This article describes a semi-automatic process for managing untrusted SAML metadata using a Shibboleth LocalDynamicMetadataProvider
and a complementary set of command-line tools.
...
We start with a relatively simple example of remote metadata:
https://shibboleth.irbmanager.com/metadata.xml
A non-InCommon Shibboleth SP that consumes InCommon metadata
Last-Modified: Tue, 28 Jul 2015 13:32:54 GMT
Supports HTTP Conditional GET
See the relevant discussion thread on the mailing list
If you trust the SP owner to do the Right Thing, and the reliance on commercial TLS is not a concern, configure a Shibboleth FileBackedHTTPMetadataProvider to refresh the metadata at least daily:
...
Code Block | ||||
---|---|---|---|---|
| ||||
# Steps 5 and 6
# force a metadata refresh
$ $BIN_DIR/md_refresh.bash -F $md_location \
| $BIN_DIR/md_tee.bash $sourceDirectory \
> /dev/null |
...
Moreover, the NameIDFormat
elements in AWS metadata are bogus. The elements must be removed from metadata in order for the integration to be successful. Since AWS metadata includes a @validUntil
attribute, downloading a static copy of the metadata is not advisable, however.
https://signin.aws.amazon.com/static/saml-metadata.xml
Last-Modified
date unknownDoes not support HTTP Conditional GET (no
ETag
in response)Unauthorized URN-based entityID (
urn:amazon:webservices
)Includes
@validUntil
attribute (expires annually)No encryption certificate
NameIDFormat
is wrong (showstopper)Current
NameIDFormat
values in metadata:urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Login apparently works fine when these two
NameIDFormat
values are removed from metadataThis might work:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Role-based attribute release is tricky (see the AWS documentation and search the Shibboleth archives for details)
See relevant discussion thread on the mailing list
As in the previous example, initialize both the cache and the source directory, but this time filter the NameIDFormat
elements from the metadata before copying to the source directory:
Code Block | ||||
---|---|---|---|---|
| ||||
# Steps 1 and 2 $ md_location=https://signin.aws.amazon.com/static/saml-metadata.xml # log a warning if the metadata will expire within 5 days $ $BIN_DIR/md_refresh.bash $md_location \ | $BIN_DIR/md_require_valid_metadata.bash -LE P5D \ | /usr/bin/xsltproc $LIB_DIR/remove_NameIDFormat.xsl - \ | $BIN_DIR/md_tee.bash $sourceDirectory \ > /dev/null |
...
Code Block | ||||
---|---|---|---|---|
| ||||
# Steps 5 and 6 # force a metadata refresh $ $BIN_DIR/md_refresh.bash -F $md_location \ | $BIN_DIR/md_require_valid_metadata.bash -LE P5D \ | /usr/bin/xsltproc $LIB_DIR/remove_NameIDFormat.xsl - \ | $BIN_DIR/md_tee.bash $sourceDirectory \ > /dev/null |
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
#!/bin/bash # environment variables # (also export TMPDIR if it doesn’t already exist) export BIN_DIR=/tmp/bin export LIB_DIR=/tmp/lib export CACHE_DIR=/tmp/http_cache export LOG_FILE=/tmp/bash_log.txt # the name of this script script_name=${0##*/} # specify the source directory sourceDirectory=/path/to/source/dir # remove expired metadata from the source directory # log alsoa checkwarning forif metadataa setdocument towill expire within two weeks $BIN_DIR/md_sweep.bash -LE P2W $sourceDirectory >&2 status_code=$? if [ $status_code -ne 0 ]; then echo "ERROR: $script_name: md_sweep.bash failed ($status_code) on source directory: $sourceDirectory" >&2 fi exit $status_code |
...