InCommon Federation Metadata Config for Shibboleth IdP V3

We have been helping customers upgrade from Shibboleth IdP 2.x to V3, and we wanted to highlight some common configuration questions we have received.

If you want to configure your Shibboleth IdP V3 to participate in the InCommon Federation, you need to add some configuration to your metadata-providers.xml file that may not directly translate from your Shibboleth 2.x configuration.

First, make sure that you have downloaded and verified InCommon’s metadata signing cert and copied the signing cert to your ${idp.home}/credentials/ directory.

Next, edit your metadata-providers.xml file and add the following code before the closing </MetadataProvider> tag.

<MetadataProvider id="ICMetadata"xsi:type="FileBackedHTTPMetadataProvider" refreshDelayFactor="0.125" maxRefreshDelay="PT2H" httpCaching="memory"
backingFile="%{idp.home}/metadata/incommon-metadata.xml" metadataURL="http://md.incommon.org/InCommon/InCommon-metadata.xml">

  <MetadataFilter xsi:type="SignatureValidation" certificateFile="${idp.home}/credentials/inc-md-cert.pem" requireSignedMetadata="false">
</MetadataFilter>
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

Contact us if you need help planning your Shibboleth IdP 2.x to V3 upgrade.