Skip to main content

Migrate to InCommon Metadata Distribution Query Shibboleth IdP

shibboleth_max_logo-1InCommon is a widely used single sign-on federation in Higher Education. It has recently created the Metadata Distribution Query service and protocol (MDQ). The benefits of this new service are numerous. At Unicon, we’ve seen clients experience half the memory usage in popular open source single sign-on applications such as Shibboleth Identity Provider and Apereo CAS server after switching. 

On Monday, March 1st, 2021, InCommon will change the url for the InCommon aggregate file. As a result, the current configuration that downloads the file from a remote url and checks the signature won’t work without a change. While you can continue to use the url download functionality for up to 5 more years, we recommend switching to the InCommon MDQ service. For more information please see: https://spaces.at.internet2.edu/display/MDQ/migrate-to-mdq.

In this article we’ll cover switching your Shibboleth IdP server to use the InCommon MDQ service.

Configuration of InCommon Metadata Distribution Query in Shibboleth IdP

First, you’ll need to navigate to InCommon’s website and download the metadata signature for MDQ in production. As of this article’s writing, it’s available here: https://spaces.at.internet2.edu/display/MDQ/production+metadata+signing+key. Once you have that certificate, you are ready to configure the Shibboleth Identity Provider.

Navigate to your Identity Provider’s home, colloquially known as IDP_HOME, and navigate to the conf` folder. Find the metadata-providers.xml, which should contain a reference to the current InCommon federation. Note that on some newer setups you may have it in a different place, but the configuration will be the same. Once you find the current InCommon configuration, feel free to comment it out or remove it.

Next, you need to create a new configuration block. In the new  block, you primarily need to specify the type as “MDQ”, a new url to point to the MDQ service “https://mdq.incommon.org/”, and ensure that you provide the proper signature certificate for the MDQ production service. Once complete it should look similar to the example below.

<!-- InCommon Per-Entity Metadata Distribution Service -->
<MetadataProvider type="MDQ" id="incommon" ignoreTransport="true" cacheDirectory="inc-mdq-cache"
  maxCacheDuration="86400" minCacheDuration="60"
  baseUrl="https://mdq.incommon.org/">
  <MetadataFilter type="Signature" certificate="inc-md-cert-mdq.pem"/>
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
</MetadataProvider>

Finally, after making this change, either reload the metadata service or restart your IDP and test an InCommon service.

Thanks for reading and I hope this proves useful to you. If you have any questions or additional needs reach out to Unicon! We’re happy to help and provide a full set of services and support around Shibboleth IdP.

New call-to-action

Paul Spaude

Paul Spaude

Senior Software Engineer
Paul Spaude is a Senior Software Engineer and Identity and Access Management (IAM) Consultant for Unicon Inc., a leading provider of IT consulting, services, and support for education technology. Mr. Spaude has extensive experience in creating, designing, and improving software solutions and services with an emphasis on IAM web development and systems integration. He has deployed and supported web Single Sign on systems such as Shibboleth IdP and SP, Apereo CAS server, ADFS, and Azure AD SSO. He’s also deployed Group Management systems such as Internet2’s Grouper, and Identity Management systems such as midPoint and Okta.