In a nutshell, current best practices for the management of SAML metadata include the following specific recommendations:

  1. Use FilesystemMetadataProvider or LocalDynamicMetadataProvider for local metadata

  2. Use FileBackedHTTPMetadataProvider or DynamicHTTPMetadataProvider for remote metadata

  3. Use entity attributes to drive automated relying party configuration (this is called a metadata-driven configuration)

In addition, consider using one or more MetadataFilter plugins to secure or optimize your configuration; for example the SchemaValidationFilter to ensure your metadata has no obvious errors in it, or the EntityRoleFilter to decrease the memory use of the loaded metadata.

...

There are two basic approaches to local metadata management:

  1. Load metadata in a background thread (using FilesystemMetadataProvider)

  2. Load metadata just-in-time as needed (using LocalDynamicMetadataProvider)

Tip

Store the primary source files off-IdP

Although metadata is retrieved from the local IdP filesystem, the primary source files need not be stored on the IdP itself. The files can be stored elsewhere and then pushed to the IdP as needed. Command-line tools such as rcp or rsync work well for this purpose.

...

Perhaps the simplest way to manage local metadata is to configure one or more metadata providers of type FilesystemMetadataProvider. As its name implies, a FilesystemMetadataProvider loads (and periodically reloads) metadata from the file system. It does this in a background thread, so that the load operation is invisible to the end user. A simple example follows:

[Included page: IDP5:FilesystemMetadataProviderExample]

...

Remote metadata is loaded from a remote source via an HTTP metadata provider. There are two basic approaches:

  1. Out-of-band metadata refresh (using FileBackedHTTPMetadataProvider)

  2. In-band metadata query (using DynamicHTTPMetadataProvider)

Metadata refresh and metadata query are commonly used to consume metadata published by a trusted third party called a Federation. There are more than 50 recognized Federations in the R&E sector worldwide. Consult the eduGAIN technical site for an up-to-date list.

...

For illustration, let's assume that: (1) the top-level <md:EntitiesDescriptor> element of the XML document is signed; (2) the top-level <md:EntitiesDescriptor> element of the XML document is decorated with a validUntil attribute; (3) the validity interval is two weeks (P14D) in duration; and (4) the server supports HTTP conditional GET. The sample metadata provider shown below retrieves the metadata, verifies the signature, and checks the expiration date before loading the metadata into IdP memory:

[Included page: IDP5:RemoteMetadataAggregateExample]

...

For illustration, let's assume that: (1) the top-level <md:EntityDescriptor> element of the XML document is signed; (2) the top-level <md:EntityDescriptor> element of the XML document is decorated with a validUntil attribute; (3) the validity interval is two weeks (P14D) in duration; and (4) the server conforms to the Metadata Query Protocol specification. The sample metadata provider shown below retrieves the metadata, verifies the signature, and checks the expiration date before loading the metadata into IdP memory:

[Included page: IDP5:MetadataQueryProtocolExample]

See the DynamicHTTPMetadataProvider topic for more information.
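As an added example (not one of the page's included sample providers), here are both remote cases above, the signed aggregate consumed by FileBackedHTTPMetadataProvider and the per-entity lookup by DynamicHTTPMetadataProvider, written as metadata-providers.xml fragments with the signature and validUntil filters the text describes. Hostnames, file paths, certificate names and id values are assumptions.

```xml
<!-- Added example: metadata-providers.xml fragments for the two remote cases above.
     Hostnames, paths and id values are assumptions, not real endpoints. -->

<!-- Case 1: signed aggregate, refreshed out-of-band in a background thread.
     On each refresh the provider re-fetches the URL and, when the server supports
     it, uses a conditional GET (If-Modified-Since / ETag), so an unchanged
     aggregate costs one small round trip rather than a full download. -->
<MetadataProvider id="ExampleFederationAggregate"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  metadataURL="https://federation.example.org/metadata/aggregate.xml"
                  backingFile="%{idp.home}/metadata/federation-aggregate.xml"
                  minRefreshDelay="PT5M"
                  maxRefreshDelay="PT4H"
                  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

    <!-- Filters run in document order; everything listed after SignatureValidation
         operates on verified content only. -->
    <MetadataFilter xsi:type="SchemaValidation"/>

    <!-- Assumption (1): the root <md:EntitiesDescriptor> is signed. The signing
         certificate is pinned from a local file, never taken from the document. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/federation-signer.pem"/>

    <!-- Assumptions (2) and (3): the root element must carry validUntil, and that
         date may lie at most P14D in the future. Metadata with no validUntil, or
         with a longer window than the federation promises, is rejected, so a stale
         or replayed aggregate is never loaded. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

    <!-- Memory saving mentioned above (EntityRole is the IdP 4+ name of the
         EntityRoleFilter): an IdP only needs the SP roles. -->
    <MetadataFilter xsi:type="EntityRole">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>
</MetadataProvider>

<!-- Case 2: per-entity lookup at request time from a Metadata Query Protocol
     server. The same signature and validity checks apply to each fetched
     <md:EntityDescriptor>, which is the signed root in this case. -->
<MetadataProvider id="ExampleFederationMDQ"
                  xsi:type="DynamicHTTPMetadataProvider">
    <MetadataFilter xsi:type="SignatureValidation"
                    requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/mdq-signer.pem"/>
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
    <MetadataQueryProtocol>https://mdq.example.org/</MetadataQueryProtocol>
</MetadataProvider>
```

In a real deployment the md namespace prefix is normally declared once on the file's root element rather than on each provider as shown here.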

...