
The SignatureValidation filter verifies that a metadata instance is signed correctly with a trusted key, and is the linchpin of the security of most Shibboleth deployments.

There are four approaches to supplying the trust policy to the filter:

  • A pointer to a certificate file
  • A reference to an externally defined TrustEngine bean
  • An inline <PublicKey> element
  • An inline <security:TrustEngine> element

Schema and Namespaces

This element is defined in the urn:mace:shibboleth:2.0:metadata namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

If present, the <security:TrustEngine> element is defined in the urn:mace:shibboleth:2.0:security namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-security.xsd

Reference

Attributes

requireSignedRoot (3.2)
  Type: Boolean
  Default: true
  If true, metadata with no signature on the root XML element fails to load.

requireSignedMetadata
  Type: Boolean
  Default: true
  (DEPRECATED) Old name for requireSignedRoot.

certificateFile
  Type: File
  Default: (none)
  Path to a certificate file whose key is used to verify the signature.
  Conflicts with trustEngineRef and both of the child elements.

defaultCriteriaRef
  Type: Bean Reference
  Default: shibboleth.MetadataSignatureValidationStaticCriteria
  The ID of an externally defined CriteriaSet used as input to the trust engine; not generally needed.

signaturePrevalidatorRef
  Type: Bean Reference
  Default: SAMLSignatureProfileValidator
  The ID of an externally defined SignaturePrevalidator, used to pre-validate an XML Signature before the trust engine sees it, for example to check that the signature conforms to a particular profile of XML Signature.

dynamicTrustedNamesStrategyRef
  Type: Bean Reference
  Default: BasicDynamicTrustedNamesStrategy
  The ID of an externally defined Function<XMLObject, Set<String>> used to extract dynamic trusted names from signed metadata elements.

trustEngineRef
  Type: Bean Reference
  Default: (none)
  The ID of a <security:TrustEngine> defined elsewhere in the configuration.
  Conflicts with certificateFile and both of the child elements.
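
To make the root-signature requirement concrete, here is an added Python example (not part of this wiki page or of the IdP's own code) that performs the kind of structural pre-check the requireSignedRoot attribute and the signature prevalidator stand for: it confirms that the aggregate's root element carries exactly one enveloped ds:Signature whose single Reference points back at the root's own ID. The sample metadata, its IDs and entityID are constructed; the signature value is a dummy and is not cryptographically verified, which remains the trust engine's job.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"

def check_root_signature(xml_text):
    """Structural pre-check of the signature on a metadata root: returns a
    list of problems (empty means OK). It does not verify the signature
    cryptographically; that is the trust engine's job."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(f"{{{DS}}}Signature")  # direct children of the root only
    if not sigs:
        return ["root element carries no ds:Signature"]
    problems = []
    if len(sigs) > 1:
        problems.append("more than one ds:Signature on the root element")
    root_id = root.get("ID")
    if not root_id:
        problems.append("root element has no ID for the signature to reference")
    refs = sigs[0].findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return problems + [f"expected exactly one ds:Reference, found {len(refs)}"]
    uri = refs[0].get("URI")
    if root_id and uri != "#" + root_id:
        problems.append(f"Reference URI {uri!r} does not point at root ID {root_id!r}")
    algs = [t.get("Algorithm") for t in refs[0].findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")]
    if ENVELOPED not in algs:
        problems.append("Reference lacks the enveloped-signature transform")
    return problems

# Constructed sample: a minimal aggregate whose root is signed with an
# enveloped signature referencing its own ID (the signature value is dummy).
SIGNED_ROOT = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_agg1">
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#_agg1"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    </ds:Transforms></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth" ID="_sp1"/>
</EntitiesDescriptor>"""
# Same aggregate, but the Reference points at the child entity, not the root.
WRONG_REFERENCE = SIGNED_ROOT.replace('URI="#_agg1"', 'URI="#_sp1"')
# Same aggregate with the root signature removed entirely.
UNSIGNED_ROOT = re.sub(r"<ds:Signature>.*?</ds:Signature>", "", SIGNED_ROOT, flags=re.S)

if __name__ == "__main__":
    for name, doc in [("signed", SIGNED_ROOT), ("wrong-ref", WRONG_REFERENCE), ("unsigned", UNSIGNED_ROOT)]:
        print(name, check_root_signature(doc) or "OK")
```

A real deployment never relies on such a structural check alone; it only rejects obviously malformed input before the configured trust engine verifies the signature against the trusted key.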

Child Elements

One of the following two child elements may be configured. Their use conflicts with the certificateFile and trustEngineRef XML attributes.

<PublicKey>
  A PEM-format public key.

  You can obtain a public key from a certificate using a command such as:

  $ openssl x509 -pubkey -in cert.pem -noout

<security:TrustEngine>
  A trust engine plugin that defines how the signature is to be checked.

Examples

Externally specified certificate file

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="${idp.home}/credentials/signer.pem"/>

Inline key

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
  <PublicKey>
    MIIBI.....
  </PublicKey>
</MetadataFilter>

Metadata Provider with inline trust engine

<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true">
  <security:TrustEngine id="SignerTrustEngine" xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="SignerCredential" xsi:type="security:X509Filesystem">
      <security:Certificate>${idp.home}/credentials/signer.pem</security:Certificate>
    </security:Credential>
  </security:TrustEngine>
</MetadataFilter>