The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and it is the linchpin of the security of most Shibboleth deployments.
There are four approaches to supplying the trust policy to the filter:
- A pointer to a certificate file
- A reference to an externally defined TrustEngine bean
- An inline public key (as a child element of the filter)
- An inline trust engine (as a child element of the filter)
Filter order is important!
The <MetadataFilter> element and the type SignatureValidation are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.
The <security:TrustEngine> element is defined in the urn:mace:shibboleth:2.0:security namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-security.xsd.
| Type | Default | Description |
|---|---|---|
| Boolean | true | If true, this fails to load metadata with no signature on the root XML element. |
| | | (DEPRECATED) Old version of |
| | | Path to a certificate file whose key is used to verify the signature. |
| | | The ID of an externally defined CriteriaSet used as input to the trust engine, not generally used. |
| Bean Reference | SAMLSignatureProfileValidator | The ID of an externally defined SignaturePrevalidator. Used to perform pre-validation of an XML Signature, for example to validate that the signature conforms to a particular profile of XML Signature. |
| Bean Reference | BasicDynamicTrustedNamesStrategy | The ID of an externally defined Function<XMLObject, Set<String>>. This will be used to extract dynamic trusted names from signed metadata elements. |
| Bean Reference | | The ID of a |
One of the following two child elements may be configured. Their use conflicts with the trustEngineRef XML attributes.
A PEM-format public key.
You can obtain a public key from a certificate using a command such as:
A trust engine plugin that defines how the signature is to be checked.
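As an added example (not code from this page or from the Shibboleth project's own documentation), the following metadata-provider configuration shows two of the approaches listed above: a pointer to a certificate file, and an inline <security:TrustEngine> child element. The namespaces and schema locations are the ones named on this page; everything else is an assumption about an IdP v3 deployment: the provider types ChainingMetadataProvider and FileBackedHTTPMetadataProvider, the attribute names certificateFile and requireSignedRoot, the trust engine type security:StaticExplicitKeySignature with its security:Credential/security:Certificate children, the RequiredValidUntil filter, and all ids, paths and URLs (which are placeholders).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a metadata-providers.xml style configuration.
     All ids, file paths and URLs are constructed placeholders, not values from the page. -->
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:security="urn:mace:shibboleth:2.0:security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">

    <!-- Approach 1: trust policy supplied as a pointer to a certificate file
         (attribute names certificateFile / requireSignedRoot are assumed from the IdP v3 schema). -->
    <MetadataProvider id="FederationMetadata" xsi:type="FileBackedHTTPMetadataProvider"
        metadataURL="https://federation.example.org/metadata/federation.xml"
        backingFile="%{idp.home}/metadata/federation-backup.xml">

        <!-- Filter order matters: the signature is checked first. A filter that rewrites the
             document placed ahead of this one would leave nothing for the signature to match. -->
        <MetadataFilter xsi:type="SignatureValidation"
            requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/federation-signing.crt"/>

        <!-- Subsequent filters see only metadata that has already passed the signature check. -->
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
    </MetadataProvider>

    <!-- Approach 2: the same policy expressed as an inline <security:TrustEngine> child element
         (the engine and credential types are assumed from the IdP v3 security schema). -->
    <MetadataProvider id="PartnerMetadata" xsi:type="FileBackedHTTPMetadataProvider"
        metadataURL="https://partner.example.org/metadata.xml"
        backingFile="%{idp.home}/metadata/partner-backup.xml">

        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
            <security:TrustEngine id="PartnerSigningTrust" xsi:type="security:StaticExplicitKeySignature">
                <security:Credential id="PartnerSigningCert" xsi:type="security:X509Filesystem">
                    <!-- Only the key in this certificate is trusted to sign the partner's metadata. -->
                    <security:Certificate>%{idp.home}/credentials/partner-signing.crt</security:Certificate>
                </security:Credential>
            </security:TrustEngine>
        </MetadataFilter>

        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
    </MetadataProvider>

</MetadataProvider>
```

In both providers the SignatureValidation filter is the first filter in the chain and the root-signature requirement is left at its default of true, so an unsigned or tampered document is rejected before any later filter or the IdP itself acts on it; the inline child element and the certificateFile attribute are alternatives, and, as the text above notes, combining a child element with the trustEngineRef attribute is a configuration conflict.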