Server maintenance between 8:00 a.m, to 5:00 p.m Saturday, December 02 , 2017, US/Eastern (EST). During the server maintenance time period, spaces.internet2.edu would be in READ Only Mode!!! If you have any questions or concerns please contact spaces-admin@internet2.edu.
Skip to end of metadata
Go to start of metadata

Dynamic Metadata Client Configuration

Shibboleth and simpleSAMLphp are the only known SAML implementations that support dynamic metadata query.

Contents

If you know of some other metadata query client, please share on the metadata-support mailing list.

Shibboleth IdP Configuration

The following DynamicHTTPMetadataProvider works with Shibboleth IdP 3.2 (or later):

Configure Shib IdP 3.0 (or later) for dynamic metadata query
<MetadataProvider 
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd"
    id="dynamicMDQ" xsi:type="DynamicHTTPMetadataProvider">

    <!-- Verify the signature on the root element (i.e., the EntityDescriptor element) -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="${idp.home}/conf/metadata/mdq-beta-cert.pem" />

    <!--
      Require a validUntil XML attribute on the EntityDescriptor element
      and make sure its value is no more than 14 days into the future 
    -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />

    <!-- This MetadataProvider conforms to the Metadata Query Protocol -->
    <MetadataQueryProtocol>http://mdq-beta.incommon.org/global</MetadataQueryProtocol>

</MetadataProvider>

If you find some other configuration that works better, please share your config details on the metadata-support mailing list.

Shibboleth SP Configuration

The following Dynamic MetadataProvider works with Shibboleth SP 2.4 (or later):

Configure Shib SP 2.4 (or later) for dynamic metadata query
<MetadataProvider type="Dynamic" ignoreTransport="true">

  <!-- Substitute an URL-encoded entityID into the request URL -->
  <Subst>http://mdq-beta.incommon.org/global/entities/$entityID</Subst>

  <!--
    Require a validUntil XML attribute on the EntityDescriptor element
    and make sure its value is no more than 14 days into the future 
  -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
 
  <!-- Verify the signature on the metadata file -->
  <MetadataFilter type="Signature" certificate="mdq-beta-cert.pem"/>
 
</MetadataProvider>

If your deployment exposes a dynamic discovery interface, the above metadata configuration is not sufficient. In that case, configure a Chaining MetadataProvider that falls back on an aggregate if necessary. The following configuration requires Shibboleth SP 2.4 (or later):

Configure Shib SP 2.4 (or later) with a chain of metadata providers
<!--
  A chaining MetadataProvider that tries dynamic metadata query first,
  and if that fails, the SP falls back on standard metadata refresh.
-->
<MetadataProvider type="Chaining">

  <!-- Dynamic Metadata Query -->
  <MetadataProvider type="Dynamic" ignoreTransport="true">

    <!-- Substitute an URL-encoded entityID into the request URL -->
    <Subst>http://mdq-beta.incommon.org/global/entities/$entityID</Subst>

    <!-- Check the expiration date -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
 
    <!-- Verify the XML signature -->
    <MetadataFilter type="Signature" certificate="mdq-beta-cert.pem"/>
 
  </MetadataProvider>

  <!-- Standard Metadata Refresh -->
  <MetadataProvider type="XML" 
      url="http://mdq-beta.incommon.org/global/entities"
      backingFilePath="BETA-InCommon-metadata.xml" maxRefreshDelay="3600">

    <!-- Verify the XML signature on the aggregate -->
    <MetadataFilter type="Signature" certificate="mdq-beta-cert.pem"/>

    <!-- Check the expiration date -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>

    <!-- Consume all IdP metadata in the aggregate -->
    <MetadataFilter type="EntityRoleWhiteList">
      <RetainedRole>md:IDPSSODescriptor</RetainedRole>
      <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
    </MetadataFilter>

  </MetadataProvider>

</MetadataProvider>

The above metadata configuration accommodates deployments that expose a dynamic discovery interface. To build the discovery interface, the SP falls back on aggregate metadata.

SimpleSAMLphp Configuration

TBD

  • No labels