Shibboleth SPs (All versions)

The following steps need to be performed on both the Test and Production version of your service.

  • Change the location which you use to download the metadata.
  • Load the new Metadata Signing certificate.
  • Verify everything is working.

Step 1: Change the location which you use to download the metadata

Edit the file shibboleth2.xml

Search for MetadataProvider. Within there will be a uri that will contain a URL to the metadata file you are currently downloading, something similar to "https://ds.[test]".

Replace this URL with;

AAF Test environment use:

    AAF Production environment use:


Step 2: Load the new metadata Signing certificate

The new metadata needs to be verified after your SP downloads it. This ensures that it has not changed in transit across the Internet.

In this step you will be replacing the old metadata signing certificate with a new one. The location of the old metadata signing certificate will be found in the same MetadataProvider section of the  shibboleth2.xml file, just look for the certificate element. This will tell you the name file of the signing certificate file. If only a file name is shown the the file will be in the same directory as the shibboleth2.xml file.

Download the new federation signing key. We are now using the same signing key for both the Test and Production federations. It is available at:

Use the downloaded file to replace the file you found above.

To confirm that you have obtained the correct key ensure the file you have downloaded conforms to the following:

$> openssl x509 -subject -dates -fingerprint -in aaf-metadata-certificate.pem

         subject= /O=Australian Access Federation/CN=AAF Metadata

         notBefore=Nov 24 04:27:20 2015 GMT

         notAfter=Dec  9 04:27:20 2035 GMT

         SHA1 Fingerprint=E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A

Step 3: Verify everything is working

Restart your SP and ensure it starts.

Check log files to verify that are no issues highlighted with the configuration changes.

Verify that the new AAF Federation Metadata has been successfully downloaded. Open the downloaded Metadata file and verify that the first line contains the following:

        Test Environment - Name=

        Production Environment - Name=

Attempt to login to your SP using a known working IdP.

Your migration to the new AAF Federation Metadata is now complete.

SimpleSAMLphp and other SAML SPs

If you are running another Service Provider software stack you will need to consult the your specific documentation on configuring federation metadata.

Details on where to load the metadata from and the signing certificate are available at;

    Test Environment -

    Production Environment - https:/

If you have any issues or questions about the upgrade, please email us at 

Have more questions? Submit a request