This article describes a semi-automatic process for managing untrusted SAML metadata using a Shibboleth LocalDynamicMetadataProvider
and a complementary set of command-line tools.
...
We start with a relatively simple example of remote metadata:

- https://shibboleth.irbmanager.com/metadata.xml
- A non-InCommon Shibboleth SP that consumes InCommon metadata
- Last-Modified: Tue, 28 Jul 2015 13:32:54 GMT
- Supports HTTP Conditional GET
- See the relevant discussion thread on the mailing list
If you trust the SP owner to do the Right Thing, and relying on commercial TLS (that is, on the web PKI rather than on a signature over the metadata itself) is not a concern, configure a Shibboleth FileBackedHTTPMetadataProvider to refresh the metadata at least daily:
...
```bash
#!/bin/bash
# Cron job: is the cached copy of the IRBManager metadata still current?
# The exit status follows http_cache_check.bash: 0 = cache is up-to-date,
# 1 = the server has a newer copy, >1 = the check itself failed.

# environment variables
# (also export TMPDIR if it doesn't already exist)
export BIN_DIR=/tmp/bin
export LIB_DIR=/tmp/lib
export CACHE_DIR=/tmp/http_cache
export LOG_FILE=/tmp/bash_log.txt

# the name of this script
script_name=${0##*/}

# specify the HTTP resource
location=https://shibboleth.irbmanager.com/metadata.xml

# check the cache against the server (the server supports conditional GET,
# so an up-to-date cache costs one 304 response, not a download)
"$BIN_DIR/http_cache_check.bash" "$location" >&2
status_code=$?
if [ "$status_code" -eq 1 ]; then
    echo "WARN: $script_name: cache is NOT up-to-date for resource: $location" >&2
elif [ "$status_code" -gt 1 ]; then
    echo "ERROR: $script_name: http_cache_check.bash failed ($status_code) on location: $location" >&2
fi
exit "$status_code"
```
...
Moreover, the NameIDFormat elements in AWS metadata are bogus: they must be removed from the metadata for the integration to work. Because AWS metadata also carries a @validUntil attribute, however, downloading a static copy of the metadata is not advisable; once the validUntil date passes, the IdP will stop trusting that copy.
- https://signin.aws.amazon.com/static/saml-metadata.xml
- Last-Modified date unknown
- Does not support HTTP Conditional GET (no ETag in response)
- Unauthorized URN-based entityID (urn:amazon:webservices)
- Includes @validUntil attribute (expires annually)
- No encryption certificate
- NameIDFormat is wrong (showstopper)
  - Current NameIDFormat values in metadata:
    - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  - Login apparently works fine when these two NameIDFormat values are removed from metadata
  - This might work: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Role-based attribute release is tricky (see the AWS documentation and search the Shibboleth archives for details)
- See the relevant discussion thread on the mailing list
As in the previous example, initialize both the cache and the source directory, but this time filter the NameIDFormat elements from the metadata before copying to the source directory:
```bash
# Steps 1 and 2
$ md_location=https://signin.aws.amazon.com/static/saml-metadata.xml
$ $BIN_DIR/md_refresh.bash $md_location \
    | $BIN_DIR/md_require_valid_metadata.bash -L P5D \
    | /usr/bin/xsltproc $LIB_DIR/remove_NameIDFormat.xsl - \
    | $BIN_DIR/md_tee.bash $sourceDirectory \
    > /dev/null
```
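The pipeline above chains the page's own bash tools. What follows is an added example, not one of those tools and not the page's code: a stand-alone Python script (Python rather than bash so that the XML handling runs offline with the standard library) that reproduces the three filtering steps on a constructed, AWS-shaped document. It requires the metadata to remain valid for a look-ahead interval (my reading of md_require_valid_metadata.bash -L P5D; the page does not define that option), removes every md:NameIDFormat element (the job remove_NameIDFormat.xsl does), and names the output file the way a LocalDynamicMetadataProvider source directory expects by default (hex SHA-1 of the entityID plus .xml; check the provider's sourceKeyGenerator if you changed it). The sample metadata, its placeholder certificate and its dates are constructed for this example; none of it is AWS's actual metadata.

```python
"""Added example: validate, filter and file one SAML EntityDescriptor the way the
md_refresh | md_require_valid_metadata -L | xsltproc | md_tee pipeline does."""
import hashlib
import re
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from pathlib import Path

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)   # keep the md:/ds: prefixes on re-serialization
ET.register_namespace("ds", DS_NS)

# Constructed sample shaped like the AWS SP metadata described above: a validUntil
# attribute, transient and persistent NameIDFormat, no encryption KeyDescriptor.
# The certificate text and the expiry date are placeholders, not AWS's values.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:amazon:webservices" validUntil="2030-06-30T23:59:59Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.aws.amazon.com/saml" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# ISO 8601 duration subset used on this page (P5D, PT12H, P1DT6H, ...)
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Turn a duration such as 'P5D' into a timedelta; reject anything else."""
    m = DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_saml_datetime(text):
    """SAML dateTime values are UTC with a trailing 'Z'; fromisoformat wants +00:00."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        raise ValueError(f"dateTime without a time zone: {text!r}")
    return value


def require_valid(root, lookahead, now=None):
    """True only if validUntil (when present) is at least `lookahead` after `now`.

    Assumption: this is what the -L option of md_require_valid_metadata.bash
    enforces. `now` may be a datetime or a SAML-style string (useful for replays)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_saml_datetime(now)
    valid_until = root.get("validUntil")
    if valid_until is None:
        return True  # no expiry to enforce; a stricter policy could reject this
    return parse_saml_datetime(valid_until) - now >= lookahead


def is_valid_for(xml_text, lookahead_text, now=None):
    """Convenience wrapper over require_valid for a document held as text."""
    return require_valid(ET.fromstring(xml_text), parse_duration(lookahead_text), now)


def remove_nameid_formats(root):
    """Delete every md:NameIDFormat element anywhere in the tree; return the count."""
    tag = f"{{{MD_NS}}}NameIDFormat"
    removed = 0
    for parent in list(root.iter()):            # snapshot: we mutate while walking
        for child in [c for c in parent if c.tag == tag]:
            parent.remove(child)
            removed += 1
    return removed


def source_file_name(entity_id):
    """Default LocalDynamicMetadataProvider key: hex SHA-1 of the entityID + '.xml'."""
    return hashlib.sha1(entity_id.encode("utf-8")).hexdigest() + ".xml"


def filter_metadata(xml_text, lookahead, now=None):
    """Validate and filter one EntityDescriptor; return (file name, bytes, removed)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")
    if not require_valid(root, lookahead, now):
        raise ValueError("metadata expires within the look-ahead window; refusing it")
    removed = remove_nameid_formats(root)
    # Re-serializing invalidates any enveloped ds:Signature, exactly as xsltproc
    # does in the pipeline: verify a signature (if there is one) before this step.
    data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    return source_file_name(root.get("entityID")), data, removed


if __name__ == "__main__":
    # usage: python filter_md.py [SOURCE_DIR [metadata.xml]]  (sample if no file)
    source_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "/tmp/md_source")
    text = Path(sys.argv[2]).read_text() if len(sys.argv) > 2 else SAMPLE_METADATA
    name, data, removed = filter_metadata(text, parse_duration("P5D"))
    source_dir.mkdir(parents=True, exist_ok=True)
    (source_dir / name).write_bytes(data)
    print(f"wrote {source_dir / name} ({removed} NameIDFormat elements removed)")
```

Two points worth noting. First, the look-ahead is a freshness guarantee for the cron cadence: a document that is still valid today but expires before the next refresh is worse than a refusal, because the IdP would silently stop trusting it mid-week. Second, the file name is computed from the entityID, not from the URL the metadata came from, which is what lets the provider look an entity up on demand without any index.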
...
```bash
# Steps 5 and 6
$ $BIN_DIR/md_refresh.bash -F $md_location \
    | $BIN_DIR/md_require_valid_metadata.bash -L P5D \
    | /usr/bin/xsltproc $LIB_DIR/remove_NameIDFormat.xsl - \
    | $BIN_DIR/md_tee.bash $sourceDirectory \
    > /dev/null
```
...
```bash
#!/bin/bash
# Cron job: is the cached copy of the AWS metadata still current?
# AWS does not honor HTTP Conditional GET, so instead of a cheap cache check
# the tool fetches the document and diffs it against the cached copy.
# Exit status follows http_cache_diff.bash: 0 = cache is up-to-date,
# 1 = the server copy differs, >1 = the diff itself failed.

# environment variables
# (also export TMPDIR if it doesn't already exist)
export BIN_DIR=/tmp/bin
export LIB_DIR=/tmp/lib
export CACHE_DIR=/tmp/http_cache
export LOG_FILE=/tmp/bash_log.txt

# the name of this script
script_name=${0##*/}

# specify the HTTP resource
location=https://signin.aws.amazon.com/static/saml-metadata.xml

# quietly (-Q) diff the cached file against the file on the server
"$BIN_DIR/http_cache_diff.bash" -Q "$location" >&2
status_code=$?
if [ "$status_code" -eq 1 ]; then
    echo "WARN: $script_name: cache is NOT up-to-date for resource: $location" >&2
elif [ "$status_code" -gt 1 ]; then
    echo "ERROR: $script_name: http_cache_diff.bash failed ($status_code) on location: $location" >&2
fi
exit "$status_code"
```
...