...
The main component of the implementation is a specific metadata filter (md_require_timestamps.bash
) written in bash. The filter ensures that all of the following conditions are true:
...
In other words, the filter is a superset of the Shibboleth RequiredValidUntil metadata filter. Like the RequiredValidUntil
filter, the bash filter rejects metadata that never expires or for which the validity interval is too long (both of which undermine the usual trust model). In addition, the filter ensures that the metadata is associated with a @creationInstant
attribute. This important feature allows the filter to warn if the metadata is stale, long before the metadata expires.
As a side effect, the filter persists the values of the @creationInstant
and @validUntil
attributes to a log file. It then converts a portion of the log file to JSON. Here is the simplest example of a JSON array with one element:
JSON output of the metadata filter
Expand | |||||
---|---|---|---|---|---|
| |||||
|
The data in the JSON file are sufficient to construct a time-series plot. For example:
...
Now let’s modify the above command slightly so that the values of the @creationInstant
and @validUntil
attributes are persisted to a log file. For illustration, we’ll configure a log file in the /tmp
directory:
Define a persistent log file
...
At last we are ready to convert (a portion of) the log file to JSON format. Typically the JSON file will be written to a web directory, but for illustration purposes, let’s write the output in the /tmp
directory:
Locate an output file
...
By default, the JSON array will have 10 elements. To specify some other array size, add option -n
to the metadata filter:
Adjust the size of the JSON array
...