
HREF Key Rollover 2020 English

9,482 bytes added, 24 August 2021, 11:36
== Introduction ==

The Hungarian Research and Educational Federation is migrating to a new metadata signing certificate (HREF-2020).

All HREF members and partners have to update their IdP and SP configurations before January 1st, 2022, in order to provide the federation services without interruption. After January 1st, 2022, the old metadata signing certificate (HREF-2011) will be shut down.

The tables and configuration examples below contain all the necessary technical information.

== Key Rollover ==

=== Code names ===

{| class="wikitable"
! Code name || Metadata signing certificate || Date of expiration
|-
| HREF-2011 || style="text-align:center;" | [https://metadata.eduid.hu/certs/href-metadata-signer-2011.crt href-metadata-signer-2011.crt] || style="text-align:center;" | 2022.01.01.
|-
| HREF-2015 || style="text-align:center;" | [https://metadata.eduid.hu/certs/mdx-test-signer-2020.crt mdx-test-signer-2015.crt] || style="text-align:center;" | 2022.01.01.
|-
| HREF-2020 || style="text-align:center;" | [https://metadata.eduid.hu/certs/href-metadata-signer-2020.crt href-metadata-signer-2020.crt] || style="text-align:center;" | 2025.06.14.
|}

=== SHA1 fingerprints ===

{| class="wikitable"
! Code name || SHA1 fingerprint
|-
| HREF-2011 || style="text-align:center;" | <code>FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66</code>
|-
| HREF-2015 || style="text-align:center;" | <code>91:81:AD:2B:F1:C1:4E:47:93:A2:9D:49:34:B7:77:62:4F:2F:98:43</code>
|-
| HREF-2020 || style="text-align:center;" | <code>C3:72:DC:75:4C:FA:BA:65:63:52:D9:6B:47:5B:44:7E:AA:F6:45:61</code>
|}
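Before a downloaded signer certificate is referenced from any of the configurations below (or pasted into a SimpleSAMLphp <code>validateFingerprint</code> entry), its SHA1 fingerprint should be compared with the table above. The following script is an added example for this page, not code from the HREF wiki or from Shibboleth or SimpleSAMLphp. It relies on the fact that the SHA1 fingerprint of an X.509 certificate is the SHA1 digest of its DER encoding, which is the base64 payload of the PEM file, so only the standard library is needed. The sample PEM inside it is constructed (it is not a real certificate) purely to exercise the code; the expected fingerprints are copied from the table.

```python
"""Check a PEM-encoded metadata signing certificate against the HREF
fingerprint table. Added example, not part of the HREF wiki or of the
Shibboleth/SimpleSAMLphp projects."""
import base64
import hashlib
import re
import sys

# Expected SHA1 fingerprints, copied from the page's table.
EXPECTED_FINGERPRINTS = {
    "HREF-2011": "FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66",
    "HREF-2015": "91:81:AD:2B:F1:C1:4E:47:93:A2:9D:49:34:B7:77:62:4F:2F:98:43",
    "HREF-2020": "C3:72:DC:75:4C:FA:BA:65:63:52:D9:6B:47:5B:44:7E:AA:F6:45:61",
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate block in PEM text."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    # Strip line breaks and whitespace before base64-decoding the payload.
    return base64.b64decode("".join(match.group(1).split()))


def sha1_fingerprint(der):
    """Colon-separated upper-case SHA1 fingerprint of DER bytes,
    in the same format as the table and `openssl x509 -fingerprint -sha1`."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(pem_text, code_name):
    """True if the certificate's fingerprint equals the table entry for code_name."""
    expected = EXPECTED_FINGERPRINTS[code_name].upper()
    return sha1_fingerprint(pem_to_der(pem_text)) == expected


# Constructed sample: the base64 payload "YWJj" decodes to b"abc", so this is
# NOT a real certificate; it only gives a known SHA1 input for testing.
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


if __name__ == "__main__":
    # Usage: python check_fingerprint.py href-metadata-signer-2020.crt HREF-2020
    path, code_name = sys.argv[1], sys.argv[2]
    with open(path, encoding="ascii") as fh:
        pem = fh.read()
    print(sha1_fingerprint(pem_to_der(pem)))
    print("MATCH" if matches(pem, code_name) else "MISMATCH")
```

The same value can be cross-checked on the command line with <code>openssl x509 -in href-metadata-signer-2020.crt -noout -fingerprint -sha1</code>; a mismatch means the file must not be deployed as a trust anchor.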

=== Domain names ===

{| class="wikitable"
! Domain || URL || Key || Status
|-
| rowspan="2" | metadata.eduid.hu || <code>metadata.eduid.hu/2011/href.xml</code> || HREF-2011 || style="text-align:center;" | Prod
|-
| <code>metadata.eduid.hu/2020/href.xml</code> || HREF-2020 || style="text-align:center;" | Prod
|-
| rowspan="2" | mdx.eduid.hu || <code>mdx-2015.eduid.hu</code> || HREF-2015 || style="text-align:center;" | Prod
|-
| <code>mdx-2020.eduid.hu</code> || HREF-2020 || style="text-align:center;" | Prod
|}

== Shibboleth Service Provider Configurations ==

https://wiki.shibboleth.net/confluence/display/SP3/MetadataProvider

=== XML ===

https://wiki.shibboleth.net/confluence/display/SP3/XMLMetadataProvider

<syntaxhighlight lang="xml">
<MetadataProvider type="Chaining">
    <!-- Old aggregate signed with HREF-2011: keep until 2022-01-01, then remove -->
    <MetadataProvider type="XML" id="href-2011" url="https://metadata.eduid.hu/2011/href.xml" backingFilePath="href-2011.xml">
        <MetadataFilter type="Signature" certificate="href-metadata-signer-2011.crt"/>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
    </MetadataProvider>
    <!-- New aggregate signed with HREF-2020 -->
    <MetadataProvider type="XML" id="href-2020" url="https://metadata.eduid.hu/2020/href.xml" backingFilePath="href-2020.xml">
        <MetadataFilter type="Signature" certificate="href-metadata-signer-2020.crt"/>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
    </MetadataProvider>
</MetadataProvider>
</syntaxhighlight>

=== MDX ===

==== Shibboleth 3.X ====

https://wiki.shibboleth.net/confluence/display/SP3/MDQMetadataProvider

<syntaxhighlight lang="xml">
<!-- Old MDQ endpoint signed with HREF-2015: keep until 2022-01-01, then remove -->
<MetadataProvider type="MDQ" id="href-2015" ignoreTransport="true" baseUrl="https://mdx-2015.eduid.hu/">
    <MetadataFilter type="Signature" certificate="mdx-test-signer-2015.crt"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
</MetadataProvider>
<!-- New MDQ endpoint signed with HREF-2020 -->
<MetadataProvider type="MDQ" id="href-2020" ignoreTransport="true" baseUrl="https://mdx-2020.eduid.hu/">
    <MetadataFilter type="Signature" certificate="href-metadata-signer-2020.crt"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
</MetadataProvider>
</syntaxhighlight>

==== Shibboleth 2.X ====

<syntaxhighlight lang="xml">
<MetadataProvider type="Dynamic" id="href-2015" ignoreTransport="true">
    <Subst>https://mdx-2015.eduid.hu/entities/$entityID</Subst>
    <MetadataFilter type="Signature" certificate="mdx-test-signer-2015.crt"/>
</MetadataProvider>
<MetadataProvider type="Dynamic" id="href-2020" ignoreTransport="true">
    <Subst>https://mdx-2020.eduid.hu/entities/$entityID</Subst>
    <MetadataFilter type="Signature" certificate="href-metadata-signer-2020.crt"/>
</MetadataProvider>
</syntaxhighlight>

== Shibboleth Identity Provider Configurations ==

=== XML ===

==== Shibboleth 4.X ====

https://wiki.shibboleth.net/confluence/display/IDP4/FileBackedHTTPMetadataProvider

<syntaxhighlight lang="xml">
<MetadataProvider id="RemoteMetadataAggregate" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/href-2020.xml"
        metadataURL="https://metadata.eduid.hu/2020/href.xml">

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/conf/metadata/href-metadata-signer-2020.crt"/>

    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P9D"/>

    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>

</MetadataProvider>
</syntaxhighlight>

==== Shibboleth 3.X ====

https://wiki.shibboleth.net/confluence/display/IDP30/FileBackedHTTPMetadataProvider

<syntaxhighlight lang="xml">
<MetadataProvider id="RemoteMetadataAggregate" xsi:type="FileBackedHTTPMetadataProvider"
        backingFile="%{idp.home}/metadata/href-2020.xml"
        metadataURL="https://metadata.eduid.hu/2020/href.xml">

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/conf/metadata/href-metadata-signer-2020.crt"/>

    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P9D"/>

    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>

</MetadataProvider>
</syntaxhighlight>

=== MDX ===

==== Shibboleth 4.X ====

https://wiki.shibboleth.net/confluence/display/IDP4/DynamicHTTPMetadataProvider

<syntaxhighlight lang="xml">
<MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider"
        connectionRequestTimeout="PT2S"
        connectionTimeout="PT2S"
        socketTimeout="PT4S">

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/href-metadata-signer-2020.crt"/>

    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P9D"/>

    <MetadataQueryProtocol>https://mdx-2020.eduid.hu/</MetadataQueryProtocol>

</MetadataProvider>
</syntaxhighlight>

==== Shibboleth 3.X ====

https://wiki.shibboleth.net/confluence/display/IDP30/DynamicHTTPMetadataProvider

<syntaxhighlight lang="xml">
<MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider"
        connectionRequestTimeout="PT2S"
        connectionTimeout="PT2S"
        socketTimeout="PT4S">

    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
            certificateFile="%{idp.home}/credentials/href-metadata-signer-2020.crt"/>

    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P9D"/>

    <MetadataQueryProtocol>https://mdx-2020.eduid.hu/</MetadataQueryProtocol>

</MetadataProvider>
</syntaxhighlight>
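During the rollover window an operator typically has several MetadataProvider elements in place (SP and IdP, aggregate and MDQ) and needs to know which of them still trust a certificate that is about to be retired, and whether any provider fetches metadata without a signature filter at all. The script below is an added example for this page, not code from the HREF wiki or from the Shibboleth SP or IdP projects. It maps the certificate file each provider verifies against to the code names and expiry dates in the tables above, and understands both the SP syntax (<code>type="Signature"</code>, <code>certificate=</code>) and the IdP syntax (<code>xsi:type="SignatureValidation"</code>, <code>certificateFile=</code>), with or without a default XML namespace. The sample input is the page's own SP chaining snippet and IdP aggregate snippet wrapped in a constructed <code>Root</code> element, plus one constructed provider (<code>local-test</code>, pointing at an <code>example.invalid</code> URL) that has no signature filter.

```python
"""Rollover readiness audit for Shibboleth MetadataProvider configurations.

Added example for this page; not part of the HREF wiki, Shibboleth SP or
Shibboleth IdP. Uses only the standard library."""
import os
import xml.etree.ElementTree as ET
from datetime import date

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Code name and expiry date per signing certificate file (from the page's table).
SIGNER_TABLE = {
    "href-metadata-signer-2011.crt": ("HREF-2011", date(2022, 1, 1)),
    "mdx-test-signer-2015.crt": ("HREF-2015", date(2022, 1, 1)),
    "href-metadata-signer-2020.crt": ("HREF-2020", date(2025, 6, 14)),
}
PAGE_DATE = date(2021, 8, 24)         # the day the page was written
ROLLOVER_DEADLINE = date(2022, 1, 1)  # HREF-2011 is shut down from this day


def _local(tag):
    """Strip a namespace prefix: '{urn:x}Foo' -> 'Foo'."""
    return tag.rsplit("}", 1)[-1]


def _type_of(elem):
    """Provider or filter type in SP ('type') or IdP ('xsi:type') syntax."""
    return elem.get("type") or elem.get(XSI_TYPE) or ""


def _signer_file(provider):
    """Basename of the certificate used by the provider's signature filter, or None."""
    for child in provider:
        if not isinstance(child.tag, str) or _local(child.tag) != "MetadataFilter":
            continue
        if _type_of(child) in ("Signature", "SignatureValidation"):
            path = child.get("certificate") or child.get("certificateFile")
            if path:
                return os.path.basename(path)
    return None


def audit(xml_text, today):
    """Return one (provider id, code name, status) tuple per non-chaining provider.

    status: 'unsigned' = no signature filter, so fetched metadata would be
    trusted unverified; 'unknown' = certificate not in the table;
    'expired' = certificate retired on or before `today`; 'ok' otherwise."""
    root = ET.fromstring(xml_text)
    findings = []
    for prov in root.iter():
        if not isinstance(prov.tag, str) or _local(prov.tag) != "MetadataProvider":
            continue
        if "Chaining" in _type_of(prov):
            continue  # wrapper only; its children are audited individually
        pid = prov.get("id", "?")
        signer = _signer_file(prov)
        if signer is None:
            findings.append((pid, None, "unsigned"))
        elif signer not in SIGNER_TABLE:
            findings.append((pid, signer, "unknown"))
        else:
            code, expires = SIGNER_TABLE[signer]
            findings.append((pid, code, "expired" if expires <= today else "ok"))
    return findings


# Sample input: the page's SP and IdP snippets inside a constructed wrapper,
# plus a constructed provider that never checks the signature.
SAMPLE_CONFIG = """<Root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <MetadataProvider type="Chaining">
    <MetadataProvider type="XML" id="href-2011" url="https://metadata.eduid.hu/2011/href.xml" backingFilePath="href-2011.xml">
      <MetadataFilter type="Signature" certificate="href-metadata-signer-2011.crt"/>
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
    </MetadataProvider>
    <MetadataProvider type="XML" id="href-2020" url="https://metadata.eduid.hu/2020/href.xml" backingFilePath="href-2020.xml">
      <MetadataFilter type="Signature" certificate="href-metadata-signer-2020.crt"/>
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
    </MetadataProvider>
  </MetadataProvider>
  <MetadataProvider id="RemoteMetadataAggregate" xsi:type="FileBackedHTTPMetadataProvider"
      backingFile="%{idp.home}/metadata/href-2020.xml"
      metadataURL="https://metadata.eduid.hu/2020/href.xml">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/conf/metadata/href-metadata-signer-2020.crt"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P9D"/>
  </MetadataProvider>
  <MetadataProvider type="XML" id="local-test" url="https://example.invalid/md.xml"/>
</Root>
"""


if __name__ == "__main__":
    for pid, code, status in audit(SAMPLE_CONFIG, date.today()):
        print(f"{pid:28} {code or '-':32} {status}")
```

Run against the page date every provider using HREF-2011 or HREF-2020 reports <code>ok</code>; run against the deadline the HREF-2011 provider flips to <code>expired</code>, which is the configuration that will silently stop trusting the feed on January 1st, 2022. The <code>unsigned</code> finding is the more serious one in any environment, since such a provider accepts whatever the HTTP endpoint returns.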

== SimpleSAMLphp Configurations ==

=== MDX ===

<syntaxhighlight lang="php">
// config/config.php
'metadata.sources' => [
    ['type' => 'flatfile'], // required so that the *-hosted metadata configuration is still loaded
    [
        'type' => 'mdq',
        'server' => 'https://mdx-2020.eduid.hu',
        /* --- */
        'validateFingerprint' => 'C3:72:DC:75:4C:FA:BA:65:63:52:D9:6B:47:5B:44:7E:AA:F6:45:61'
    ],
],
</syntaxhighlight>

=== metarefresh ===

https://simplesamlphp.org/docs/stable/simplesamlphp-maintenance#section_3

https://github.com/simplesamlphp/simplesamlphp-module-metarefresh/blob/master/docs/simplesamlphp-automated_metadata.md

<syntaxhighlight lang="php">
// config/config-metarefresh.php
$config = [
    'sets' => [
        // Old aggregate signed with HREF-2011: keep until 2022-01-01, then remove
        'href-2011' => [
            'cron' => ['hourly'],
            'sources' => [
                [
                    'src' => 'https://metadata.eduid.hu/2011/href.xml',
                    'validateFingerprint' => 'FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66',
                ],
            ],
            'expireAfter' => 777600, // 9 days
            'outputDir' => 'metadata/metarefresh-href-2011/',
            'outputFormat' => 'flatfile',
        ],
        // New aggregate signed with HREF-2020
        'href-2020' => [
            'cron' => ['hourly'],
            'sources' => [
                [
                    'src' => 'https://metadata.eduid.hu/2020/href.xml',
                    'validateFingerprint' => 'C3:72:DC:75:4C:FA:BA:65:63:52:D9:6B:47:5B:44:7E:AA:F6:45:61',
                ],
            ],
            'expireAfter' => 777600, // 9 days
            'outputDir' => 'metadata/metarefresh-href-2020/',
            'outputFormat' => 'flatfile',
        ],
    ],
];
</syntaxhighlight>

<syntaxhighlight lang="php">
// config/config.php
'metadata.sources' => [
    ['type' => 'flatfile'],
    ['type' => 'flatfile', 'directory' => 'metadata/metarefresh-href-2011'],
    ['type' => 'flatfile', 'directory' => 'metadata/metarefresh-href-2020'],
],
</syntaxhighlight>
