CAF – Reference Shibboleth IdP Configuration Settings

Configuring the Shibboleth IdP to Load and Validate metadata

If you are using the IdP-Installer, this is automatically configured for you and you can skip this section.

Recommended reading and authoritative reference for IdP metadata configuration can be found here: https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration

Adding FIM Production Aggregates to the Shibboleth IdP

To add the FIM Production aggregates as trusted by your IdP after installation, edit the ${idp.home}/conf/metadata-providers.xml file and add the following two MetadataProvider blocks – one for the Production Domestic Aggregate and one for the Production Inter-Federation Aggregate:

<MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://caf-shib2ops.ca/CoreServices/caf_metadata_signed_sha256.xml"
    backingFile="/opt/shibboleth-idp/metadata/caf_metadata_signed.xml"
    maxRefreshDelay="PT1H">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="/opt/shibboleth-idp/credentials/md-signer.crt"/>
</MetadataProvider>

<MetadataProvider id="URLMDCAFEdugain" xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://caf-shib2ops.ca/CoreServices/caf_interfed_signed.xml"
    backingFile="/opt/shibboleth-idp/metadata/caf_interfed_signed.xml"
    maxRefreshDelay="PT1H">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="/opt/shibboleth-idp/credentials/md-signer.crt"/>
</MetadataProvider>

Adding FIM Test Aggregate to the Shibboleth IdP

To add the FIM Test aggregate as trusted by your IdP after installation, edit the ${idp.home}/conf/metadata-providers.xml file and add this MetadataProvider block:

<MetadataProvider id="URLMDCAFTestbed" xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://caf-shib2ops.ca/CoreServices/testbed/caf_test_fed_unsigned.xml"
    backingFile="/opt/shibboleth-idp/metadata/caf_test_fed_unsigned.xml"
    maxRefreshDelay="PT1H">
</MetadataProvider>

Note that there is no signature verification on the Test Federation.
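The difference between the Production blocks (signature validated against md-signer.crt) and the Test block (no filter at all) is easy to lose track of once metadata-providers.xml grows. The following is an added audit script, not part of the CAF page or the Shibboleth IdP distribution; it parses a metadata-providers.xml and lists every remote (FileBackedHTTPMetadataProvider) provider that has no SignatureValidation filter with requireSignedRoot="true" and a certificateFile. The embedded configuration is a constructed sample that mirrors the blocks above; the namespace URIs are the ones the IdP v3 configuration schema uses.

```python
# Added example: audit ${idp.home}/conf/metadata-providers.xml for remote
# metadata providers that load an aggregate without signature validation.
import xml.etree.ElementTree as ET

# Namespaces used by the Shibboleth IdP v3 metadata-providers.xml schema.
XSI = "http://www.w3.org/2001/XMLSchema-instance"
MD_NS = "urn:mace:shibboleth:2.0:metadata"

# Constructed sample config (not a real file): one signed Production
# aggregate and the unsigned Test aggregate, inside the usual chaining root.
SAMPLE_CONFIG = f"""<?xml version="1.0" encoding="UTF-8"?>
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="{MD_NS}" xmlns:xsi="{XSI}">
  <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider"
      metadataURL="https://caf-shib2ops.ca/CoreServices/caf_metadata_signed_sha256.xml"
      backingFile="/opt/shibboleth-idp/metadata/caf_metadata_signed.xml"
      maxRefreshDelay="PT1H">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="/opt/shibboleth-idp/credentials/md-signer.crt"/>
  </MetadataProvider>
  <MetadataProvider id="URLMDCAFTestbed" xsi:type="FileBackedHTTPMetadataProvider"
      metadataURL="https://caf-shib2ops.ca/CoreServices/testbed/caf_test_fed_unsigned.xml"
      backingFile="/opt/shibboleth-idp/metadata/caf_test_fed_unsigned.xml"
      maxRefreshDelay="PT1H">
  </MetadataProvider>
</MetadataProvider>
"""


def unsigned_remote_providers(config_xml: str) -> list:
    """Return ids of HTTP-backed providers lacking signed-root validation."""
    root = ET.fromstring(config_xml)
    findings = []
    # The chaining root is itself a MetadataProvider; iter() walks it and all
    # nested providers, and the xsi:type check skips the chaining wrapper.
    for mp in root.iter(f"{{{MD_NS}}}MetadataProvider"):
        if mp.get(f"{{{XSI}}}type") != "FileBackedHTTPMetadataProvider":
            continue
        validated = any(
            flt.get(f"{{{XSI}}}type") == "SignatureValidation"
            and flt.get("requireSignedRoot", "false").lower() == "true"
            and flt.get("certificateFile")
            for flt in mp.findall(f"{{{MD_NS}}}MetadataFilter")
        )
        if not validated:
            findings.append(mp.get("id"))
    return findings


if __name__ == "__main__":
    for pid in unsigned_remote_providers(SAMPLE_CONFIG):
        print(f"WARNING: {pid} loads remote metadata without signature validation")
```

Run it against the real file with `unsigned_remote_providers(open(path).read())`; on the configuration described on this page the only expected hit is URLMDCAFTestbed.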