This article describes a proof-of-concept implementation of a metadata early warning system designed to work in conjunction with a Shibboleth FileBackedHTTPMetadataProvider, one of two HTTPMetadataProviders implemented in the Shibboleth IdP FileBackedHTTPMetadataProvider.
Contents
Table of Contents
...
The rest of this article assumes you have configured a FileBackedHTTPMetadataProvider in the Shibboleth IdP. The backing file will be used as a source of (trusted) metadata:
...
Requires the
@validUntilattribute to exist and ensures that its value is in the future but not too far into the futureRequires the
@creationInstantattribute to exist and ensures that its value is in the past- Warns if the metadata is soon-to-be-expired
- Warns if the metadata is stale (but not soon-to-be-expired)
...
Now try the following experiments:
Assuming the Validity Interval is in fact 14 days, set Set
maxValidityIntervalto something less than the actual length of the Validity Interval and watch the process fail: an error message will be logged and the metadata will be removed from the pipeline.Set
maxValidityIntervalto something more than the actual length of the Validity Interval and watch the process fail: a warning message will be logged.Again assuming Assuming the actual Validity Interval is 14 days, set
maxValidityIntervalto something more the subintervals to overlapping values (say,-E P3D -F P12D) and watch the process fail: a warning message will be logged.Set the
freshnessIntervalto some ridiculously small value (likePT60Ssay,-F PT60S) and watch the process fail: a warning message will be logged.Set the
expirationWarningIntervalto some ridiculously large value (relative to the actual Validity Intervalsay,-E P13D -F PT60S) and watch the process fail: a warning message will be logged.
Once When you've confirmed that the early warning system is behaving as expected, continue with the following configuration steps.
...