Changing the Certificate to Validate the Signature of the RWTH Single Sign-On
The certificate for signing RWTH Single Sign-On metadata is changed at regular intervals. You can find out whether a change is due by checking for status messages: https://maintenance.itc.rwth-aachen.de/ticket/status/messages/13-rwth-single-sign-on.
The following steps must be observed during the change:
- If you are using the Shibboleth service provider, check the /etc/shibboleth/shibboleth2.xml (Linux) or C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml (Windows default) file to see whether you are validating metadata. This is strongly recommended! You can recognize whether validation is taking place by looking for the following XML tag:
- Note the path which is displayed after "certificate=".
- Now save the certificate from https://sso.rwth-aachen.de/metadata/sso.pem to /etc/shibboleth/sso.pem (or the path which you noted down).
- The change is now complete.
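
The check from the first two steps can be scripted. The following is an added example, not part of the original instructions or of RWTH's tooling: it lists every metadata provider in a shibboleth2.xml, reports the certificate path its signature filter uses, and flags providers that load metadata without signature validation. It assumes the standard Shibboleth SP element MetadataFilter with type="Signature", a Linux layout where relative paths resolve against /etc/shibboleth, and a constructed sample configuration with placeholder URLs.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample of a shibboleth2.xml fragment (not RWTH's real config);
# the entity ID, metadata URL and file names are placeholders.
SAMPLE_CONFIG = """\
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <MetadataProvider type="XML" url="https://idp.example.org/metadata.xml"
                      backingFilePath="idp-metadata.xml">
      <MetadataFilter type="Signature" certificate="sso.pem"/>
    </MetadataProvider>
    <MetadataProvider type="XML" path="partner-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
"""

def local(tag):
    """Strip the XML namespace so SP 2.x and 3.x configs are both handled."""
    return tag.rsplit("}", 1)[-1]

def audit_metadata_providers(xml_text, config_dir="/etc/shibboleth"):
    """Return one (source, certificate_path_or_None) tuple per provider."""
    results = []
    for elem in ET.fromstring(xml_text).iter():
        # Chaining providers only wrap others; their children are visited too.
        if local(elem.tag) != "MetadataProvider" or elem.get("type") == "Chaining":
            continue
        source = elem.get("url") or elem.get("path") or "(unnamed)"
        cert = None
        for child in elem:
            if local(child.tag) == "MetadataFilter" and child.get("type") == "Signature":
                cert = child.get("certificate")
        if cert is not None:
            # Assumption: relative paths are resolved against the config directory.
            cert = str(PurePosixPath(config_dir) / cert)
        results.append((source, cert))
    return results

if __name__ == "__main__":
    for source, cert in audit_metadata_providers(SAMPLE_CONFIG):
        status = f"signature checked with {cert}" if cert else "NOT VALIDATED"
        print(f"{source}: {status}")
```

To audit a real installation, pass the contents of your own shibboleth2.xml to audit_metadata_providers instead of SAMPLE_CONFIG.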