
Sign eduGAIN metadata

Sign eduGAIN metadata

In order to sign and upload metadata, one approach could be:

  1. Download the eduGAIN metadata signing tools onto a Linux system that has a JVM with Java >= 1.5 installed and a Java keystore file containing an eduGAIN FPP certificate (SCA certificate with URN). Because the signing key is read from this keystore, keep the file readable only by the account that runs the script.
  2. Unzip archive with "unzip Edugain-metadata-signing.zip"
  3. Make the script executable with "chmod a+x publish-metadata.sh"
  4. Change permissions of publish-metadata.sh script with "chmod a+x publish-metadata.sh"
  5. Adapt the configuration: The script assumes that the three files Stable-BE.xml, Testing-BE.xml and Development-BE.xml exist in the current directory. Each of these files should contain an EntityDescriptor element for one BE. For a file that can be used as a basis, see the example at the bottom of this page.
  6. Adapt the sample Example-MDS-Metadata.xml file to reflect the configuration of your Bridging Element(s)
  7. Run "./publish-metadata.sh"

Example Metadata file

<source lang="xml">

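 <?xml version="1.0"?>
 <!-- Sample metadata for one Bridging Element (BE). Every example.org value, the certificate and
      the contact details are placeholders: replace them with your own data before signing. -->
 <md:EntityDescriptor ID="be.example.org" entityID="urn:geant:edugain:component:be:example:example.org" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 	<!-- Identity-provider role of the BE. -->
 	<md:IDPSSODescriptor ID="stable-idp.example.org" protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:geant:edugain:protocol:1.0">
 		<!-- Certificate of the key this role signs with; consumers of the metadata use it to verify
 		     those signatures, so it must be the BE's current certificate.
 		     NOTE(review): the Base64 value below is sample data. It appears to be a certificate issued
 		     to a real organisation rather than example.org and to be past its validity period; confirm
 		     and substitute your own. Publish the certificate only, never the private key from the keystore. -->
 		<md:KeyDescriptor use="signing">
 			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 				<ds:KeyName>example.org</ds:KeyName>
 				<ds:X509Data>
 					<ds:X509Certificate>
 MIIErzCCA5egAwIBAgIBejANBgkqhkiG9w0BAQUFADBBMRMwEQYKCZImiZPyLGQB
 GRMDbmV0MRUwEwYKCZImiZPyLGQBGRMFZ2VhbnQxEzARBgNVBAMTCmVkdUdBSU5T
 Q0EwHhcNMDgwNDE2MTMwOTQyWhcNMDkwNDE2MTMwOTQyWjBRMRMwEQYKCZImiZPy
 LGQBGRYDbmV0MRUwEwYKCZImiZPyLGQBGRYFZ2VhbnQxDzANBgNVBAoTBlNXSVRD
 SDESMBAGA1UEAxMJc3dpdGNoLmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
 CgKCAQEA6wHk3c50RiJqjCt/PJWBqLOMF87Ogx1bI0jN26RV7SOknU1ypyFxz4XB
 qTMgGU3bxG3r+6rNdz8LF1adbTpUtPfeept89D0pYA0F1t3QPw/JcClOnnhIccqO
 EEL5xBsSmr0bVAyl/T7hbJ2ET29zQWjSDS9h6NXq5fs94Mvh2m7XM2+oY0cbqC+Z
 F0Nx+hbmDPXcE6WSeuv5Tr9kakusZt1EYWqKKZL1zOZ06hDvMEoiskaPD/gD6Woj
 LdJRPXC5oPnLndh1tGTnPhrxuLEBMvwB1N9KpPtb7Y4fIPweLkqoEu4M6AGklz9Y
 wDyjFsi8iX34bAcRtJsko95SD81UgQIDAQABo4IBoDCCAZwwDAYDVR0TAQH/BAIw
 ADAdBgNVHQ4EFgQUkrcYJXfAM096gqEdBaweBFQqnV8wHwYDVR0jBBgwFoAUiw+P
 J4DSk9dGXZGEuy6YYq4E8dIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
 AQUFBwMBBggrBgEFBQcDAjCByAYDVR0RBIHAMIG9hlpodHRwczovL3JlZ2lzdHJ5
 LmVkdWdhaW4ub3JnL3Jlc29sdmVyP3Vybj11cm46Z2VhbnQ6ZWR1Z2Fpbjpjb21w
 b25lbnQ6ZnBwOnN3aXRjaDpzd2l0Y2guY2iGX2h0dHBzOi8vcmVnaXN0cnkuZWR1
 Z2Fpbi5vcmcvcmVzb2x2ZXI/dXJuPXVybjpnZWFudDplZHVnYWluOmNvbXBvbmVu
 dDpiZTpzd2l0Y2g6bWFjbGguc3dpdGNoLmNoMDUGA1UdHwQuMCwwKqAooCaGJGh0
 dHA6Ly9zY2EuZWR1Z2Fpbi5vcmcvY3JsL2NhY3JsLmRlcjAbBgNVHSAEFDASMBAG
 DisGAQQBgdR+AQwCAAAEMA0GCSqGSIb3DQEBBQUAA4IBAQB5wmBiSciWqoA/7o7J
 78JZs4Km5KVgw+LBHTiix5C1JcLHofDRVDCdOcjmXptbRNqSpuOwhe4FIdUWR9zy
 TzyolWSVdHMN5BJAILk2aYiVV8lpVz68sgHzJLKke2WugR8zEeQWBgqrQO9xjLSO
 u7NfNyVI9eSAtd9IeiZTiddfcbvFsWPdbnYgV6/ihcft7jZ7F/HsnKVYxJSPECCA
 lCf5+FKblvQ3U9z39ZncO28gO9fbBuzRkWULpkGO/Ou8GBe87QavBNnqVQnPs5Sm
 6dvfm/11StbrakVLHli3Tdpbi3LM5ALK7RyLZcHZlXoVsRK74FFWAVBT0yt5bbg0
 S2tw
 					</ds:X509Certificate>
 				</ds:X509Data>
 			</ds:KeyInfo>
 		</md:KeyDescriptor>
 		<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
 		<!-- Endpoint Locations in this sample all use https; keep that when adapting them. -->
 		<md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://edugain-login.example.org/ShiBE-H/WebSSORequestListener" />
 	</md:IDPSSODescriptor>
 	<!-- Attribute-authority role: SOAP endpoint for attribute queries. -->
 	<md:AttributeAuthorityDescriptor ID="stable-aa.example.org" protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
 		<md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://edugain-login.example.org/ShiBE-H/SAMLSOAPReceiver" />
 		<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
 	</md:AttributeAuthorityDescriptor>
 	<!-- Service-provider role: where browser-post responses are delivered. -->
 	<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
 		<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
 		<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://edugain-login.example.org/ShiBE-R/WebSSOResponseListener" index="1" isDefault="true" />
 	</md:SPSSODescriptor>
 	<md:Organization>
 		<md:Extensions>
 			<!-- Home-locator patterns. The element text is the value that gets matched (postfix or exact,
 			     per MatchingAlgo), so keep it on one line with no surrounding whitespace; whether a
 			     consumer trims the value is not shown here. List only domains and URNs that belong to
 			     this BE. -->
 			<egmd:HLPattern egmd:MatchingAlgo="urn:geant:edugain:metadata:homelocator:matching-algo:postfix" egmd:Type="HomeDomain" xmlns:egmd="urn:geant:edugain:metadata">example.org</egmd:HLPattern>
 			<egmd:HLPattern egmd:MatchingAlgo="urn:geant:edugain:metadata:homelocator:matching-algo:postfix" egmd:Type="HomeDomain" xmlns:egmd="urn:geant:edugain:metadata">edugain-login.example.org</egmd:HLPattern>
 			<egmd:HLPattern egmd:MatchingAlgo="urn:geant:edugain:metadata:homelocator:matching-algo:exact" egmd:Type="Urn" xmlns:egmd="urn:geant:edugain:metadata">urn:geant:edugain:component:be:example:example.org</egmd:HLPattern>
 		</md:Extensions>
 		<md:OrganizationName xml:lang="en">example</md:OrganizationName>
 		<md:OrganizationDisplayName xml:lang="en">Example Organisation (Switzerland)</md:OrganizationDisplayName>
 		<md:OrganizationURL xml:lang="en">http://www.example.org</md:OrganizationURL>
 	</md:Organization>
 	<!-- Technical contact published with the metadata; a role address may be preferable to a personal one. -->
 	<md:ContactPerson contactType="technical">
 		<md:GivenName>John</md:GivenName>
 		<md:SurName>Doe</md:SurName>
 		<md:EmailAddress>john.doe@example.org</md:EmailAddress>
 		<md:TelephoneNumber>+1 23 456 78 90</md:TelephoneNumber>
 	</md:ContactPerson>
 </md:EntityDescriptor>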

</source>

 

This page was last modified on 31 March 2009, at 14:39.