HREF Key Rollover 2025 English
Introduction
The Hungarian Research and Educational Federation is migrating to a new metadata signing certificate (HREF-2025).
All HREF members and partners must update their IdP and SP configurations with the new signing certificate by June 14, 2025, in order to ensure uninterrupted access to federated services supporting eduID.hu. After this date, the old signing certificate (HREF-2020), which has been in use for more than 4 years, will be decommissioned, and 10 days after its last use, the old metadata will become invalid.
The tables below contain all necessary data for the transition. Where possible, configuration examples offer solutions that allow simultaneous use of both the old and new metadata.
Key Rollover
Code names
Code name | Metadata signing certificate | Date of expiration |
---|---|---|
HREF-2011 | [https://metadata.eduid.hu/certs/href-metadata-signer-2011.crt href-metadata-signer-2011.crt] | 2022.01.01. |
HREF-2015 | [https://metadata.eduid.hu/certs/mdx-test-signer-2020.crt mdx-test-signer-2015.crt] | 2022.01.01. |
HREF-2020 | [https://metadata.eduid.hu/certs/href-metadata-signer-2020.crt href-metadata-signer-2020.crt] | 2025.06.14. |
HREF-2025 | [https://metadata.eduid.hu/certs/href-metadata-signer-2025.crt href-metadata-signer-2025.crt] | 2030.06.14. |
SHA1 fingerprints
Code name | SHA1 fingerprint |
---|---|
HREF-2011 | FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66 |
HREF-2015 | 91:81:AD:2B:F1:C1:4E:47:93:A2:9D:49:34:B7:77:62:4F:2F:98:43 |
HREF-2020 | C3:72:DC:75:4C:FA:BA:65:63:52:D9:6B:47:5B:44:7E:AA:F6:45:61 |
HREF-2025 | 45:B2:33:96:7C:4F:7E:42:86:8D:CC:CF:CC:0E:3E:1C:2E:24:C2:DE |
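To confirm that a downloaded signing certificate is the one listed in the table above, the following added example (not part of the original page or of any HREF tooling) computes the SHA1 fingerprint of a PEM file with the Python standard library and compares it to the published value. The function names and the sample PEM are assumptions made for illustration; the sample is not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# SHA1 fingerprints copied from the table above.
PUBLISHED = {
    "HREF-2020": "C3:72:DC:75:4C:FA:BA:65:63:52:D9:6B:47:5B:44:7E:AA:F6:45:61",
    "HREF-2025": "45:B2:33:96:7C:4F:7E:42:86:8D:CC:CF:CC:0E:3E:1C:2E:24:C2:DE",
}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def normalize(fp):
    """Reduce 'AA:BB:..', 'aa bb ..' or 'aabb..' to 40 lowercase hex digits."""
    hexed = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexed):
        raise ValueError("not a SHA1 fingerprint: %r" % fp)
    return hexed


def sha1_fingerprint(pem_text):
    """SHA1 over the DER bytes of the single certificate in a PEM file."""
    bodies = PEM_RE.findall(pem_text)
    if len(bodies) != 1:  # a bundle or an empty file is never what we pin
        raise ValueError("expected one certificate, found %d" % len(bodies))
    der = base64.b64decode("".join(bodies[0].split()), validate=True)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def matches_published(pem_text, code_name):
    """True only if the file's fingerprint equals the published one."""
    return hmac.compare_digest(normalize(sha1_fingerprint(pem_text)),
                               normalize(PUBLISHED[code_name]))


# Constructed sample, NOT a real certificate: the body is base64("abc"),
# so the result is the standard SHA1 test vector for "abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(sha1_fingerprint(SAMPLE_PEM))
    print(matches_published(SAMPLE_PEM, "HREF-2025"))
```

For a real check, read the downloaded `href-metadata-signer-2025.crt` as text and pass it to `matches_published(text, "HREF-2025")`.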
Domain names
Domain | URL | Key | Status |
---|---|---|---|
metadata.eduid.hu | metadata.eduid.hu/2011/href.xml | HREF-2011 | Prod |
metadata.eduid.hu | metadata.eduid.hu/2020/href.xml | HREF-2020 | Prod |
metadata.eduid.hu | metadata.eduid.hu/2025/href.xml | HREF-2025 | Prod |
mdx.eduid.hu | mdx-2015.eduid.hu | HREF-2015 | Prod |
mdx.eduid.hu | mdx-2020.eduid.hu | HREF-2020 | Prod |
mdx.eduid.hu | mdx-2025.eduid.hu | HREF-2025 | Prod |
Discovery Service change
URL |
---|
https://mdx-2020.eduid.hu/role/idp.ds |
https://mdx-2025.eduid.hu/discovery/ds |
Shibboleth Service Provider settings
https://wiki.shibboleth.net/confluence/display/SP3/MetadataProvider
XML
https://wiki.shibboleth.net/confluence/display/SP3/XMLMetadataProvider
```xml
<MetadataProvider type="Chaining">
    <MetadataProvider type="XML" id="href-2020" url="https://mdx-2020.eduid.hu" backingFilePath="href-2020.xml">
        <MetadataFilter type="Signature" certificate="href-metadata-signer-2020.crt"/>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
    </MetadataProvider>
    <MetadataProvider type="XML" id="href-2025" url="https://mdx-2025.eduid.hu" backingFilePath="href-2025.xml">
        <MetadataFilter type="Signature" certificate="href-metadata-signer-2025.crt"/>
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
    </MetadataProvider>
</MetadataProvider>
```
MDX
Shibboleth 3.X
https://wiki.shibboleth.net/confluence/display/SP3/MDQMetadataProvider
```xml
<MetadataProvider type="MDQ" id="href-2020" ignoreTransport="true" baseUrl="https://mdx-2020.eduid.hu/">
    <MetadataFilter type="Signature" certificate="href-metadata-signer-2020.crt"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
</MetadataProvider>
<MetadataProvider type="MDQ" id="href-2025" ignoreTransport="true" baseUrl="https://mdx-2025.eduid.hu/">
    <MetadataFilter type="Signature" certificate="href-metadata-signer-2025.crt"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
</MetadataProvider>
```
Example
apache + shibboleth 3.X - using sed
```sh
# Point the metadata providers at the 2025 MDX endpoint
sudo sed 's/mdx-2020.eduid.hu/mdx-2025.eduid.hu/g' /etc/shibboleth/shibboleth2.xml -i
# Rename the provider ids and backing files
sudo sed 's/href-2020/href-2025/g' /etc/shibboleth/shibboleth2.xml -i
# Switch the pinned signing certificate
sudo sed 's/href-metadata-signer-2020.crt/href-metadata-signer-2025.crt/g' /etc/shibboleth/shibboleth2.xml -i
# Replace the discovery service URL
sudo sed 's#https://mdx-202..eduid.hu/role/idp.ds#https://mdx-2025.eduid.hu/discovery/ds#g' /etc/shibboleth/shibboleth2.xml -i
sudo systemctl restart shibd.service apache2.service
```
Shibboleth 2.X
```xml
<MetadataProvider type="Dynamic" id="href-2020" ignoreTransport="true">
    <Subst>https://mdx-2020.eduid.hu/entities/$entityID</Subst>
    <MetadataFilter type="Signature" certificate="href-metadata-signer-2020.crt"/>
</MetadataProvider>
<MetadataProvider type="Dynamic" id="href-2025" ignoreTransport="true">
    <Subst>https://mdx-2025.eduid.hu/entities/$entityID</Subst>
    <MetadataFilter type="Signature" certificate="href-metadata-signer-2025.crt"/>
</MetadataProvider>
```
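The following added example (not part of the original page or of Shibboleth itself) audits a Shibboleth SP configuration after the changes above: it lists every element that still depends on the HREF-2020 key or endpoints, and every leaf MetadataProvider that lacks a Signature or RequireValidUntil filter. While both keys are configured in parallel the "still references" findings are expected; once HREF-2020 is decommissioned they mark what will stop working. The function names and the sample configuration are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Strings that tie a configuration to the HREF-2020 key (taken from this page).
OLD_MARKERS = ("mdx-2020.eduid.hu", "metadata.eduid.hu/2020/",
               "href-metadata-signer-2020.crt")


def local(tag):
    """Drop the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return sorted (owner, finding) pairs for a Shibboleth SP configuration."""
    root = ET.fromstring(xml_text)
    parents = {child: p for p in root.iter() for child in p}

    def owner(el):  # nearest id on the element or an ancestor, else tag name
        node = el
        while node is not None and not node.get("id"):
            node = parents.get(node)
        return node.get("id") if node is not None else local(el.tag)

    findings = set()
    for el in root.iter():
        values = list(el.attrib.values()) + [el.text or ""]
        for marker in OLD_MARKERS:
            if any(marker in v for v in values):
                findings.add((owner(el), "still references " + marker))
        if local(el.tag) != "MetadataProvider" or el.get("type") == "Chaining":
            continue
        # Leaf providers: signature and freshness filters must both be present.
        filters = {f.get("type") for f in el if local(f.tag) == "MetadataFilter"}
        for needed in ("Signature", "RequireValidUntil"):
            if needed not in filters:
                findings.add((owner(el), "no " + needed + " filter"))
    return sorted(findings)


# Constructed sample, not a real deployment.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
 <SSO discoveryURL="https://mdx-2020.eduid.hu/role/idp.ds">SAML2</SSO>
 <MetadataProvider type="MDQ" id="href-2025" baseUrl="https://mdx-2025.eduid.hu/">
  <MetadataFilter type="Signature" certificate="href-metadata-signer-2025.crt"/>
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="864000"/>
 </MetadataProvider>
 <MetadataProvider type="Dynamic" id="href-2020" ignoreTransport="true">
  <Subst>https://mdx-2020.eduid.hu/entities/$entityID</Subst>
  <MetadataFilter type="Signature" certificate="href-metadata-signer-2020.crt"/>
 </MetadataProvider>
</SPConfig>"""
```

Run it against a real file with `audit(open("/etc/shibboleth/shibboleth2.xml").read())`; an empty list means nothing in the file depends on HREF-2020 and every leaf provider carries both filters.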
Shibboleth Identity Provider settings
XML
Shibboleth 4.X
https://wiki.shibboleth.net/confluence/display/IDP4/FileBackedHTTPMetadataProvider
```xml
<MetadataProvider id="RemoteMetadataAggregate" xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/href-2025.xml"
                  metadataURL="https://metadata.eduid.hu/2025/href.xml">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="%{idp.home}/conf/metadata/href-metadata-signer-2025.crt"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P9D"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
```
Shibboleth 3.X
https://wiki.shibboleth.net/confluence/display/IDP30/FileBackedHTTPMetadataProvider
```xml
<MetadataProvider id="RemoteMetadataAggregate" xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/href-2025.xml"
                  metadataURL="https://metadata.eduid.hu/2025/href.xml">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="%{idp.home}/conf/metadata/href-metadata-signer-2025.crt"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P9D"/>
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>
```
MDX
Shibboleth 4.X
https://wiki.shibboleth.net/confluence/display/IDP4/DynamicHTTPMetadataProvider
```xml
<MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider"
                  connectionRequestTimeout="PT2S"
                  connectionTimeout="PT2S"
                  socketTimeout="PT4S">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/href-metadata-signer-2025.crt"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P9D"/>
    <MetadataQueryProtocol>https://mdx-2025.eduid.hu/</MetadataQueryProtocol>
</MetadataProvider>
```
Shibboleth 3.X
https://wiki.shibboleth.net/confluence/display/IDP30/DynamicHTTPMetadataProvider
```xml
<MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider"
                  connectionRequestTimeout="PT2S"
                  connectionTimeout="PT2S"
                  socketTimeout="PT4S">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/href-metadata-signer-2025.crt"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P9D"/>
    <MetadataQueryProtocol>https://mdx-2025.eduid.hu/</MetadataQueryProtocol>
</MetadataProvider>
```
SimpleSAMLphp
MDX
```php
// config/config.php
'metadata.sources' => [
    ['type' => 'flatfile'], // required so that the *-hosted metadata configuration is loaded
    [
        'type' => 'mdq',
        'server' => 'https://mdx-2025.eduid.hu',
        /* --- */
        'validateFingerprint' => '45:B2:33:96:7C:4F:7E:42:86:8D:CC:CF:CC:0E:3E:1C:2E:24:C2:DE'
    ],
],
```
metarefresh
https://simplesamlphp.org/docs/stable/simplesamlphp-maintenance#section_3
```php
// config/config-metarefresh.php
$config = [
    'sets' => [
        'href-2020' => [
            'cron' => ['hourly'],
            'sources' => [
                [
                    'src' => 'https://metadata.eduid.hu/2020/href.xml',
                    'validateFingerprint' => 'C3:72:DC:75:4C:FA:BA:65:63:52:D9:6B:47:5B:44:7E:AA:F6:45:61',
                ],
            ],
            'expireAfter' => 777600, // 9 days
            'outputDir' => 'metadata/metarefresh-href-2020/',
            'outputFormat' => 'flatfile',
        ],
        'href-2025' => [
            'cron' => ['hourly'],
            'sources' => [
                [
                    'src' => 'https://metadata.eduid.hu/2025/href.xml',
                    'validateFingerprint' => '45:B2:33:96:7C:4F:7E:42:86:8D:CC:CF:CC:0E:3E:1C:2E:24:C2:DE',
                ],
            ],
            'expireAfter' => 777600, // 9 days
            'outputDir' => 'metadata/metarefresh-href-2025/',
            'outputFormat' => 'flatfile',
        ],
    ],
];
```
```php
// config/config.php
'metadata.sources' => [
    ['type' => 'flatfile'],
    ['type' => 'flatfile', 'directory' => 'metadata/metarefresh-href-2020'],
    ['type' => 'flatfile', 'directory' => 'metadata/metarefresh-href-2025'],
],
```
FAQ
Under construction!
- Why is KIFÜ changing the key?
- Does it affect IdPs?
- What about IdPs that use eduGAIN?
- What about SPs that use eduGAIN?
- How can I check that I am using the right key?