UK federation metadata configuration
The UK federation metadata is required for the IdP to validate UK federation service providers (SPs), and for the SPs to validate IdPs. It contains SAML metadata for all registered UK federation IdP and SP deployments; and also IdPs and SPs from other federations throughout the world. The UK federation now recommends using Metadata Query (MDQ) in preference to the UK federation metadata aggregate, which has grown very large due to growing UK federation membership; and the import of entities from other federations via eduGAIN interfederation.
We provide configuration information here for both of those options; full details about metadata configuration for the Shibboleth IdP software are provided in the Shibboleth IdP wiki.
You should choose ONE out of the two following metadata configuration options, NOT both.
Metadata Query (MDQ) configuration (recommended)
This is the UK federation MDQ URL:
To secure against compromise, metadata from the UK federation MDQ URL is signed using a private key belonging to the UK federation, and the corresponding public key must be used to verify the signature. Note that a different signing key is used to sign MDQ metadata from that which is used to sign the metadata aggregates. The MDQ public key is available at this URL in the form of a self-signed X509 certificate:
The certificate is required in the IdP configuration so that it can be used to verify the signature on the UK federation metadata. It needs to be downloaded and saved to the %{idp.home/credentials} directory.
However, as this certificate secures the entire UK Federation, you should not rely on it until you have checked its authenticity. To do this, you should verify the certificate's SHA-256 fingerprint. You can use this openssl command to find out the SHA-256 fingerprint of the certificate that you have downloaded:
openssl x509 -sha256 -fingerprint -noout -in ukfederation-mdq.pem
To verify it you need to compare the resulting value with the correct fingerprint value, which can be obtained from the UK federation team. To guard against the possibility of this web site being compromised, you should contact them by telephone. Their phone number can be found on the UK federation helpdesk contact information page.
Configuration of MDQ in metadata-providers.xml
Having downloaded the UK federation MDQ signing certificate and verified its authenticity as described above, configure the IdP to use the MDQ metadata by adding the following MetadataProvider element to %{idp.home}/conf/metadata-providers.xml. There are comments in the default file distributed with the IdP that describe where this element should be placed.
<!-- UK federation MDQ service -->
<MetadataProvider id="UKfederationMDQ" xsi:type="DynamicHTTPMetadataProvider">
<!-- Verify the signature on the root element (i.e., the EntityDescriptor element) -->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="%{idp.home}/credentials/ukfederation-mdq.pem" />
<!-- Require a validUntil XML attribute no more than 30 days into the future -->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D" />
<!-- The MetadataQueryProtocol element specifies the base URL for the query protocol -->
<MetadataQueryProtocol>http://mdq.ukfederation.org.uk/</MetadataQueryProtocol>
</MetadataProvider>
Standard metadata aggregate configuration
In case for some reason you cannot use MDQ as above, we provide configuration details here for the standard production UK federation metadata aggregate. It is available at this URL:
To secure against compromise, the UK federation metadata is signed using the UK federation's private key, and the corresponding public key must be used to verify the signature. Note that a different signing key is used to sign the metadata aggregates from that which is used to sign MDQ metadata. The public key for the metadata aggregates is available at this URL in the form of a self-signed X509 certificate:
The certificate is required in the IdP configuration so that it can be used to verify the signature on the UK federation metadata. It needs to be downloaded and saved to the %{idp.home/credentials} directory.
However, as this certificate secures the entire UK Federation, you should not rely on it until you have checked its authenticity. To do this, you should verify the certificate's SHA-256 fingerprint. You can use this openssl command to find out the SHA-256 fingerprint of the certificate that you have downloaded:
openssl x509 -sha256 -fingerprint -noout -in ukfederation.pem
To verify it you need to compare the resulting value with the correct fingerprint value, which can be obtained from the UK federation team. To guard against the possibility of this web site being compromised, you should contact them by telephone. Their phone number can be found on the UK federation helpdesk contact information page.
Configuration of metadata aggregate in metadata-providers.xml
Having downloaded the UK federation aggregate signing certificate and verified its authenticity as described above, configure the IdP to use the aggregate metadata by editing %{idp.home}/conf/metadata-providers.xml and adding the following MetadataProvider element. There are comments in the default file distributed with the IdP that describe where this element should be placed, and there are two example configuration elements.
<!-- UK federation metadata aggregate -->
<MetadataProvider id="UKfederationMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/ukfederation-metadata.xml"
metadataURL="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"
failFastInitialization="false">
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="%{idp.home}/credentials/ukfederation.pem" />
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
<MetadataFilter xsi:type="SchemaValidation"/>
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>