
Certificate change on the Shibboleth "test" IdP service at shb1.ais.ucla.edu

We have renewed the SSL certificate on our "test" Shibboleth IdP service. If you are using a commercial certificate, you need to make the configuration change described in the steps below. If you are using a testshib.org-issued certificate, there should be no impact. If you are unsure which certificate you are using, contact IAMUCLA.

This change largely affects SP v1.3. If you are using v2.0 or above, you should generally be unaffected.
This change affects the "test" system only; the production system will not be impacted.

1. Create a new metadata file named shb1-metadata.xml and insert the following content into it.

<?xml version="1.0" encoding="UTF-8"?>
<!--
  SAML 2.0 metadata for the UCLA "test" Shibboleth IdP (shb1.ais.ucla.edu),
  loaded by the SP's MetadataProvider. It carries the renewed IdP signing
  certificate; with metadata-based trust the SP validates IdP signatures only
  against the certificates listed here.

  validUntil is a hard expiry for the whole document: metadata consumers stop
  accepting it after 2011-01-01T00:00:00Z, so the value must be kept current or
  the SP will reject the IdP even though the certificate itself is still valid.

  The document is unsigned (no ds:Signature), so its integrity rests entirely on
  the file permissions of the copy the SP reads.
-->
<md:EntitiesDescriptor Name="urn:mace:shibboleth:testshib"
    validUntil="2011-01-01T00:00:00.000Z"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<!-- Namespaces are already declared on the root element; the repeated xmlns:md and
     xmlns:ds declarations on the elements below are redundant but harmless. -->
<md:EntityDescriptor
        entityID="https://shb1.ais.ucla.edu" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
        <!-- SAML 1.1 / Shibboleth 1.0 SSO role, which is why this change matters for SP v1.3. -->
        <md:IDPSSODescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol 
urn:mace:shibboleth:1.0" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
            <md:Extensions>
                <!-- Shibboleth SPs filter scoped attribute values by this Scope: only
                     values scoped to ucla.edu are accepted from this IdP. -->
                <saml1md:Scope xmlns:saml1md="urn:mace:shibboleth:metadata:1.0">ucla.edu</saml1md:Scope>
            </md:Extensions>
            <!-- Renewed IdP signing certificate: the base64 body of the PEM without the
                 BEGIN/END lines (value omitted here). It must be the certificate the IdP
                 actually signs with, and the same value must appear again in the
                 AttributeAuthorityDescriptor below. -->
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">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</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <!-- Back-channel SOAP endpoint on port 8443; the front-channel SSO endpoint
                 below uses the default HTTPS port. -->
            <md:ArtifactResolutionService
                Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                Location="https://shb1.ais.ucla.edu:8443/shibboleth-idp/Artifact" index="0"/>
            <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
            <md:SingleSignOnService
                Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://shb1.ais.ucla.edu/shibboleth-idp/SSO"/>
        </md:IDPSSODescriptor>
        <!-- Attribute query role; carries the same Scope and the same signing
             certificate as the SSO role above. -->
        <md:AttributeAuthorityDescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
            <md:Extensions>
                <saml1md:Scope xmlns:saml1md="urn:mace:shibboleth:metadata:1.0">ucla.edu</saml1md:Scope>
            </md:Extensions>
            <!-- Must match the certificate in the IDPSSODescriptor above; update both together. -->
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">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</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:AttributeService
                Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://shb1.ais.ucla.edu:8443/shibboleth-idp/AA"/>
            <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
        </md:AttributeAuthorityDescriptor>
        <!-- Organization and contact details are informational only and play no part
             in trust decisions. -->
        <md:Organization xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
            <md:OrganizationName xml:lang="en">UCLA</md:OrganizationName>
            <md:OrganizationDisplayName xml:lang="en">UCLA</md:OrganizationDisplayName>
            <md:OrganizationURL xml:lang="en">https://ucla.edu/</md:OrganizationURL>
        </md:Organization>
        <md:ContactPerson contactType="technical" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
            <md:GivenName>Datta </md:GivenName>
            <md:SurName>Mahabalagiri</md:SurName>
            <md:EmailAddress>datta1@openidp.org</md:EmailAddress>
        </md:ContactPerson>
    </md:EntityDescriptor>

</md:EntitiesDescriptor>

2. shibboleth.xml
Point to the new metadata file in the <MetadataProvider> section. This is the only metadata file you need in test.

<!-- shibboleth.xml: loads the IdP metadata from a local, unsigned file. uri must be the
     exact path of shb1-metadata.xml on the SP host, and the file must not be writable by
     untrusted users, since every IdP listed in it becomes a trusted IdP for this SP. -->
<MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
	uri="shb1-metadata.xml"/>

Set the uri attribute to the exact location of the metadata file on the file system.

3. Restart the shibd service. Make sure there are no WARN, ERROR or FATAL messages in the logs; DEBUG and INFO messages are fine.

4. Access a protected resource and verify that it works.
