



Reads in the UK federation metadata aggregate, verifies its signature, removes the shibboleth.net entities, removes all roles except IDPSSODescriptor, AttributeAuthorityDescriptor, SPSSODescriptor, and removes any person or organization contact information.

This command-line configuration example:

  • reads the UK federation metadata aggregate from its distribution site
  • verifies the aggregate's signature using the X.509 certificate taken from path/to/ukfederation-2014.pem
  • removes three specific entities belonging to the Shibboleth project
  • removes all entity role descriptors other than IDPSSODescriptor, SPSSODescriptor or AttributeAuthorityDescriptor
  • removes any person or organization contact information
  • writes the results into the file path/to/output.xml

You can execute the example as follows:

$ .../mda.sh config.xml main

The example configuration file is as follows; it has been verified with MDA version 0.9.1:

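<?xml version="1.0" encoding="UTF-8"?>
<!--
  MDA pipeline configuration.

  Fetches the UK federation metadata aggregate, verifies its XML signature,
  removes the three shibboleth.net entities, keeps only the IdP, AA and SP
  role descriptors, strips ContactPerson and Organization elements, and
  writes the result to a local file.

  The stages are defined first; the "main" pipeline at the end of the file
  fixes the order in which they run. Run with: mda.sh config.xml main
-->
<beans default-init-method="initialize"
       xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">

    <!-- HTTP client shared by the source stage below. -->
    <bean id="httpClientBuilder" class="net.shibboleth.utilities.java.support.httpclient.HttpClientBuilder"/>
    <bean id="httpClient" factory-bean="httpClientBuilder" factory-method="buildClient"/>

    <!-- First, we define the stages for our pipeline -->

    <!--
      Stage: source.
      Downloads the aggregate from the federation's distribution site. The URL
      is plain http, so the downloaded document must be treated as untrusted
      until the validateSignature stage (next in the pipeline) has checked it.
      Authenticity therefore rests on the signature check, not on the transport.
    -->
    <bean id="source" class="net.shibboleth.metadata.dom.DOMResourceSourceStage">
        <property name="id" value="source"/>
        <property name="parserPool">
            <bean class="net.shibboleth.utilities.java.support.xml.BasicParserPool" init-method="initialize"/>
        </property>
        <property name="DOMResource">
            <bean class="net.shibboleth.ext.spring.resource.HTTPResource">
                <constructor-arg ref="httpClient"/>
                <constructor-arg
                    value="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/>
            </bean>
        </property>
    </bean>

    <!--
      Stage: validateSignature.
      Verifies the aggregate's XML signature against the federation signing
      certificate read from a local PEM file (replace the path with your own).
      Keep this stage immediately after "source" in the pipeline so that no
      filtering or serialization happens on an unverified document.
    -->
    <bean id="validateSignature" class="net.shibboleth.metadata.dom.XMLSignatureValidationStage">
        <property name="id" value="validateSignature"/>
        <property name="verificationCertificate">
            <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
                <property name="resource">
                    <bean class="org.springframework.core.io.FileSystemResource">
                        <constructor-arg>
                            <bean class="java.io.File">
                                <constructor-arg value="path/to/ukfederation-2014.pem"/>
                            </bean>
                        </constructor-arg>
                    </bean>
                </property>
            </bean>
        </property>
    </bean>

    <!--
      Stage: removeEntities.
      Drops the entities whose entityIDs are listed in designatedEntities;
      here, the three entities belonging to the Shibboleth project.
    -->
    <bean id="removeEntities" class="net.shibboleth.metadata.dom.saml.EntityFilterStage">
        <property name="id" value="removeEntities"/>
        <property name="designatedEntities">
            <list>
                <value>https://idp.shibboleth.net/idp/shibboleth</value>
                <value>https://issues.shibboleth.net/shibboleth</value>
                <value>https://wiki.shibboleth.net/shibboleth</value>
            </list>
        </property>
    </bean>

    <!--
      Stage: removeRoles.
      whitelistingRoles="true" means designatedRoles is a keep-list: only the
      three SAML 2.0 metadata roles named below survive; every other role
      descriptor is removed from each entity.
    -->
    <bean id="removeRoles" class="net.shibboleth.metadata.dom.saml.EntityRoleFilterStage">
        <property name="id" value="removeRoles"/>
        <property name="whitelistingRoles" value="true"/>
        <property name="designatedRoles">
            <list>
                <bean class="javax.xml.namespace.QName">
                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
                    <constructor-arg value="IDPSSODescriptor"/>
                </bean>
                <bean class="javax.xml.namespace.QName">
                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
                    <constructor-arg value="AttributeAuthorityDescriptor"/>
                </bean>
                <bean class="javax.xml.namespace.QName">
                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
                    <constructor-arg value="SPSSODescriptor"/>
                </bean>
            </list>
        </property>
    </bean>

    <!--
      Stage: removeInvalidContactPerson.
      whitelistingTypes="false" with no designatedTypes configured. Per the
      description accompanying this example, the effect is that all
      ContactPerson elements are removed. NOTE(review): confirm that reading
      against the MDA documentation for the version in use.
    -->
    <bean id="removeInvalidContactPerson" class="net.shibboleth.metadata.dom.saml.ContactPersonFilterStage">
        <property name="id" value="removeInvalidContactPerson"/>
        <property name="whitelistingTypes" value="false"/>
    </bean>

    <!-- Stage: removeOrganization. Strips Organization elements. -->
    <bean id="removeOrganization" class="net.shibboleth.metadata.dom.saml.RemoveOrganizationStage">
        <property name="id" value="removeOrganization"/>
    </bean>

    <!--
      Stage: serialize.
      Writes the filtered DOM to the output file (replace the path with your
      own). The stage id is kept equal to the bean id, as for every other
      stage in this file; the original value "serializeIdPs" was a leftover.
    -->
    <bean id="serialize" class="net.shibboleth.metadata.pipeline.SerializationStage">
        <property name="id" value="serialize"/>
        <property name="outputFile">
            <bean class="java.io.File">
                <constructor-arg value="path/to/output.xml"/>
            </bean>
        </property>
        <property name="serializer">
            <bean id="domSerializer" class="net.shibboleth.metadata.dom.DOMElementSerializer"/>
        </property>
    </bean>

    <!--
      Next we define a pipeline with all the stages in it.
      Order matters: fetch, then verify the signature, then filter, then write.
    -->
    <bean id="main" class="net.shibboleth.metadata.pipeline.SimplePipeline">
        <property name="id" value="main"/>
        <property name="stages">
            <list>
                <ref bean="source"/>
                <ref bean="validateSignature"/>
                <ref bean="removeEntities"/>
                <ref bean="removeRoles"/>
                <ref bean="removeInvalidContactPerson"/>
                <ref bean="removeOrganization"/>
                <ref bean="serialize"/>
            </list>
        </property>
    </bean>
</beans>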