Updating U-M Federation Signing Certificate and Metadata

Your Service Provider (SP) uses metadata to provide single sign-on access to your service. To resolve unexpected login issues, you may need to download and install a new signing certificate for U-M Federation Metadata and update the SP configuration with the new certificate and new URLs for the metadata.

Verify the Type of Metadata Used by Your SP

If you do not know what type of metadata your SP uses, check your configuration files. You may need to check both your Production and Test environments, as your SP’s metadata may differ in those environments. The different types of metadata can be identified as follows.

InCommon metadata. If your SP's only source of metadata is the InCommon federation, you do not need to take action. InCommon federation metadata links:

  • http://md.incommon.org/InCommon/InCommon-metadata.xml
    or
  • http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml

Direct/static metadata. If your SP gets metadata directly from the Identity Provider (at https://shibboleth.umich.edu/idp/shibboleth) or uses a static copy of the Identity Provider (IdP) metadata, you do not need to take action.

U-M Federation Metadata. If your SP uses any of the following U-M Federation Metadata links, you will need to update your certificate and metadata links (as detailed in the next section of this document):

  • Production Environment
    • http://www.itcs.umich.edu/identity/shibboleth/UMich-metadata.xml
      or
    • https://shibboleth.umich.edu/md/UMich-metadata.xml
  • Test Environment
    • http://www.itcs.umich.edu/identity/shibboleth/UMich-TEST-metadata.xml
      or
      https://shibboleth.umich.edu/md/UMich-TEST-metadata.xml

Update Shibboleth SP That Uses U-M Federated Metadata

1. Download New Signing Certificate

Download the new signing certificate (umich-md-sign.pem):

https://shibboleth.umich.edu/md/umich-md-sign.pem

Save the new certificate in the Shibboleth configuration directory:

  • *NIX machines: This will probably be /etc/shibboleth.
  • Windows machines: This will probably be C:\opt\shibboleth\etc\shibboleth\.

2. Update Configuration File with New Certificate and Metadata URLs

Update the certificate name and metadata URLs in the definition in shibboleth2.xml as follows.

Example of Production XML that needs to be changed:

        <MetadataProvider type="XML"
uri="http://www.itcs.umich.edu/identity/shibboleth/UMich-metadata.xml"
             backingFilePath="UMich-metadata.xml" reloadInterval="7200">
            <MetadataFilter type="Signature" certificate="umwebCA.pem"/>
            <MetadataFilter type="Whitelist">
                <Include>https://shibboleth.umich.edu/idp/shibboleth</Include>
            </MetadataFilter>
        </MetadataProvider>

Change Production XML to:

        <MetadataProvider type="XML"
uri="https://shibboleth.umich.edu/md/umich-prod-idps.xml"
             backingFilePath="umich-prod-idps.xml" reloadInterval="7200">
            <MetadataFilter type="Signature" certificate="umich-md-sign.pem"/>
            <MetadataFilter type="Whitelist">
                <Include>https://shibboleth.umich.edu/idp/shibboleth</Include>
            </MetadataFilter>
        </MetadataProvider>

The old and new values are listed here:

Test Environment

  • Metadata URLs
    • Replace:
      http://www.itcs.umich.edu/identity/shibboleth/UMich-TEST-metadata.xml
      or
      https://shibboleth.umich.edu/md/UMich-TEST-metadata.xml
    • With:
      https://shibboleth.umich.edu/md/umich-nonprod-idps.xml.
  • Signing Certificate 
    • Replace:
      umwebCA.pem (the expiring certificate)
    • With:
      umich-md-sign.pem

Production Environment

  • Metadata URLs
    • Replace:
      http://www.itcs.umich.edu/identity/shibboleth/UMich-metadata.xml
      or
      https://shibboleth.umich.edu/md/UMich-metadata.xml
    • With:
      https://shibboleth.umich.edu/md/umich-prod-idps.xml
  • Signing Certificate
    • Replace:
      umwebCA.pem (the expiring certificate)
    • With:
      umich-md-sign.pem

3. Restart and Test

Restart your Service Provider application and test that people can log in to the Test environment. Then test the Production environment.

What Happens If the Certificate and Metadata are Not Updated

If the certificate and metadat are not updated, users attempting to log in to your Service Provider application will not be able to log in and will receive the following error message.

Unknown or Unusable Identity Provider

The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.

To report this problem, please contact the site administrator at root@localhost.

Please include the following error message in any email:

Identity provider lookup failed at (URL of your service provider)

EntityID: https://shibboleth.umich.edu/idp/shibboleth

opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (https://shibboleth.umich.edu/idp/shibboleth)

Tags: 
Last Updated: 
Thursday, September 20, 2018