The MetadataGen plugin provides a command line to generate metadata based on a very shallow introspection of the IdP configuration properties.

Metadata generation can never be an automatic process. Metadata is a description of how you want your IdP to be viewed by others, which is significantly more than anything that can be created automatically. Nonetheless, much of the metadata is formulaic, since things such as endpoints are usually standardized. The metadatagen command provides assistance in generating much of that standardized boilerplate.

The metadatagen command provides a basis for generating the metadata for your IdP. It does extremely limited introspection into the configuration and outputs metadata for the standard endpoints. This saves time and reduces the risk of cut-and-paste errors being introduced into your metadata.

This tool does not output "ready to use" metadata; it is a preliminary to, NOT an alternative to, editing your metadata prior to publishing it.
Starting with IdP 4.2 you can install the latest plugin version supported on your IdP version with:

```
.\plugin.sh -I net.shibboleth.idp.plugin.metadatagen
```
| Plugin | Plugin ID | Module(s) | Latest Version | Bug Reporting |
|---|---|---|---|---|
| Metadatagen | net.shibboleth.idp.plugin.metadatagen | idp.metadatagen | 1.0.0: download | |
For a detailed guide on how to install plugins, see here.

In summary, use the plugin command that ships with the IdP to install the plugin from a pre-downloaded local file, from a URL, or by plugin ID (IdP 4.2 and later):

```
C:>\opt\shibboleth-idp\bin\plugin.bat -I net.shibboleth.idp.plugin.oidc.whatever
```

or

```
$ /opt/shibboleth-idp/bin/plugin.sh -i http://shibboleth.net/downloads/identity-provider/plugins/pluginName/version/URL
```

or

```
$ /opt/shibboleth-idp/bin/plugin.sh -i <plugin.tar.gz>
```
If installing from a local file, you need to ensure the GPG detached signature (e.g. the .asc file) is placed alongside the main plugin archive on disk.

Installed plugins can be listed with:

```
$ /opt/shibboleth-idp/bin/plugin.sh -l
```

or

```
C:>\opt\shibboleth-idp\bin\plugin.bat -l
```
The generated metadata is based on a picture of the IdP's configuration sourced from two locations: configuration property files and the command line. Importantly, this tool does not consider anything about the relying party configuration.

The property files provide the following information:

- The entityID (from idp.entityID)
- The scope (from idp.scope)
- The encryption certificate (from idp.encryption.cert)
- The signing certificate used for attribute push (from idp.signing.cert)
The command line is usually used to provide information to do with the web container (i.e. Jetty or Tomcat) configuration:

- --DNSName specifies the DNS name (with a default of idp.example.org)
- If present, --backChannel <file> provides the signing certificate used for back channel tasks.
An additional property file can be used to specify the DNS name and the back channel certificate path; further properties can be used to drive MDUI generation. This is described further below.

With no command line options the tool prints to the screen the metadata for a SAML2 IdP configured for attribute push only. Further options control adding or removing parts of the metadata.
| Qualifier | Function |
|---|---|
| --DNSName name | Supplies the DNS name used within the URLs specifying the endpoints |
| --output <file>, -o <file> | Outputs the metadata to a file |
| --backChannel <file> | Specifies the path to the certificate protecting the back channel. This is required to emit any SOAP endpoints (artifact, logout and attribute fetch). |
| +SAML1, +1 | Include metadata for a SAML1 IdP. SAML1 attribute fetch endpoints will be included, regardless of whether |
| -SAML2, -2 | Suppress the metadata for a SAML2 IdP |
| +SAMLSP, +SP | Include metadata for a SAML2 SP (for use in proxying) |
| +logout | Include SAML2 logout endpoints. |
| +artifact | Include the artifact resolution endpoints (requires |
| +attributeFetch | Include the SAML2 attribute fetch endpoints (requires |
| --propertyFiles <file>,<file>... | Additional property files. |
The full set of options can be viewed with the --help option.

The parts of the metadata drawn from the IdP configuration are derived from the IdP configuration property files. Additional properties can be provided (via the --propertyFiles qualifier) to describe more about the IdP.

Remember that if idp.searchForProperties is set to true, all property files under idp/conf will be loaded.
| Property | Description |
|---|---|
| idp.metadata.dnsname | Supplies the DNS name used within the URLs specifying the endpoints. |
| idp.metadata.backchannel.cert | Specifies the path to the certificate protecting the back channel. This should not be used in conjunction with the |
| idp.metadata.idpsso.mdui.logo.path | Specifies the path part of the URL which describes a logo for the IdP. The `<mdui:Logo>` is always emitted. If this is absent then a fixed path ('/path/to/logo') is used. |
| idp.metadata.idpsso.mdui.logo.height | The height (in pixels) of the logo. Defaults to 80. |
| idp.metadata.idpsso.mdui.logo.width | The width (in pixels) of the logo. Defaults to 80. |
| idp.metadata.idpsso.mdui.langs | A (space separated) list of languages used to look up values, formed by appending each one to the name and description properties described below. If this is absent then an `<mdui:DisplayName/>` and `<mdui:Description>` for the "en" language is emitted, which you need to edit. |
| idp.metadata.idpsso.mdui.displayname.<lang> | Display name for the IdP in the specified language. If this is absent for a language specified above then no `<mdui:DisplayName>` is emitted for that language. |
| idp.metadata.idpsso.mdui.description.<lang> | Description for the IdP in the specified language. If this is absent for a language specified above then no `<mdui:Description>` is emitted for that language. |
Example command line:

```
metadatagen +saml1 +sp --backChannel /opt/idp/credentials/idp-backchannel.crt --output myMetadata.xml
```

Example property file:

```
idp.metadata.dnsname=ushib.example.org
idp.metadata.backchannel.cert=/opt/idp/credentials/idp-backchannel.crt
idp.metadata.idpsso.mdui.langs=en fr de
idp.metadata.idpsso.mdui.displayname.fr=Université de Shibboleth
idp.metadata.idpsso.mdui.displayname.en=Shibboleth University
idp.metadata.idpsso.mdui.displayname.de=Universität Shibboleth
idp.metadata.idpsso.mdui.description.fr=UShib
idp.metadata.idpsso.mdui.description.de=UShib
idp.metadata.idpsso.mdui.description.en=UShib
idp.metadata.idpsso.mdui.logo.height=84
idp.metadata.idpsso.mdui.logo.width=75
idp.metadata.idpsso.mdui.logo.path=/the/to/path/logo.png
```
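Because the tool's output must be edited before it is published, a pre-publication check of the kind a deployer would run over the generated file is shown below. It is an added example, not code from the plugin or this page: it parses the metadata and flags what metadatagen cannot know on its own (endpoints still on the default idp.example.org host, the fixed '/path/to/logo' logo path, and a missing `<mdui:DisplayName>` for a configured language). The sample metadata document is constructed for the example.

```python
"""Pre-publication lint for metadatagen output (added example; not the plugin's own code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
PLACEHOLDER_LOGO = "/path/to/logo"  # fixed path the tool emits when no logo path is configured


def lint_metadata(xml_text, entity_id, dns_name, langs):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("entityID") != entity_id:
        problems.append(f"entityID is {root.get('entityID')!r}, expected {entity_id!r}")
    # Every endpoint must be https on the host given via --DNSName / idp.metadata.dnsname;
    # the default of idp.example.org is what usually leaks through here.
    for el in root.iter():
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url is None:
                continue
            parsed = urlparse(url)
            if parsed.scheme != "https" or parsed.hostname != dns_name:
                name = el.tag.rsplit("}", 1)[-1]
                problems.append(f"{name} {attr} {url!r} is not on https://{dns_name}/")
    # MDUI: the logo placeholder, and a DisplayName for every configured language.
    for logo in root.iterfind(".//mdui:Logo", NS):
        if urlparse(logo.text or "").path == PLACEHOLDER_LOGO:
            problems.append("mdui:Logo still uses the placeholder path")
    present = {dn.get(XML_LANG) for dn in root.iterfind(".//mdui:DisplayName", NS)}
    for lang in langs:
        if lang not in present:
            problems.append(f"no mdui:DisplayName for language {lang!r}")
    return problems


# Constructed sample resembling unedited generator output (not real metadatagen output).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://ushib.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Shibboleth University</mdui:DisplayName>
      <mdui:Logo height="84" width="75">https://ushib.example.org/path/to/logo</mdui:Logo>
    </mdui:UIInfo></md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Running `lint_metadata(SAMPLE, "https://ushib.example.org/idp/shibboleth", "ushib.example.org", ["en", "fr", "de"])` on the sample reports the idp.example.org endpoint, the placeholder logo, and the missing fr and de display names.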