML document exist as well; two are shown here.

   xmlsectool (https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home):

    xmlsectool --verifySignature --inFile ucdavis-metadata.xml --certificate inc-md-cert-mdq.pem

   xmlsec1 (https://www.aleksey.com/xmlsec/):

    xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor \
        --pubkey-cert-pem inc-md-cert-mdq.pem ucdavis-metadata.xml
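The two checks that steps 1 and 2 rely on (pinning the signing certificate's fingerprint, and building the per-entity MDQ URL from an entityID) as an added Python example, not code from the page or from InCommon. It goes one step beyond the page by also building the MDQ protocol's hashed `{sha1}` identifier form; the PEM blob is a constructed placeholder, not the InCommon certificate.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# The base URL and entityID are the ones used in step 2 above.
MDQ_BASE = "http://mdq-preview.incommon.org/entities/"
UCDAVIS_ENTITY_ID = "urn:mace:incommon:ucdavis.edu"

# Constructed placeholder: arbitrary bytes wrapped in PEM armour, NOT a real
# certificate. A fingerprint is just SHA-1 over the DER body, so this suffices
# to exercise the parsing and comparison logic offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder, not a real DER certificate").decode()
    + "-----END CERTIFICATE-----\n"
)


def mdq_entity_url(entity_id: str, base: str = MDQ_BASE, hashed: bool = False) -> str:
    """Per-entity MDQ request URL for an entityID.

    Plain form: the entityID percent-encoded, so ':' becomes %3A (step 2).
    Hashed form: "{sha1}" + hex SHA-1 of the entityID, braces encoded as %7B/%7D,
    which the MDQ protocol also accepts (used by e.g. Shibboleth SP).
    """
    ident = entity_id
    if hashed:
        ident = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    # safe="" so ':' and '/' inside the identifier are encoded rather than kept.
    return base + quote(ident, safe="")


def der_from_pem(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the certificate body."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER bytes, formatted like `openssl x509 -fingerprint`."""
    digest = hashlib.sha1(der_from_pem(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Compare against a pinned fingerprint, ignoring colons and letter case."""
    norm = lambda s: s.replace(":", "").strip().lower()
    return hmac.compare_digest(norm(sha1_fingerprint(pem)), norm(expected))
```

Pin the fingerprint from step 1 in `expected`; a mismatch after re-downloading the certificate is exactly the "could change with little notice" case the caution above warns about and should stop the procedure rather than be waved through.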