Versions Compared

Old Version 18

changes.mady.by.user trscavo@ncsa.illinois.edu

Saved on

compared with

New Version 19

changes.mady.by.user trscavo@ncsa.illinois.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This article describes a semi-automatic process for managing untrusted SAML metadata using a Shibboleth LocalDynamicMetadataProvider and a complementary set of command-line tools.

...

We start with a relatively simple example of remote metadata:

https://shibboleth.irbmanager.com/metadata.xml

  • A non-InCommon Shibboleth SP that consumes InCommon metadata

  • Last-Modified: Tue, 28 Jul 2015 13:32:54 GMT

  • Supports HTTP Conditional GET

  • See the relevant discussion thread on the mailing list

If you trust the SP owner to do the Right Thing, and the reliance on commercial TLS is not a concern, configure a Shibboleth FileBackedHTTPMetadataProvider to refresh the metadata at least daily:

...

Moreover, the NameIDFormat elements in AWS metadata are bogus. The elements must be removed from metadata in order for the integration to be successful. Since AWS metadata includes a @validUntil attribute, downloading a static copy of the metadata is not advisable, however.

https://signin.aws.amazon.com/static/saml-metadata.xml

  • Last-Modified date unknown

  • Does not support HTTP Conditional GET (no ETag in response)

  • Unauthorized URN-based entityID (urn:amazon:webservices)

  • Includes @validUntil attribute (expires annually)

  • No encryption certificate

  • NameIDFormat is wrong (showstopper)

    • Current NameIDFormat values in metadata:

      • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

      • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

    • Login apparently works fine when these two NameIDFormat values are removed from metadata

    • This might work: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • Role-based attribute release is tricky (see the AWS documentation and search the Shibboleth archives for details)

  • See relevant discussion thread on the mailing list

As in the previous example, initialize both the cache and the source directory, but this time filter the NameIDFormat elements from the metadata before copying to the source directory:

...

Code Block
languagebash
titleExample 2: Cron job to sweep the source directory
collapsetrue
#!/bin/bash

# environment variables
# (also export TMPDIR if it doesn’t already exist)
export BIN_DIR=/tmp/bin
export LIB_DIR=/tmp/lib
export CACHE_DIR=/tmp/http_cache
export LOG_FILE=/tmp/bash_log.txt

# the name of this script
script_name=${0##*/}

# specify the source directory
sourceDirectory=/path/to/source/dir

# log a warning if a metadata file is due remove expired metadata from the source directory
# also check for metadata set to expire within two weeks
$BIN_DIR/md_sweep.bash -L P2W $sourceDirectory >&2
status_code=$?
if [ $status_code -ne 0 ]; then
	echo "ERROR: $script_name: md_sweep.bash failed ($status_code) on source directory: $sourceDirectory" >&2
fi

exit $status_code

Note that the above script removes all expired metadata from the source directory, not just AWS metadata.