Obtaining a Trusted Copy of the UC Davis IdP SAML Metadata
References
https://spaces.at.internet2.edu/display/MDQ
https://spaces.at.internet2.edu/display/MDQ/Production+metadata+signing+key
Note
The first choice is to configure the SP to consume metadata for the UC Davis IdP dynamically from InCommon's Metadata Query (MDQ) service, which verifies the metadata signature and refreshes the metadata on its own. Use the manual procedure below only when the SAML SP software is incapable of consuming metadata dynamically from a remote source. Metadata obtained manually must be re-fetched and re-verified before its validUntil date passes.
https://spaces.at.internet2.edu/display/MDQ/Configure+Shibboleth+service+provider
https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
Procedure
Download a copy of the InCommon MDQ signing certificate and verify its fingerprint against the value InCommon publishes (see the "Production metadata signing key" reference above). The certificate is served over plain HTTP; it is the out-of-band fingerprint comparison, not the transport, that establishes trust in it. openssl can also print a SHA-256 fingerprint (-sha256) if that is the digest InCommon publishes.

curl -O http://md.incommon.org/certs/inc-md-cert-mdq.pem
openssl x509 -sha1 -noout -fingerprint -in inc-md-cert-mdq.pem
SHA1 Fingerprint=F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36
Fetch the UC Davis IdP metadata (SAML entity ID urn:mace:incommon:ucdavis.edu) from the MDQ service. The entity ID is percent-encoded in the request path.

curl --silent --output ucdavis-metadata.xml \
    http://mdq.incommon.org/entities/urn%3Amace%3Aincommon%3Aucdavis.edu
Validate the XML signature on the downloaded file against the MDQ signing certificate verified in the first step. Either of the tools below works; other XML signature verifiers can be used as well, provided they check the signature against this certificate and not merely against whatever key is embedded in the document's KeyInfo. Do not load the metadata into the SP unless verification succeeds.

xmlsectool (https://wiki.shibboleth.net/confluence/display/XSTJ2/xmlsectool+V2+Home):

xmlsectool --verifySignature --inFile ucdavis-metadata.xml --certificate inc-md-cert-mdq.pem

xmlsec1 (https://www.aleksey.com/xmlsec/):

xmlsec1 --verify --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor \
    --pubkey-cert-pem inc-md-cert-mdq.pem ucdavis-metadata.xml
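The following Python 3 script is an added example; it is not part of the UC Davis page and not InCommon or Shibboleth code. It automates the three steps above using only the standard library plus the page's own xmlsec1 command, and adds the checks a deployer wants after the signature verifies: that the document is a single, signed EntityDescriptor for the entityID that was requested, that its validUntil has not passed, and which IdP signing certificates it carries. The pinned SHA-1 fingerprint, URLs and entity ID are the page's; the embedded sample PEM and metadata are constructed placeholders (their certificate bodies are just base64 of short strings, not real certificates), and the assumption that xmlsec1 is on PATH is mine.

```python
import base64
import hashlib
import re
import subprocess
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Values taken from the page.
MDQ_CERT_URL = "http://md.incommon.org/certs/inc-md-cert-mdq.pem"
MDQ_BASE_URL = "http://mdq.incommon.org/entities/"
ENTITY_ID = "urn:mace:incommon:ucdavis.edu"
PINNED_SHA1 = "F8:4E:F8:47:EF:BB:EE:47:86:32:DB:94:17:8A:31:A6:94:73:19:36"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem_text):
    """Base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case digest, the layout openssl x509 -fingerprint prints."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def fingerprint_matches(actual, expected):
    """Compare fingerprints ignoring case, colons and a 'SHA1 Fingerprint=' prefix."""
    def norm(s):
        return re.sub(r"[^0-9A-F]", "", s.split("=")[-1].upper())
    return norm(actual) == norm(expected)

def check_entity_descriptor(xml_text, expected_entity_id, now=None):
    """Post-signature sanity checks on a per-entity MDQ response (added here, not on the page).
    Returns the SHA-256 fingerprints of the IdP signing certificates for the operator's notes."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single EntityDescriptor, got %s" % root.tag)
    if root.get("entityID") != expected_entity_id:
        raise ValueError("entityID mismatch: %r" % root.get("entityID"))
    if root.find("ds:Signature", NS) is None:
        raise ValueError("metadata carries no XML signature")
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z", root.get("validUntil") or "")
    if not m:
        raise ValueError("missing or malformed validUntil")
    expires = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if expires <= now:
        raise ValueError("metadata expired at %s" % expires.isoformat())
    signing = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' also signs
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            signing.append(fingerprint(base64.b64decode("".join(cert.text.split())), "sha256"))
    return {"entity_id": expected_entity_id, "valid_until": expires, "signing_cert_sha256": signing}

def xmlsec1_verifies(xml_path, cert_path):
    """Run the page's xmlsec1 command; True only if the signature checks out against the pinned cert."""
    cmd = ["xmlsec1", "--verify", "--id-attr:ID", "urn:oasis:names:tc:SAML:2.0:metadata:EntityDescriptor",
           "--pubkey-cert-pem", cert_path, xml_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

# Constructed offline sample data, not a real certificate or real metadata: the
# X509Certificate bodies are just base64("abc") and base64("def").
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:mace:incommon:ucdavis.edu" validUntil="2020-01-15T00:00:00Z">
  <ds:Signature><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ZGVm</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)  # two weeks before the sample validUntil

def main():
    """The page's three steps end to end, stopping at the first failed check."""
    pem = urllib.request.urlopen(MDQ_CERT_URL).read().decode("ascii")
    actual = fingerprint(pem_to_der(pem), "sha1")
    if not fingerprint_matches(actual, PINNED_SHA1):
        sys.exit("MDQ signing certificate fingerprint mismatch: %s" % actual)
    with open("inc-md-cert-mdq.pem", "w") as f:
        f.write(pem)
    metadata = urllib.request.urlopen(MDQ_BASE_URL + urllib.parse.quote(ENTITY_ID, safe="")).read()
    with open("ucdavis-metadata.xml", "wb") as f:
        f.write(metadata)
    if not xmlsec1_verifies("ucdavis-metadata.xml", "inc-md-cert-mdq.pem"):
        sys.exit("XML signature did not verify; do not use this metadata")
    info = check_entity_descriptor(metadata, ENTITY_ID)
    print("OK: %s valid until %s" % (info["entity_id"], info["valid_until"].isoformat()))
    print("IdP signing cert SHA256: %s" % ", ".join(info["signing_cert_sha256"]))

if __name__ == "__main__":
    main()
```

Run with python3 from the directory where the SP expects the files; it writes inc-md-cert-mdq.pem and ucdavis-metadata.xml and exits non-zero at the first check that fails. The validUntil check matters because per-entity MDQ responses are deliberately short-lived: a valid signature only proves InCommon signed the document at some point, so a stale signed response that was captured earlier would still verify, and only the validUntil comparison rejects it.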