UK federation metadata configuration

Metadata services

The UK federation metadata is required for the IdP to validate UK federation service providers (SPs), and for the SPs to validate IdPs. It contains SAML metadata for all registered UK federation IdP and SP deployments. The UK federation provide two metadata services, which can be used interchangeably.

  1. UK federation metadata query (MDQ)
  2. UK federation metadata aggregate

Existing IdP and SP deployments will utilise the metadata aggregate, but we recommend that new IdP deployments utilise the metadata query (MDQ) service.

You should review the following sections of our MDQ documentation;

Metadata signing certificate

To secure against compromise, the UK federation metadata is signed using the UK federation's private key, and the corresponding public key must be used to verify the signature.

Note: that we use a different private key to sign the metadata aggregate and the metadata query service, therefore you will require the corresponding public key for the service that you choose to use, these are provided in the form of a self-signed X509 certificate.

The public key for the UK federation metadata query can be found at;

The public key for the UK federation metadata aggregate can be found at;

The certificate is required in the IdP configuration so that it can be used to verify the signature of the UK federation metadata. It needs to be downloaded and saved to the %{idp.home/credentials} directory.

However, as this certificate secures the entire UK Federation, you should not rely on it until you have checked its authenticity. To do this, you should verify the certificate's SHA-256 fingerprint, please refer to our page on Certificate Verification

To verify it you need to compare the resulting value with the correct fingerprint value, which can be obtained from the UK federation team. To guard against the possibility of this web site being compromised, you should contact them by telephone. Their phone number can be found on the UK federation helpdesk contact information page.

Configuration in metadata-providers.xml

After you have downloaded the UK federation signing certificate and verified its authenticity as described above, you configure the IdP to use the UK federation metadata by editing %{idp.home}/conf/metadata-providers.xml and adding a MetadataProvider element. The configuration example will depend on which Metadata service you plan to use

    <!-- UK federation MDQ service -->
    <MetadataProvider id="ukfMDQ" xsi:type="DynamicHTTPMetadataProvider">
        <!-- Verify the signature on the root element (i.e., the EntityDescriptor element) -->
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                certificateFile="%{idp.home}/credentials/ukfederation-mdq.pem" />

        <!-- Require a validUntil XML attribute no more than 30 days into the future -->
        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" />

        <!-- The MetadataQueryProtocol element specifies the base URL for the query protocol -->