...

The underlying web interface, which is managed as an AdministrativeConfiguration, looks like this:

http[s]://localhost/idp/profile/admin/mdquery?entityID=https%3A%2F%2Fsp.example.org%2Fsp

The same thing on the command line would be:

$ /opt/shibboleth-idp/bin/mdquery.sh -e https://sp.example.org/sp

The parameters supported and their corresponding command line options are:

| Query String | Command Line | Cardinality | Description |
|---|---|---|---|
| entityID | --entityID, -e | Required | The entityID to find metadata for |
| protocol | --protocol | Only 1 may be present | Protocol to find metadata role for |
| saml1 | --saml1 | Only 1 may be present | Queries for SAML 1.1 role |
| saml2 | --saml2 | Only 1 may be present | Queries for SAML 2.0 role |
| cas | --cas | Only 1 may be present | Queries for CAS role |

The tool essentially reproduces the results that would ordinarily be produced during metadata lookup in any of the "protocol" request flows.

...

V4.1 includes properties to control various aspects of the flow's behavior using an internally-defined bean that may be overridden if required.

Properties (V4.1+)

The general properties configuring this flow via admin/admin.properties are:

| Name | Default | Description |
|---|---|---|
| idp.mdquery.logging | MetadataQuery | Audit log identifier for flow |
| idp.mdquery.accessPolicy | AccessByIPAddress | Name of access control policy for request authorization |
| idp.mdquery.authenticated | false | Whether authentication should be performed prior to access control evaluation |
| idp.mdquery.nonBrowserSupported | false | Whether the flow should allow for non-browser clients during authentication |
| idp.mdquery.resolveAttributes | false | Whether attributes should be resolved prior to access control evaluation |

Flow Descriptor XML (V4.1+)

To replace the internally defined flow descriptor bean, the following XML is required:

<util:list id="shibboleth.AvailableAdminFlows">
 
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/mdquery"
        p:loggingId="%{idp.mdquery.logging:MetadataQuery}"
        p:policyName="%{idp.mdquery.accessPolicy:AccessByIPAddress}"
        p:nonBrowserSupported="%{idp.mdquery.nonBrowserSupported:false}"
        p:authenticated="%{idp.mdquery.authenticated:false}"
        p:resolveAttributes="%{idp.mdquery.resolveAttributes:false}" />
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/admin/general-admin.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.
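To see which values the flow descriptor bean above actually receives, the following added example (not part of the Shibboleth documentation or code base) resolves its `%{name:default}` placeholders against the text of admin/admin.properties and notes how the access decision is reached. It assumes the properties come from that one file and uses a simplified .properties reader; the function names and the sample file content are constructed for illustration.

```python
import re
# Placeholder-bearing attributes copied from the flow descriptor bean on this page.
BEAN_ATTRS = {
    "loggingId": "%{idp.mdquery.logging:MetadataQuery}",
    "policyName": "%{idp.mdquery.accessPolicy:AccessByIPAddress}",
    "nonBrowserSupported": "%{idp.mdquery.nonBrowserSupported:false}",
    "authenticated": "%{idp.mdquery.authenticated:false}",
    "resolveAttributes": "%{idp.mdquery.resolveAttributes:false}",
}
PLACEHOLDER = re.compile(r"%\{([^:}]+)(?::([^}]*))?\}")
# Simplified .properties line: key=value or key:value; '#' and '!' start comments.
PROP_LINE = re.compile(r"^\s*([^#!\s=:][^\s=:]*)\s*[=:]\s*(.*?)\s*$")

def parse_properties(text):
    matches = (PROP_LINE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def effective_settings(properties_text):
    """Resolve each %{name:default}: a set property wins, else the default."""
    props = parse_properties(properties_text)
    def resolve(m):
        name, default = m.group(1), m.group(2)
        if name in props:
            return props[name]
        if default is None:
            raise KeyError(f"{name} is unset and has no default")
        return default
    return {a: PLACEHOLDER.sub(resolve, t) for a, t in BEAN_ATTRS.items()}

def review(settings):
    """Notes on how the access decision is reached with these values."""
    notes = []
    if settings["authenticated"].lower() != "true":
        notes.append(f"policy {settings['policyName']} is evaluated without authentication")
        if settings["nonBrowserSupported"].lower() == "true":
            notes.append("nonBrowserSupported is set but authentication is off")
    return notes

# Constructed admin/admin.properties content; AccessByAdminUser is a
# hypothetical policy name used only for illustration.
SAMPLE = """\
idp.mdquery.accessPolicy = AccessByAdminUser
idp.mdquery.authenticated=true
#idp.mdquery.resolveAttributes = true
"""

if __name__ == "__main__":
    for source in ("", SAMPLE):  # shipped defaults, then the sample overrides
        settings = effective_settings(source)
        print(settings, review(settings) or "no notes")
```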