References
https://spaces.at.internet2.edu/display/InCFederation/Metadata+Query+ProtocolMDQ
https://spaces.at.internet2.edu/display/perentityMDQ/MDQProduction+metadata+Client+Softwaresigning+key
Note
First choice is to use InCommon's Metadata Query (MDQ) service to load and manage SAML metadata for the UC Davis IdP. Use the procedure below only when the SAML SP software is incapable of dynamically consuming metadata from a remote source.
https://spaces.at.internet2.edu/display/InCCollaborateMDQ/MetadataConfigure+Shibboleth+Queryservice+Serverprovider
https://wikikantarainitiative.shibbolethgithub.netio/confluence/display/XSTJ2/xmlsectool+V2+HomeSAMLprofiles/saml2int.html
Procedure
Obtain Download a copy of the InCommon Metadata Query Protocol MDQ signing certificate. Though the MDQ service is currently beta, the data it serves is productionVerify its fingerprint.
Verify the certificate's signing key fingerprint with information on this pageCode Block curl -OLO httpshttp://dsmd.incommon.org/certs/mdqinc-betamd-cert.pem
https://ops.incommon.org/mdq_beta_cert.html
Fetch our IdP metadataCode Block -mdq.pem openssl x509 -sha256sha1 -noout -fingerprint -in mdqinc-betamd-cert-mdq.pem SHA1
Fingerprint=F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36Fetch the UC Davis IdP metadata (SAML entity ID
urn:mace:incommon:ucdavis.edu).Code Block curl --silent --output ucdavis-metadata.xml \ http://mdq-beta.incommon.org/global/entities/urn%3Amace%3Aincommon%3Aucdavis.eduValidate the XML signature. Note: several other ways to verify the digital signature on an XML document exist, as well, cf. Google search.
https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+HomeCode Block title xmlsectool xmlsectool --verifySignature --inFile ucdavis-metadata.xml --certificate inc-md-cert-mdq-beta-cert.pem.pem
https://www.aleksey.com/xmlsec/
Code Block title xmlsec1 xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor \ --pubkey-cert-pem inc-md-cert-mdq.pem ucdavis-metadata.xml