This article describes a semi-automatic process for managing untrusted SAML metadata using a Shibboleth LocalDynamicMetadataProvider and a complementary set of command-line tools.
...
We start with a relatively simple example of remote metadata:
https://shibboleth.irbmanager.com/metadata.xml

- A non-InCommon Shibboleth SP that consumes InCommon metadata
- Last-Modified: Tue, 28 Jul 2015 13:32:54 GMT
- Supports HTTP Conditional GET
- See the relevant discussion thread on the mailing list
If you trust the SP owner to do the Right Thing, and reliance on commercial TLS (the only thing protecting the download) is not a concern, configure a Shibboleth FileBackedHTTPMetadataProvider to refresh the metadata at least daily:
...
Moreover, the NameIDFormat elements in AWS metadata are wrong: they must be removed from the metadata before the integration will work. Since AWS metadata also carries a @validUntil attribute (it expires annually), a one-time static download is not advisable either; the metadata has to be refreshed before it expires.

https://signin.aws.amazon.com/static/saml-metadata.xml

- Last-Modified date unknown
- Does not support HTTP Conditional GET (no ETag in response)
- Unauthorized URN-based entityID (urn:amazon:webservices)
- Includes @validUntil attribute (expires annually)
- No encryption certificate
- NameIDFormat is wrong (showstopper)
  - Current NameIDFormat values in metadata:
    - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  - Login apparently works fine when these two NameIDFormat values are removed from metadata
  - This might work: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Role-based attribute release is tricky (see the AWS documentation and search the Shibboleth archives for details)
- See the relevant discussion thread on the mailing list
As in the previous example, initialize both the cache and the source directory, but this time filter the NameIDFormat elements from the metadata before copying to the source directory:
...
Since the server does not support HTTP Conditional GET, the tool used in the previous example (http_cache_check.bash) will not work. Here we use a diff-like tool that downloads the file from the server on every check and compares it to the cached file byte-by-byte:
...
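The two steps described above (filtering the NameIDFormat elements into the LocalDynamicMetadataProvider source directory, and comparing a fresh download byte-for-byte against the cache because the server ignores conditional requests), as an added example that is not the page's own tooling and not the http_cache_check.bash tool it refers to. The function names, the directory layout under $WORK_DIR, the constructed sample metadata, and the assumption that each NameIDFormat element sits on its own line with double-quoted attributes are mine. The file name in the source directory follows the provider's default source key (hex SHA-1 of the entityID, with a .xml suffix); check your sourceKeyGenerator configuration if you changed it.

```shell
#!/usr/bin/env bash
# Added example, not the page's tools: refresh one untrusted SP's metadata
# into a Shibboleth LocalDynamicMetadataProvider source directory.
# Assumptions (mine): directory layout, function names, double-quoted
# entityID/validUntil attributes, one NameIDFormat element per line.
set -eu

WORK_DIR="${WORK_DIR:-$(mktemp -d)}"
CACHE_DIR="$WORK_DIR/cache"    # verbatim copies of what the server sent
SOURCE_DIR="$WORK_DIR/source"  # what the LocalDynamicMetadataProvider reads
mkdir -p "$CACHE_DIR" "$SOURCE_DIR"

# Plain fetch, no conditional headers: this server ignores them anyway.
fetch_metadata() {  # URL OUTFILE
  curl --silent --show-error --fail --location --output "$2" "$1"
}

# Byte-by-byte comparison for servers without Last-Modified/ETag support:
# exit 0 if the two files are identical, 1 if they differ.
metadata_unchanged() {  # NEWFILE CACHEDFILE
  cmp -s "$1" "$2"
}

# Drop every NameIDFormat element, whatever namespace prefix it carries.
filter_nameidformat() {  # INFILE OUTFILE
  sed -E '/<([A-Za-z0-9_.-]+:)?NameIDFormat>/d' "$1" > "$2"
}

entity_id() {  # FILE -> value of the first entityID attribute
  sed -nE 's/.*entityID="([^"]*)".*/\1/p' "$1" | head -n 1
}

# Fail if @validUntil (when present) is not in the future. A second argument
# overrides "now" (ISO 8601 UTC) so the check can be exercised offline.
valid_until_ok() {  # FILE [NOW]
  local vu now
  vu=$(sed -nE 's/.*validUntil="([^"]*)".*/\1/p' "$1" | head -n 1)
  [ -z "$vu" ] && return 0
  now="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
  # Same fixed-width prefix (YYYY-MM-DDTHH:MM:SS), so string order is time order.
  awk -v a="$vu" -v b="$now" 'BEGIN { exit !(substr(a,1,19) > substr(b,1,19)) }'
}

# LocalDynamicMetadataProvider's default source key: hex SHA-1 of the entityID.
sha1_hex() {  # STRING
  if command -v sha1sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
  fi
}

# Filter a cached file into the source directory; prints the installed path.
install_source() {  # CACHEDFILE
  local id target
  id=$(entity_id "$1")
  [ -n "$id" ] || { echo "no entityID in $1" >&2; return 1; }
  target="$SOURCE_DIR/$(sha1_hex "$id").xml"
  filter_nameidformat "$1" "$target"
  printf '%s\n' "$target"
}

# Online path: fetch, reject expired metadata, install only when bytes changed.
refresh_sp() {  # URL
  local tmp cached
  tmp=$(mktemp)
  cached="$CACHE_DIR/$(basename "$1")"
  fetch_metadata "$1" "$tmp"
  valid_until_ok "$tmp" || { echo "metadata expired: $1" >&2; rm -f "$tmp"; return 1; }
  if [ -f "$cached" ] && metadata_unchanged "$tmp" "$cached"; then
    rm -f "$tmp"; echo "unchanged: $1"; return 0
  fi
  mv "$tmp" "$cached"
  install_source "$cached"
}

# Constructed sample (not the real AWS file): one SP carrying the two
# NameIDFormat values the page says must be removed, plus a validUntil.
write_sample_metadata() {  # OUTFILE
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:sp" validUntil="2099-01-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# "refresh URL" runs the online path; anything else runs the offline demo.
case "${1:-demo}" in
  refresh) refresh_sp "$2" ;;
  *) write_sample_metadata "$CACHE_DIR/sample.xml"
     installed=$(install_source "$CACHE_DIR/sample.xml")
     echo "installed $installed"
     if grep -q NameIDFormat "$installed"; then echo "WARNING: NameIDFormat still present"
     else echo "no NameIDFormat elements remain"; fi ;;
esac
```

Run it with no arguments for the offline demo, or as refresh followed by the metadata URL from a cron job. The comparison is deliberately on bytes rather than on parsed XML: a change in signature, validUntil or certificate is exactly what you want to notice before it is copied into the source directory, and a full download on every run is the price of a server that offers neither ETag nor Last-Modified.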