This article describes a semi-automatic process for managing untrusted SAML metadata using a Shibboleth LocalDynamicMetadataProvider and a complementary set of command-line tools.

...

We start with a relatively simple example of remote metadata:

https://shibboleth.irbmanager.com/metadata.xml

  • A non-InCommon Shibboleth SP that consumes InCommon metadata

  • Last-Modified: Tue, 28 Jul 2015 13:32:54 GMT

  • Supports HTTP Conditional GET

  • See the relevant discussion thread on the mailing list

If you trust the SP owner to do the Right Thing, and the reliance on commercial TLS is not a concern, configure a Shibboleth FileBackedHTTPMetadataProvider to refresh the metadata at least daily:

...

Update the cache (bash):
# Steps 5 and 6
# force a metadata refresh
$ $BIN_DIR/md_refresh.bash -F $md_location \
    | $BIN_DIR/md_tee.bash $sourceDirectory \
    > /dev/null

...

Moreover, the NameIDFormat elements in AWS metadata are bogus; they must be removed from the metadata for the integration to succeed. However, since AWS metadata includes a @validUntil attribute, downloading a static copy of the metadata is not advisable.

https://signin.aws.amazon.com/static/saml-metadata.xml

  • Last-Modified date unknown

  • Does not support HTTP Conditional GET (no ETag in response)

  • Unauthorized URN-based entityID (urn:amazon:webservices)

  • Includes @validUntil attribute (expires annually)

  • No encryption certificate

  • NameIDFormat is wrong (showstopper)

    • Current NameIDFormat values in metadata:

      • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

      • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

    • Login apparently works fine when these two NameIDFormat values are removed from metadata

    • This might work: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • Role-based attribute release is tricky (see the AWS documentation and search the Shibboleth archives for details)

  • See relevant discussion thread on the mailing list

As in the previous example, initialize both the cache and the source directory, but this time filter the NameIDFormat elements from the metadata before copying to the source directory:

Initialize the cache (bash):
# Steps 1 and 2
$ md_location=https://signin.aws.amazon.com/static/saml-metadata.xml
# log a warning if the metadata will expire within 5 days
$ $BIN_DIR/md_refresh.bash $md_location \
   | $BIN_DIR/md_require_valid_metadata.bash -LE P5D \
   | /usr/bin/xsltproc $LIB_DIR/remove_NameIDFormat.xsl - \
   | $BIN_DIR/md_tee.bash $sourceDirectory \
   > /dev/null
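The filtering step above depends on remove_NameIDFormat.xsl and md_require_valid_metadata.bash, neither of which is shown on this page. As an added illustration (not the article's or the toolkit's code), the following Python script performs the same two checks on a constructed sample document: it rejects expired metadata, warns when @validUntil falls within five days (the -LE P5D check), and strips every NameIDFormat element before the document is written to the source directory.

```python
import datetime as dt
import xml.etree.ElementTree as ET
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample, not real AWS metadata: one SP role with a validUntil
# attribute and the two NameIDFormat values the article says must be removed.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:amazon:webservices" validUntil="2015-10-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.aws.amazon.com/saml" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def remove_nameid_formats(root):
    """Remove every md:NameIDFormat element in the tree; return the count removed."""
    removed = 0
    for parent in list(root.iter()):  # snapshot, since we mutate while walking
        for child in list(parent):
            if child.tag == f"{{{MD_NS}}}NameIDFormat":
                parent.remove(child)
                removed += 1
    return removed

def filter_metadata(xml_text, now_iso, min_days=5):
    """Apply the pipeline's checks: reject expired metadata, warn if it expires
    within min_days (the -LE P5D step), strip NameIDFormat; return (xml, warnings)."""
    root = ET.fromstring(xml_text)
    warnings = []
    valid_until = root.get("validUntil")  # absent on metadata with no expiry
    if valid_until is not None:
        delta = parse_saml_time(valid_until) - parse_saml_time(now_iso)
        if delta.total_seconds() <= 0:
            raise ValueError("metadata has expired (validUntil is in the past)")
        if delta.days < min_days:
            warnings.append(f"metadata expires in {delta.days} day(s)")
    count = remove_nameid_formats(root)
    if count:
        warnings.append(f"removed {count} NameIDFormat element(s)")
    return ET.tostring(root, encoding="unicode"), warnings
```

In the real pipeline the warnings would go to the log file and the filtered XML to md_tee.bash; here they are returned so a caller can decide what to do with them.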

...

Update the cache (bash):
# Steps 5 and 6
# force a metadata refresh
$ $BIN_DIR/md_refresh.bash -F $md_location \
   | $BIN_DIR/md_require_valid_metadata.bash -LE P5D \
   | /usr/bin/xsltproc $LIB_DIR/remove_NameIDFormat.xsl - \
   | $BIN_DIR/md_tee.bash $sourceDirectory \
   > /dev/null

...

Example 2: Cron job to sweep the source directory (bash):
#!/bin/bash

# environment variables
# (also export TMPDIR if it doesn’t already exist)
export BIN_DIR=/tmp/bin
export LIB_DIR=/tmp/lib
export CACHE_DIR=/tmp/http_cache
export LOG_FILE=/tmp/bash_log.txt

# the name of this script
script_name=${0##*/}

# specify the source directory
sourceDirectory=/path/to/source/dir

# remove expired metadata from the source directory
# log a warning if a metadata document will expire within two weeks
$BIN_DIR/md_sweep.bash -LE P2W $sourceDirectory >&2
status_code=$?
if [ $status_code -ne 0 ]; then
	echo "ERROR: $script_name: md_sweep.bash failed ($status_code) on source directory: $sourceDirectory" >&2
fi

exit $status_code

...