Update to MetadataProvider

Prior to 2025 we advised using internal.ncl.ac.uk as a MetadataProvider in the shibboleth2.xml configuration file.

With enhancements to Shibboleth over time, we now advise that you use an MDQ URL to protect your Service Provider in the event of internal.ncl.ac.uk not being available.

To make the change to your Service Provider please follow this guidance:

  • Edit your shibboleth2.xml file

Replace

<MetadataProvider type="XML" uri="https://internal.ncl.ac.uk/ukfederation-metadata.xml" backingFilePath="ukfederation-metadata.xml" reloadInterval="7200">

</MetadataProvider>

With

<MetadataProvider type="XML" url="http://mdq.ukfederation.org.uk/entities/https:%2F%2Fgateway.ncl.ac.uk%2Fidp%2Fshibboleth" backingFilePath="gateway.ncl.ac.uk.xml">

<MetadataFilter type="Signature" certificate="ukfederation-mdq.pem"/>

</MetadataProvider>

  • Download the certificate to your server:

wget http://mdq.ukfederation.org.uk/ukfederation-mdq.pem -O /etc/shibboleth/ukfederation-mdq.pem

  • Restart the shibd service

service shibd restart

  • Test your SP and check your log file at startup

tail -f /var/log/shibboleth/shibd.log
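
The download step above fetches ukfederation-mdq.pem over plain HTTP, and that file is what the Signature MetadataFilter trusts, so it is worth checking its fingerprint before restarting shibd. The script below is an added example, not part of the original guidance; pem_sha256 and verify_pem are hypothetical helper names, and the expected fingerprint is a placeholder that you must obtain from the UK federation through a separate authenticated channel.

```shell
#!/bin/sh
# Added example: check the downloaded MDQ signing certificate before shibd trusts it.
# Assumes a PEM file holding exactly one certificate, plus coreutils base64/sha256sum.

# Print the SHA-256 fingerprint (lowercase hex, no colons) of the DER
# certificate inside a single-certificate PEM file.
pem_sha256() {
    # Keep only the base64 body between the BEGIN/END markers, then hash the DER bytes.
    awk '/^-----BEGIN CERTIFICATE-----/ {inside=1; next}
         /^-----END CERTIFICATE-----/   {inside=0}
         inside' "$1" | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Return 0 only if the file's fingerprint matches the expected value.
# Colons, spaces and upper case in the expected value are tolerated.
verify_pem() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }
    actual=$(pem_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches expected fingerprint"
    else
        echo "MISMATCH: $file has fingerprint $actual" >&2
        return 1
    fi
}

# Usage (placeholder value; substitute the fingerprint obtained out of band):
#   verify_pem /etc/shibboleth/ukfederation-mdq.pem "<EXPECTED_SHA256_FINGERPRINT>" \
#     && service shibd restart
```

Chaining the restart with && means shibd is only restarted when the certificate on disk matches the fingerprint you expected.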