Please, follow the instructions on the page at https://confluence.terena.org/display/aai/Service+Provider+Proxy


More specifically, add the following metadata provider to your "relying-party.xml" config file: ________________________________________________________________________________________ <metadata:MetadataProvider id="TERENAMD" xsi:type="metadata:FileBackedHTTPMetadataProvider" metadataURL="https://login.terena.org/wayf/module.php/saml/sp/metadata.php/default-sp" backingFile="/path/to/metadata/terena-metadata.xml"> <metadata:MetadataFilter xsi:type="metadata:ChainingFilter"> <metadata:MetadataFilter xsi:type="metadata:SignatureValidation" trustEngineRef="shibboleth.TERENAMetadataTrustEngine" requireSignedMetadata="true" /> <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList"> <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole> </metadata:MetadataFilter> </metadata:MetadataFilter> </metadata:MetadataProvider> ________________________________________________________________________________________ and trust engine (also to "relying-party.xml" config file): ________________________________________________________________________________________ <security:TrustEngine id="shibboleth.TERENAMetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature"> <security:Credential id="TERENAFederationCredential" xsi:type="security:X509Filesystem"> <security:Certificate>/path/to/credentials/terena.crt</security:Certificate> </security:Credential> </security:TrustEngine> ________________________________________________________________________________________ in order to load the TERENA metadata to your IdP.

Please, also download the TERENA certificate, in order to validate metadata's signature, from https://login.terena.org/wayf/sign.crt using wget (wget https://login.terena.org/wayf/sign.crt --no-check-certificate -o /path/to/credentials/terena.crt). Then, add the following filter to our "attribute-filter.xml" config file: ________________________________________________________________________________________ <afp:AttributeFilterPolicy id="https://terena.org/sp"> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://terena.org/sp" /> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy> ________________________________________________________________________________________ Reloaded your IdP in order to activate the additions.

Credits: Savvas Th. Anastasiades (Aristotle University of Thessaloniki)

  • No labels