References

https://spaces.at.internet2.edu/display/MDQ

https://spaces.at.internet2.edu/display/MDQ/Production+metadata+signing+key

Note

First choice is to use InCommon's Metadata Query (MDQ) service to load and manage SAML metadata for the UC Davis IdP. Use the procedure below only when the SAML SP software is incapable of dynamically consuming metadata from a remote source.

https://spaces.at.internet2.edu/display/MDQ/Configure+Shibboleth+service+provider

https://kantarainitiative.github.io/SAMLprofiles/saml2int.html

Procedure

  1. Download a copy of the InCommon MDQ signing certificate. Verify its fingerprint.

    curl -O http://md.incommon.org/certs/inc-md-cert-mdq.pem
openssl x509 -sha1 -noout -fingerprint -in inc-md-cert-mdq.pem
SHA1 Fingerprint=F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36


  2. Fetch the UC Davis IdP metadata (SAML entity ID urn:mace:incommon:ucdavis.edu).

    curl --silent --output ucdavis-metadata.xml \
        http://mdq.incommon.org/entities/urn%3Amace%3Aincommon%3Aucdavis.edu


  3. Validate the XML signature. Note: several other ways to verify the digital signature on an XML document exist, as well, cf. Google search.

    https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home

    xmlsectool --verifySignature --inFile ucdavis-metadata.xml --certificate inc-md-cert-mdq.pem

    https://www.aleksey.com/xmlsec/

    xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor \
        --pubkey-cert-pem inc-md-cert-mdq.pem ucdavis-metadata.xml