...
- id - provides an identifier, unique amongst metadata providers, that may be used to reference the provider
Example Chaining Metadata Provider Configuration (xml):

<!-- RelyingParty elements above this point -->
<MetadataProvider xsi:type="ChainingMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    id="MyMetadata">
    <MetadataProvider xsi:type="FilesystemMetadataProvider"
        id="InternalMetadata"
        metadataFile="/path/to/my/metadata-internal.xml" />
    <MetadataProvider xsi:type="FileBackedHTTPMetadataProvider"
        id="External Metadata"
        metadataURL="http://example.org/metadata.xml"
        backingFile="/tmp/idp-metadata.xml" />
</MetadataProvider>
...
Note: Setting the min and max refresh delay to the same value is a nonsensical configuration. Don't do it.

Example Filesystem Metadata Provider Configuration (xml):

<!-- RelyingParty elements above this point -->
<MetadataProvider xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    id="MyMetadata"
    metadataFile="/path/to/my/metadata.xml" />
...
Note: Setting the min and max refresh delay to the same value is a nonsensical configuration. Don't do it.

Example File Backed HTTP Metadata Provider Configuration (xml):

<!-- RelyingParty elements above this point -->
<MetadataProvider xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    id="MyMetadata"
    metadataURL="http://example.org/metadata.xml"
    backingFile="/tmp/idp-metadata.xml" />
...
Note: Setting the min and max refresh delay to the same value is a nonsensical configuration. Don't do it.

Example HTTP Metadata Provider Configuration (xml):

<!-- RelyingParty elements above this point -->
<MetadataProvider xsi:type="HTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    id="MyMetadata"
    metadataURL="http://example.org/metadata.xml" />
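What the file-backed HTTP provider does at runtime, and why the refresh-delay note above matters, as an added Python model that is not Shibboleth's code: the remote fetch is injected as a callable so the script runs offline, the atomic write and backing-file fallback are this model's own design, and the proportional factor of 0.75 used to schedule the next refresh is an assumption of the model, not a value stated on this page. The sample document, the temporary backing file path and the fixed clock are constructed.

```python
"""Model of a file-backed HTTP metadata provider: fetch, persist, fall back.

Added example, not Shibboleth's code. The remote fetch is injected so the
script runs offline; the backing-file handling and the 0.75 refresh factor
are assumptions of this model, not settings documented on the page.
"""
import os
import tempfile
from datetime import datetime, timedelta, timezone


def load_metadata(fetch, backing_file):
    """Fetch from metadataURL via fetch(); on success write the result to
    backing_file atomically, on failure serve the last good copy from it.
    Returns (xml_text, source) where source names where the text came from."""
    try:
        data = fetch()
    except OSError as err:  # DNS, connection or HTTP-level failure
        if not os.path.exists(backing_file):
            raise RuntimeError("remote fetch failed and no backing file exists") from err
        with open(backing_file, encoding="utf-8") as fh:
            return fh.read(), "backingFile"
    tmp = backing_file + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(data)
    os.replace(tmp, backing_file)  # rename is atomic: no reader sees a partial file
    return data, "metadataURL"


def next_refresh_delay(valid_until, now, min_delay, max_delay, factor=0.75):
    """Seconds until the next refresh: a fraction of the remaining validity,
    clamped to [min_delay, max_delay]. When min_delay == max_delay the clamp
    swallows the metadata's own lifetime, which is why equal values are a
    nonsensical configuration."""
    remaining = (valid_until - now).total_seconds()
    return max(min_delay, min(max_delay, remaining * factor))


def demo_fallback():
    """First load succeeds and seeds the backing file; the second load's
    fetch fails and is answered from that file. Returns (source1, source2, same)."""
    backing = os.path.join(tempfile.mkdtemp(), "idp-metadata.xml")  # constructed path
    sample = '<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>'  # constructed

    def failing_fetch():
        raise OSError("connection refused")

    first_text, first_src = load_metadata(lambda: sample, backing)
    second_text, second_src = load_metadata(failing_fetch, backing)
    return first_src, second_src, first_text == second_text


def demo_refresh_delays():
    """Four days of validity left: a sane window passes the proportional
    delay through, an equal min/max window always returns its fixed value."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed fixed clock
    valid_until = now + timedelta(days=4)  # 345600 s remaining
    sane = next_refresh_delay(valid_until, now, min_delay=300, max_delay=604800)
    degenerate = next_refresh_delay(valid_until, now, min_delay=3600, max_delay=3600)
    return sane, degenerate
```

The second call in demo_fallback() is the reason the backing file exists: when metadataURL is unreachable the IdP keeps working from its last good copy instead of losing every relying party at once. Whatever is read back from that file is trusted once the filters have run, so a practitioner would place it in a directory only the IdP can write rather than the /tmp used in the page's examples. The page's examples also fetch over plain http, so the integrity of the fetched document rests on the SignatureValidation filter described further down, not on the transport.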
...
The content of the <MetadataProvider> element is then either a SAML 2 metadata <EntitiesDescriptor> or <EntityDescriptor> element.

Example Inline Metadata Provider Configuration (xml):

<!-- RelyingParty elements above this point -->
<MetadataProvider xsi:type="InlineMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
    id="MyInlineMetadata">
    <EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        <!-- Rest of SAML 2 metadata -->
    </EntitiesDescriptor>
</MetadataProvider>
...
The content of the <MetadataFilter> element is other <MetadataFilter> elements, applied in the order given.

Example Chaining Metadata Filter (xml):

<!-- The xsi and samlmd prefixes are declared on the root element of the configuration file -->
<MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
    <MetadataFilter xsi:type="SignatureValidation" trustEngineRef="shibboleth.SignatureTrustEngine" />
    <MetadataFilter xsi:type="EntityRoleWhiteList">
        <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataFilter>
...
This filter is defined by the element <MetadataFilter xsi:type="SchemaValidation" xmlns="urn:mace:shibboleth:2.0:metadata">. It may contain any number of <ExtensionSchema> elements whose content is the classpath location of an additional XML Schema file to use during validation.

Example Schema Validation Filter (xml):

<MetadataFilter xsi:type="SchemaValidation" xmlns="urn:mace:shibboleth:2.0:metadata">
    <ExtensionSchema>/schema/foo.xsd</ExtensionSchema>
</MetadataFilter>
...
- maxValidityInterval - the interval, in seconds, from now within which the validUntil date must fall. A value of zero indicates no upper limit. Default value: 0
Example Required validUntil Filter (xml):

<!-- 604800 seconds is 7 days: metadata claiming validity further out than that is rejected -->
<MetadataFilter xsi:type="RequiredValidUntil" xmlns="urn:mace:shibboleth:2.0:metadata"
    maxValidityInterval="604800" />
...
- requireSignedMetadata - a boolean flag that requires that incoming metadata be signed (default value: false)
Example Signature Validation Filter (xml):

<MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
    trustEngineRef="shibboleth.MetadataTrustEngine"
    requireSignedMetadata="true" />
...
Regardless of the values of the two optional attributes, the root element of a metadata document is never removed, even if filtering leaves it essentially empty.

Example Entity Role WhiteList Filter (xml):

<MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
</MetadataFilter>
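The filter behaviour described above (the chaining filter running its children in order, the maxValidityInterval check of RequiredValidUntil, and the EntityRoleWhiteList rule that the root element is never removed), as an added Python model that is not Shibboleth's code. It operates on a constructed metadata document with a fixed clock, exposes the whitelist filter's optional attributes removeRolelessEntityDescriptors and removeEmptyEntitiesDescriptors as keyword parameters, and deliberately omits signature validation: nothing here verifies a signature, and a filter chain that skipped SignatureValidation would accept whatever document it was handed.

```python
"""Model of the metadata filter chain: ChainingFilter, RequiredValidUntil
and EntityRoleWhiteList applied to a constructed SAML metadata document.
Added example, not Shibboleth's code; signature validation is left out."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITIES, ENTITY = f"{{{MD}}}EntitiesDescriptor", f"{{{MD}}}EntityDescriptor"
# SAML 2 role descriptor elements: what EntityRoleWhiteList keeps or strips.
ROLE_TAGS = {f"{{{MD}}}{n}" for n in ("SPSSODescriptor", "IDPSSODescriptor",
             "AttributeAuthorityDescriptor", "AuthnAuthorityDescriptor", "PDPDescriptor")}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed fixed clock

# Constructed sample: an SP, an IdP and a nested sub-federation holding an AA.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="example-federation" validUntil="{valid_until}">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntitiesDescriptor Name="sub-federation">
    <EntityDescriptor entityID="https://aa.example.org/aa">
      <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </EntityDescriptor>
  </EntitiesDescriptor>
</EntitiesDescriptor>"""


class FilterError(Exception):
    """Raised when a filter rejects the whole metadata document."""


def build_sample(valid_until):
    """Parse the constructed sample with the given validUntil instant."""
    stamp = valid_until.strftime("%Y-%m-%dT%H:%M:%SZ")
    return ET.fromstring(SAMPLE_METADATA.format(valid_until=stamp))


def required_valid_until(root, max_validity_interval=0, now=NOW):
    """RequiredValidUntil: validUntil must be present and, when the interval
    (seconds) is non-zero, fall within now + interval; zero means no upper limit."""
    raw = root.get("validUntil")
    if raw is None:
        raise FilterError("metadata has no validUntil attribute")
    if max_validity_interval > 0:
        valid_until = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if not now < valid_until <= now + timedelta(seconds=max_validity_interval):
            raise FilterError(f"validUntil {raw} is outside the allowed {max_validity_interval}s window")
    return root


def entity_role_whitelist(root, retained_roles, remove_roleless_entity_descriptors=True,
                          remove_empty_entities_descriptors=True):
    """EntityRoleWhiteList: strip roles not in retained_roles ('samlmd:SPSSODescriptor'
    style QNames), then optionally drop roleless entities and emptied groups.
    The root element is never removed, even when filtering leaves it empty."""
    retained = {f"{{{MD}}}{qname.split(':')[-1]}" for qname in retained_roles}

    def prune(node):
        for child in list(node):
            if child.tag == ENTITY:
                for role in list(child):
                    if role.tag in ROLE_TAGS and role.tag not in retained:
                        child.remove(role)
                if remove_roleless_entity_descriptors and not any(r.tag in ROLE_TAGS for r in child):
                    node.remove(child)
            elif child.tag == ENTITIES:
                prune(child)  # filter the nested group first, then judge emptiness
                if remove_empty_entities_descriptors and len(child) == 0:
                    node.remove(child)

    prune(root)  # the root is only ever a parent here, so it survives by construction
    return root


def chain(root, *filters):
    """ChainingFilter: apply each filter in order; the first FilterError rejects the document."""
    for metadata_filter in filters:
        root = metadata_filter(root)
    return root


def demo_accepts():
    """3 days of validity under a 604800 s limit, SP roles only: just the SP entity survives."""
    doc = chain(build_sample(NOW + timedelta(days=3)),
                lambda r: required_valid_until(r, 604800),
                lambda r: entity_role_whitelist(r, ["samlmd:SPSSODescriptor"]))
    return [e.get("entityID") for e in doc.iter(ENTITY)]


def demo_rejects_long_validity():
    """30 days of validity exceeds the 604800 s window, so the filter raises."""
    try:
        required_valid_until(build_sample(NOW + timedelta(days=30)), 604800)
    except FilterError as err:
        return str(err)
    return None


def demo_root_survives():
    """Retaining a role no entity has empties the document; the root remains."""
    doc = entity_role_whitelist(build_sample(NOW + timedelta(days=3)), ["samlmd:PDPDescriptor"])
    return doc.tag, len(doc)
```

demo_accepts() shows the two removal attributes working together: the IdP entity loses its only role and is dropped, the sub-federation loses its only entity and is dropped, and only the SP entity is left. demo_root_survives() shows the caveat from the text: a whitelist that matches nothing leaves an empty EntitiesDescriptor rather than no document at all, so a provider fed such a result reports zero entities instead of failing.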
...