Shibboleth SPs (All versions)
The following steps need to be performed on both the Test and Production versions of your service.
- Change the location from which you download the metadata.
- Load the new Metadata Signing certificate.
- Verify everything is working.
Step 1: Change the location from which you download the metadata
Edit the file shibboleth2.xml
Search for the MetadataProvider element. Its uri attribute holds the URL of the metadata file you currently download, something similar to "https://ds.[test].aaf.edu.au/distribution/metadata".
Replace this URL with:
AAF Test environment use:
https://md.test.aaf.edu.au/aaf-test-metadata.xml
AAF Production environment use:
https://md.aaf.edu.au/aaf-metadata.xml
Step 2: Load the new metadata Signing certificate
After your SP downloads the metadata it verifies the XML signature on the file using the federation's metadata signing certificate. This is what proves the metadata was published by the AAF and has not been altered in transit; the HTTPS connection used for the download does not give you that assurance on its own, because the signing certificate, not the web server, is the trust anchor.
In this step you will replace the old metadata signing certificate with the new one. The old certificate is referenced in the same MetadataProvider section of shibboleth2.xml: look for the MetadataFilter of type Signature, whose certificate attribute names the signing certificate file. If only a file name is given, the file is in the same directory as shibboleth2.xml.
Download the new federation metadata signing certificate. The same certificate now signs both the Test and Production federation metadata. It is available at:
https://md.aaf.edu.au/aaf-metadata-certificate.pem
Use the downloaded file to replace the one you found above, either keeping the file name referenced in shibboleth2.xml or updating the certificate attribute to the new name.
To confirm that you have obtained the correct certificate, check that the downloaded file matches all of the following. The fingerprint must match exactly; the subject and validity dates are a sanity check, not proof of authenticity. If anything differs, do not install the file and contact AAF support.
$> openssl x509 -noout -subject -dates -fingerprint -in aaf-metadata-certificate.pem
subject= /O=Australian Access Federation/CN=AAF Metadata
notBefore=Nov 24 04:27:20 2015 GMT
notAfter=Dec 9 04:27:20 2035 GMT
SHA1 Fingerprint=E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A
Step 3: Verify everything is working
Restart your SP (the shibd daemon) and confirm that it starts.
Check the log files (shibd.log by default) for errors or warnings related to the configuration changes, in particular anything about metadata signature verification or the signing certificate.
Verify that the new AAF Federation Metadata has been downloaded successfully. Open the local copy of the metadata (the file named by backingFilePath in the MetadataProvider, if you have one configured) and check that the Name attribute on the root EntitiesDescriptor element is:
Test Environment - Name=https://md.test.aaf.edu.au/aaf-test-metadata.xml
Production Environment - Name=https://md.aaf.edu.au/aaf-metadata.xml
Attempt to log in to your SP using a known working IdP.
Your migration to the new AAF Federation Metadata is now complete.
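The checks from Steps 2 and 3, written as a small POSIX shell script so that they fail closed instead of relying on eyeballing the openssl output. This is an added example, not part of the AAF article or of the Shibboleth SP distribution: the expected fingerprint and metadata Names are the values given above, while the certificate and metadata file names passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the AAF article or of the Shibboleth SP:
# fail-closed versions of the checks in Steps 2 and 3. The fingerprint and
# metadata Names below are the values published in the article; the file
# names this script is given on the command line are assumptions.
set -eu

# SHA-1 fingerprint of the AAF metadata signing certificate, as published.
EXPECTED_SHA1="E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A"
PROD_NAME="https://md.aaf.edu.au/aaf-metadata.xml"
TEST_NAME="https://md.test.aaf.edu.au/aaf-test-metadata.xml"

# Normalise a fingerprint so values printed by different OpenSSL releases
# ("SHA1 Fingerprint=..", "sha1 Fingerprint=..", with or without colons,
# any case) compare equal: keep only the hex digits, upper-cased.
norm_fp() {
  printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# 0 if both arguments denote the same fingerprint, 1 otherwise.
fp_matches() {
  [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# SHA-1 fingerprint of a PEM certificate, in OpenSSL's own output format.
cert_sha1() {
  openssl x509 -noout -fingerprint -sha1 -in "$1"
}

# Refuse to accept a downloaded signing certificate unless its fingerprint
# is the published one. Run this before copying the file into place.
verify_signing_cert() {
  actual=$(cert_sha1 "$1")
  if fp_matches "$actual" "$EXPECTED_SHA1"; then
    echo "OK: $1 is the published AAF metadata signing certificate"
  else
    echo "FAIL: $1 has $actual, expected $EXPECTED_SHA1" >&2
    return 1
  fi
}

# Name attribute of the root EntitiesDescriptor in a metadata file. The
# attribute is not necessarily on the first line (the XML declaration and
# namespace declarations usually come first), so the file is joined into a
# single line and only the first EntitiesDescriptor start tag is inspected.
# Prints nothing if no Name is found.
metadata_name() {
  tr -d '\n' < "$1" | awk '{
    if (match($0, /<([A-Za-z0-9_]+:)?EntitiesDescriptor[^>]*>/)) {
      tag = substr($0, RSTART, RLENGTH)
      if (match(tag, / Name="[^"]*"/)) print substr(tag, RSTART + 7, RLENGTH - 8)
    }
    exit
  }'
}

# Check that the metadata the SP has cached is the feed we expect.
verify_metadata_name() {
  name=$(metadata_name "$1")
  [ -n "$name" ] || { echo "FAIL: no EntitiesDescriptor Name in $1" >&2; return 1; }
  if [ "$name" = "$2" ]; then
    echo "OK: $1 is $name"
  else
    echo "FAIL: $1 has Name=$name, expected $2" >&2
    return 1
  fi
}

# Usage: verify-aaf-migration.sh <downloaded-cert.pem> <cached-metadata.xml> [test|prod]
if [ "$#" -ge 2 ]; then
  verify_signing_cert "$1"
  case "${3:-prod}" in
    test) verify_metadata_name "$2" "$TEST_NAME" ;;
    *)    verify_metadata_name "$2" "$PROD_NAME" ;;
  esac
fi
```

Run it against the certificate you downloaded in Step 2 and the backing file your SP wrote after the restart in Step 3; a non-zero exit means the certificate should not be installed or the SP is not yet loading the new feed.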
SimpleSAMLphp and other SAML SPs
If you are running another Service Provider software stack, consult that product's documentation on configuring federation metadata and metadata signature verification.
Details on where to load the metadata from and the signing certificate are available at:
Test Environment - https://md.test.aaf.edu.au
Production Environment - https://md.aaf.edu.au
If you have any issues or questions about the upgrade, please email us at support@aaf.edu.au