Metadata


Trust relationship

The metadata files of the Identity Provider and the Service Provider are the key to establishing a trust relationship between the IdP (your side) and the SP (our side). These files contain all relevant certificates and public keys needed to validate the SAMLResponse (workflow), which is cryptographically signed and encrypted by each party.

There are several metadata schemas defined by different specifications or software, but Shibboleth is currently designed around the SAML 2.0 Metadata specification standardized by OASIS. Shibboleth also supports "profiles" of this specification for use with other identity protocols, including SAML 1.x and WS-Federation. The SAML 1.x profile has also been standardized by OASIS.


Service Provider (SP)

To access the service provider metadata file you simply need to call the URL:

Production

https://sp01.starmind.com/metadata/sp01-shibboleth-metadata.xml


Sandbox

https://sp02.starmind.com/metadata/sp02-shibboleth-metadata.xml


Identity Provider (IdP)

The IdP Server can generate the metadata file based on the configuration.

If you are running ADFS you simply need to call the URL:

https://[YOUR_ADFS_SERVER]/FederationMetadata/2007-06/FederationMetadata.xml

The metadata XML will look similar to that of our test installation:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_5197a745-3513-4b82-a809-92269b4dbb18" entityID="http://fs.customer.com/adfs/services/trust">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="encryption">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://fs.customer.com/adfs/ls/"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fs.customer.com/adfs/ls/"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://fs.customer.com/adfs/ls/"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fs.customer.com/adfs/ls/"/>
    </IDPSSODescriptor>
</EntityDescriptor>
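Before loading IdP metadata into the SP, a practitioner wants to confirm that it names the agreed entityID, carries the signing certificate that was exchanged out of band, and only lists https endpoints. The following Python check is an added example (not Starmind's code and not part of the original page): it parses metadata shaped like the ADFS document above, fingerprints each published certificate by its declared use, and reports problems. The metadata and certificate bytes it embeds are constructed stand-ins; the function names are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": MD, "ds": DS}

# Constructed sample: stand-in certificate bytes (not real X.509 DER) and IdP
# metadata shaped like the ADFS FederationMetadata shown above.
FAKE_SIGNING_DER = b"constructed-signing-certificate-bytes"
FAKE_ENCRYPTION_DER = b"constructed-encryption-certificate-bytes"

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="http://fs.customer.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>{base64.b64encode(FAKE_ENCRYPTION_DER).decode()}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>{base64.b64encode(FAKE_SIGNING_DER).decode()}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://fs.customer.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, certificate fingerprints per key use and SSO endpoints per binding."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    keys = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        der = base64.b64decode("".join(cert.text.split()))  # tolerate line-wrapped base64
        # A KeyDescriptor without a use attribute is valid for both signing and encryption
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            keys.setdefault(use, []).append(sha256_hex(der))
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "keys": keys, "sso": sso}

def check_idp_metadata(meta: dict, expected_entity_id: str, pinned_signing_fp: str) -> list:
    """Return the problems found; an empty list means the metadata may be loaded into the SP."""
    checks = [
        (meta["entity_id"] == expected_entity_id, "entityID differs from the one agreed out of band"),
        (pinned_signing_fp in meta["keys"].get("signing", []), "signing certificate does not match the pinned fingerprint"),
        ("encryption" in meta["keys"], "no encryption certificate published"),
        (HTTP_POST in meta["sso"], "no HTTP-POST SingleSignOnService endpoint"),
        (all(loc.startswith("https://") for loc in meta["sso"].values()), "an SSO endpoint is not https"),
    ]
    return [msg for ok, msg in checks if not ok]
```

The pinned fingerprint would come from the certificate your IdP administrator handed over when the federation was set up, so a metadata file fetched over the network cannot silently swap in a different signing key.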


Certificate

Chain of trust

The certificate hierarchy is a structure of certificates that allows anyone to verify the validity of a certificate's issuer. Certificates are issued and signed by certificates that reside higher in the hierarchy, so the trustworthiness and validity of each layer is guaranteed by the one above it, back to the trust anchor (the root certificate). The SSL certificate of Starmind has the following chain of trust:

[Figure: ChainOfTrustStarmind, the chain of trust of the Starmind certificate]

Certificate Revocation

A CRL (Certificate Revocation List) is a list of serial numbers of certificates that have been revoked by the CA. The client or server checks the serial number of the presented certificate against the serial numbers in the list. OCSP (Online Certificate Status Protocol) allows querying the status of a single certificate instead. If a certificate has been revoked, entities presenting that certificate should no longer be trusted.

You can access the CRL and OCSP endpoints used by the Starmind certificate here:

Service  DNS Hostnames                   Destination IPs   Ports
CRL      crl.godaddy.com                 72.167.18.237     tcp/80
         certificates.godaddy.com        72.167.18.238
         crl.starfieldtech.com           72.167.239.237
         certificates.starfieldtech.com  72.167.239.238
                                         188.121.36.237
                                         188.121.36.238
                                         182.50.136.237
                                         182.50.136.238
                                         50.63.243.228
                                         50.63.243.229
OCSP     ocsp.godaddy.com                72.167.18.239     tcp/80
         ocsp.starfieldtech.com          72.167.239.239
                                         188.121.36.239
                                         182.50.136.239
                                         50.63.243.230