|
|
(5 intermediate revisions by 3 users not shown) |
Line 1: |
Line 1: |
| | {{New Docs}} |
| | |
| If you just want your Shibboleth SP to be able to authenticate people from the University using Raven then you only need to supply your SP with metadata describing the Shibboleth IdP provided by Raven (on the other hand, if you want to be able to identify people from all the members of the UK federation then you need a different, bigger, set of metadata). | | If you just want your Shibboleth SP to be able to authenticate people from the University using Raven then you only need to supply your SP with metadata describing the Shibboleth IdP provided by Raven (on the other hand, if you want to be able to identify people from all the members of the UK federation then you need a different, bigger, set of metadata). |
|
| |
|
| In due course you'll be able to automatically access a signed metadata file describing the Raven IdP, but in the meantime here's a copy. Store it in a file called ucamfederation-idp-metadata.xml inside the same directory as the main shibboleth2.xml configuration file. Be careful not to corrupt or reformat this file when extracting it from this page - wikis are not the best vehicle for software distribution.
| | This Raven metadata can be collected from |
| | |
| <pre><nowiki>
| |
| <!--
| |
| Ucam federation IdP metadata
| |
| -->
| |
| <EntitiesDescriptor
| |
| xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
| |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
| |
| xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2001/04/xmlenc# xenc-schema.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
| |
| Name="https://shib.raven.cam.ac.uk/ucamfederation/" >
| |
| | |
| <Extensions>
| |
| <shibmeta:KeyAuthority
| |
| xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
| |
| VerifyDepth="3">
| |
| | |
| <!--
| |
| The KeyAuthority element's VerifyDepth attribute must be at least as
| |
| large as the verification depth required by each root certificate
| |
| below.
| |
| -->
| |
|
| |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| |
| | |
| <!--
| |
| GTE CyberTrust Global Root
| |
| * CN=GTE CyberTrust Global Root,
| |
| OU=GTE CyberTrust Solutions, Inc.,
| |
| O=GTE Corporation, C=US
| |
| | |
| This is used to sign:
| |
| | |
| * CN=Cybertrust Educational CA, OU=Educational CA,
| |
| O=Cybertrust, C=BE
| |
| | |
| This in turn is used to sign SureServer EDU end certificates.
| |
|
| |
| One intermediate CA below the root, so requires a verification
| |
| depth of at least 2.
| |
| | |
| Validity
| |
| Not Before: Aug 13 00:29:00 1998 GMT
| |
| Not After : Aug 13 23:59:00 2018 GMT
| |
| -->
| |
| <ds:X509Data>
| |
| <ds:X509Certificate>MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
| |
| VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
| |
| bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv
| |
| b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV
| |
| UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
| |
| cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
| |
| b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH
| |
| iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS
| |
| r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4
| |
| 04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r
| |
| GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
| |
| 3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
| |
| lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
| |
| </ds:X509Certificate>
| |
| </ds:X509Data>
| |
| </ds:KeyInfo>
| |
| </shibmeta:KeyAuthority>
| |
| </Extensions>
| |
|
| |
| <EntityDescriptor entityID="https://shib.raven.cam.ac.uk/shibboleth">
| |
| | |
| <Extensions>
| |
| <shibmeta:Scope
| |
| xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
| |
| regexp="false">cam.ac.uk</shibmeta:Scope>
| |
| <shibmeta:Scope
| |
| xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
| |
| regexp="false">eresources.lib.cam.ac.uk</shibmeta:Scope>
| |
| </Extensions>
| |
| | |
| <IDPSSODescriptor
| |
| protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
| |
| <Extensions>
| |
| <shibmeta:Scope
| |
| xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
| |
| regexp="false">cam.ac.uk</shibmeta:Scope>
| |
| <shibmeta:Scope
| |
| xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
| |
| regexp="false">eresources.lib.cam.ac.uk</shibmeta:Scope>
| |
| </Extensions>
| |
| <KeyDescriptor use="signing">
| |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| |
| <ds:KeyName>shib.raven.cam.ac.uk</ds:KeyName>
| |
| </ds:KeyInfo>
| |
| </KeyDescriptor>
| |
| <ArtifactResolutionService
| |
| Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
| |
| Location="https://shib.raven.cam.ac.uk:8443/shibboleth-idp/Artifact"
| |
| index="1"></ArtifactResolutionService>
| |
| <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
| |
| <SingleSignOnService
| |
| Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
| |
| Location="https://shib.raven.cam.ac.uk/shibboleth-idp/SSO"></SingleSignOnService>
| |
| </IDPSSODescriptor>
| |
| | |
| <AttributeAuthorityDescriptor
| |
| protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
| |
| <Extensions>
| |
| <shibmeta:Scope
| |
| xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
| |
| regexp="false">cam.ac.uk</shibmeta:Scope>
| |
| <shibmeta:Scope
| |
| xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
| |
| regexp="false">eresources.lib.cam.ac.uk</shibmeta:Scope>
| |
| </Extensions>
| |
| <KeyDescriptor use="signing">
| |
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| |
| <ds:KeyName>shib.raven.cam.ac.uk</ds:KeyName>
| |
| </ds:KeyInfo>
| |
| </KeyDescriptor>
| |
| <AttributeService
| |
| Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
| |
| Location="https://shib.raven.cam.ac.uk:8443/shibboleth-idp/AA"></AttributeService>
| |
| <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
| |
| </AttributeAuthorityDescriptor>
| |
| | |
| <Organization>
| |
| <OrganizationName
| |
| xml:lang="en">University of Cambridge</OrganizationName>
| |
| <OrganizationDisplayName
| |
| xml:lang="en">University of Cambridge (pilot)</OrganizationDisplayName>
| |
| <OrganizationURL
| |
| xml:lang="en">http://www.cam.ac.uk/</OrganizationURL>
| |
| </Organization>
| |
| | |
| <ContactPerson contactType="support">
| |
| <GivenName>Raven Support</GivenName>
| |
| <EmailAddress>mailto:raven-support@ucs.cam.ac.uk</EmailAddress>
| |
| </ContactPerson>
| |
| | |
| <ContactPerson contactType="technical">
| |
| <GivenName>Jon</GivenName>
| |
| <SurName>Warbrick</SurName>
| |
| <EmailAddress>mailto:jw35@cam.ac.uk</EmailAddress>
| |
| </ContactPerson>
| |
| | |
| <ContactPerson contactType="administrative">
| |
| <GivenName>Jon</GivenName>
| |
| <SurName>Warbrick</SurName>
| |
| <EmailAddress>mailto:jw35@cam.ac.uk</EmailAddress>
| |
| </ContactPerson>
| |
|
| |
|
| </EntityDescriptor>
| | https://shib.raven.cam.ac.uk/ucamfederation-idp2-metadata.xml |
|
| |
|
| </EntitiesDescriptor> | | The [[Shibboleth2.xml - internal use skeleton|internal use example shibboleth.xml file]] configures <tt>shibd</tt> to automatically load this data over the network and to cache it locally. |
|
| |
|
| </nowiki></pre>
| | In due course this file might be signed. |