Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Excerpt
hiddentrue

Reads in the UK federation metadata aggregate, verifies its signature, removes the shibboleth.net some specific entities, removes all roles except IDPSSODescriptor, AttributeAuthorityDescriptor, SPSSODescriptor, and removes any person or organization contact information.

This command line configuration example:

  • reads the UK federation metadata aggregate from its distribution site

  • verifies the aggregate's signature using the X.509 certificate taken from path/to/input/ukfederation-2014.pem, terminating processing if this is not possible

  • removes three

    specific

    (imaginary) entities belonging to the

    Shibboleth project

    example.com domain

  • removes all entity role descriptors other than IDPSSODescriptor, SPSSODescriptor or AttributeAuthorityDescriptor 

  • removes any person or organization contact information

  • writes the results into the file path/to/output/output.xml

You can execute the example as follows:

Code Block
languagebash
$ .../mda.sh configfilter-aggregate.xml main

The example configuration file is as follows; it has been verified with MDA version 0.9.110.0-SNAPSHOT as of 2024-05-09:

Code Block
linenumbers
languagexmltrue
<?xml version="1.0" encoding="UTF-8"?>
<beans default-init-method="initialize"
       xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

    <bean id="httpClientBuilder" classparent="net.shibboleth.utilities.java.support.httpclient.mda.HttpClientBuilder"/>
    <bean id="httpClient" factory-bean="httpClientBuilder" factory-method="buildClient"/>

    <!-- Import the Standard bean definition resource. -->
    <!-- See https://shibboleth.atlassian.net/wiki/spaces/MA1/pages/3162439683/Standard+bean+definition+resource -->
    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>

    <!-- First, we define the stages for our pipeline -->

    <bean id="source" classparent="net.shibboleth.metadata.dommda.DOMResourceSourceStage">
        <property name="id" value="source"/>
        <property name="parserPool">
            <bean classparent="net.shibboleth.utilities.java.support.xml.BasicParserPool" init-method="initialize"mda.BasicParserPool"/>
        </property>
        <property name="DOMResource">
            <bean classparent="net.shibboleth.ext.spring.resource.mda.HTTPResource">
                <constructor-arg ref="httpClient"/>
                <constructor-arg
                    value="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/>
            </bean>
        </property>
    </bean>

    <!--
        Validate the signature on an aggregate. If the signature is not
        present or cannot be validated, this will add an Error status to
        the item. This will not by itself result in processing being
        terminated.
    -->
    <bean id="validateSignature" classparent="net.shibboleth.metadata.dommda.XMLSignatureValidationStage">
        <property name="id" value="validateSignature"/>
        <property name="verificationCertificate">
            <bean classparent="net.shibboleth.ext.spring.factory.mda.X509CertificateFactoryBean">
                <property name="resource">
                    <bean class="org.springframework.core.io.FileSystemResource">
                        <constructor-arg>
                            <bean class="java.io.File">
                                <constructor-arg value="path/to/input/ukfederation-2014.pem"/>
                            </bean>
                        </constructor-arg>
                    </bean>
                </property>
            </bean>
        </property>
    </bean>

    <!--
        errorAnnouncer

        A pipeline stage that logs any errors present,
        but takes no action on them.
    -->
    <bean id="removeEntities" class="net.shibboleth.metadata.dom.saml="errorAnnouncer" parent="mda.StatusMetadataLoggingStage">
        <property name="id" value="errorAnnouncer"/>
        <property name="selectionRequirements">
            <list>
                <value>#{T(net.shibboleth.metadata.ErrorStatus)}</value>
            </list>
        </property>
    </bean>

    <!--
        errorTerminator

        This pipeline stage causes CLI termination if any item is marked with an error status.
    -->
    <bean id="errorTerminator" parent="mda.ItemMetadataTerminationStage">
        <property name="id" value="errorTerminator"/>
        <property name="selectionRequirements">
            <list>
                <value>#{T(net.shibboleth.metadata.ErrorStatus)}</value>
            </list>
        </property>
    </bean>

    <bean id="removeEntities" parent="mda.EntityFilterStage">
        <property name="id" value="removeEntities"/>
        <property name="designatedEntities">
            <list>
                <value>https://idp.shibbolethexample.netcom/idp/shibboleth</value>
                <value>https://issues.shibbolethexample.netcom/shibboleth</value>
                <value>https://wiki.shibbolethexample.netcom/shibboleth</value>
            </list>
        </property>
    </bean>

    <bean id="removeRoles" classparent="net.shibboleth.metadata.dom.saml.mda.EntityRoleFilterStage">
        <property name="id" value="removeRoles"/>
        <property name="whitelistingRoleskeepingRoles" value="true"/>
        <property name="designatedRoles">
            <list>
                <bean class="javax.xml.namespace.QName">
                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
                    <constructor-arg value="IDPSSODescriptor"/>
                </bean>
                <bean class="javax.xml.namespace.QName">
                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
                    <constructor-arg value="AttributeAuthorityDescriptor"/>
                </bean>
                <bean class="javax.xml.namespace.QName">
                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
                    <constructor-arg value="SPSSODescriptor"/>
                </bean>
            </list>
        </property>
    </bean>

    <bean id="removeInvalidContactPerson" classparent="net.shibboleth.metadata.dom.saml.mda.ContactPersonFilterStage">
        <property name="id" value="removeInvalidContactPerson"/>
        <property name="whitelistingTypeskeepingTypes" value="false"/>
    </bean>

    <bean id="removeOrganization" classparent="net.shibboleth.metadata.dom.saml.mda.RemoveOrganizationStage">
        <property name="id" value="removeOrganization"/>
    </bean>

    <bean id="serialize" classparent="net.shibboleth.metadata.pipelinemda.SerializationStage">
        <property name="id" value="serializeIdPs"/>
        <property name="outputFile">
            <bean class="java.io.File">
                <constructor-arg value="path/to/output/output.xml"/>
            </bean>
        </property>
        <property name="serializer">
            <bean id="domSerializer" classparent="net.shibboleth.metadata.dommda.DOMElementSerializer"/>
        </property>
    </bean>

    <!-- Next we define a pipeline with all the stages in it -->
    <bean id="main" classparent="net.shibboleth.metadata.pipelinemda.SimplePipeline">
        <property name="id" value="main"/>
        <property name="stages">
            <list>
                <ref bean="source"/>
                <ref bean="validateSignature"/>
                <ref bean="errorAnnouncer"/>
                <ref bean="errorTerminator"/>
                <ref bean="removeEntities"/>
                <ref bean="removeRoles"/>
                <ref bean="removeInvalidContactPerson"/>
                <ref bean="removeOrganization"/>
                <ref bean="serialize"/>
            </list>
        </property>
    </bean>
</beans>

...