This provider loads the metadata for a relying party dynamically (on demand) from a server that implements the requirements of the draft Metadata Query Protocol specification (see base protocol, SAML profile).
Attributes
Common Attributes
The following attributes are supported for all MetadataProvider types:
Name | Type | Req? | Default | Description |
---|---|---|---|---|
type | string | Y | | Specifies the exact type of metadata plugin to use |
id | string | | | A label for the metadata source, used in logging and status reporting |
validate | boolean | | false | Whether the XML should be schema validated before it is parsed. Note that some sources of metadata (e.g., ADFS) may contain a large number of extensions. The SP now includes a number of additional schemas to make validation of such extensions possible, but there are always exceptions. |
Dynamic Provider Attributes
The following attributes are common to all dynamic metadata providers (i.e., DynamicHTTPMetadataProvider and LocalDynamicMetadataProvider):
Name | Type | Default | Description |
---|---|---|---|
parserPoolRef | Bean ID | shibboleth.ParserPool | Identifies a Spring bean for the XML parser used to parse metadata. Generally should not be changed. |
taskTimerRef | Bean ID | | Identifies a Spring bean containing a Java TaskTimer used to schedule reloads. When not set, an internal timer is created. Generally should not be changed. |
refreshDelayFactor | Real Number (strictly between 0.0 and 1.0) | 0.75 | A factor applied to the initially determined refresh time in order to determine the next refresh time (typically to ensure refresh takes place prior to the metadata's expiration). Attempts to refresh metadata will generally begin around the product of this number and the maximum refresh delay. |
minCacheDuration | Duration | PT10M (10 minutes) | The minimum duration for which metadata will be cached before it is refreshed. |
maxCacheDuration | Duration | PT8H (8 hours) | The maximum duration for which metadata will be cached before it is refreshed. |
maxIdleEntityData | Duration | PT8H (8 hours) | The maximum duration for which metadata will be allowed to be idle (no requests for it) before it is removed from the cache. |
removeIdleEntityData | Boolean | true | Flag indicating whether idle metadata should be removed. |
cleanupTaskInterval | Duration | PT30M (30 minutes) | The interval at which the internal cleanup task should run. This task performs background maintenance tasks, such as the removal of expired and idle metadata. |
persistentCacheManagerRef (3.3) | Bean ID | | The optional manager for the persistent cache store for resolved metadata. On metadata provider initialization, data present in the persistent cache will be loaded to memory, effectively restoring the state of the provider as closely as possible to that which existed before the previous shutdown. Each individual cache entry will only be loaded if 1) the entry is still valid as determined by the internal provider logic, and 2) the entry passes the (optional) predicate supplied via initializationFromCachePredicateRef. |
persistentCacheManagerDirectory (3.3) | File specification | | The directory used for an internally-constructed filesystem-based persistent cache. This is a convenience parameter to avoid specifying a full bean via |
persistentCacheKeyGeneratorRef (3.3) | Bean ID | internal default instance | Identifies a Spring bean for a Function which generates the string key used with the cache manager. The default implementation produces the lower-case hex-encoded SHA-1 digest of the entityID of the EntityDescriptor. |
initializeFromPersistentCacheInBackground (3.3) | Boolean | true | Flag indicating whether the provider should initialize from the persistent cache in the background. Initializing from the cache in the background will improve IdP startup times. |
backgroundInitializationFromCacheDelay (3.3) | Duration | PT2S (2 seconds) | The delay after which to schedule the background initialization from the persistent cache when |
initializationFromCachePredicateRef (3.3) | Bean ID | an "always true" predicate | Identifies a Spring bean for an optional |
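The two computations in the table above that operators most often need to reason about are the refresh schedule (refreshDelayFactor applied to the metadata's lifetime, clamped by minCacheDuration and maxCacheDuration) and the persistent-cache key (lower-case hex SHA-1 of the entityID). The following Python is an added illustration, not Shibboleth or OpenSAML code: the refresh-delay function is a simplified model of the rule the table describes (an assumption about ordering: the factor is applied first, then the result is clamped), and the sample times and entityID are constructed.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Defaults taken from the Dynamic Provider Attributes table.
REFRESH_DELAY_FACTOR = 0.75
MIN_CACHE_DURATION = timedelta(minutes=10)   # PT10M
MAX_CACHE_DURATION = timedelta(hours=8)      # PT8H


def next_refresh_delay(now, valid_until=None, cache_duration=None,
                       factor=REFRESH_DELAY_FACTOR,
                       min_cache=MIN_CACHE_DURATION,
                       max_cache=MAX_CACHE_DURATION):
    """Simplified model (an assumption, not the resolver's exact code) of
    when the next refresh of one entity's metadata is scheduled.

    The metadata's own lifetime is the earlier of validUntil and
    now + cacheDuration; when neither is present, maxCacheDuration is used.
    The refresh is attempted at refreshDelayFactor times that window, and
    the result is clamped to [minCacheDuration, maxCacheDuration].
    """
    if not 0.0 < factor < 1.0:
        raise ValueError("refreshDelayFactor must be strictly between 0.0 and 1.0")
    windows = []
    if valid_until is not None:
        windows.append(valid_until - now)
    if cache_duration is not None:
        windows.append(cache_duration)
    window = min(windows) if windows else max_cache
    delay = window * factor
    # Clamp: never refresh more often than minCacheDuration and never wait
    # longer than maxCacheDuration, whatever the metadata itself claims.
    return max(min_cache, min(delay, max_cache))


def persistent_cache_key(entity_id):
    """Default persistentCacheKeyGeneratorRef behaviour as the table states:
    lower-case hex-encoded SHA-1 of the entityID string."""
    return hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)          # constructed clock
    print(next_refresh_delay(now, valid_until=now + timedelta(hours=4)))
    print(next_refresh_delay(now, cache_duration=timedelta(minutes=1)))
    print(persistent_cache_key("https://sp.example.org/shibboleth"))  # constructed entityID
```

A validUntil four hours out yields a three-hour delay; a one-minute cacheDuration is lifted to the ten-minute floor; a very long validUntil is capped at eight hours. The key function is what lets you locate one entity's file in a persistentCacheManagerDirectory without reading every entry.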
Remote Dynamic Provider Attributes
The following attributes are supported only for the remote dynamic MetadataProvider types (MDQ, Dynamic):
Name | Type | Default | Description |
---|---|---|---|
cacheDirectory | string | | Defines a directory in which downloaded metadata will be cached. During startup the directory is also scanned and the metadata loaded to prime the in-memory cache. This directory should be unique for every metadata provider configured. A relative path will be applied relative to the /var/cache/shibboleth root, and the directory will be created if it does not exist. |
backgroundInitialize | boolean | true | Flag indicating whether the plugin should initialize itself from the cache in the background to improve startup time. It has no effect if |
verifyHost | boolean | true | If true, attempts to resolve metadata using a TLS-enabled URL will verify the hostname in the server's certificate against the expected hostname (but this is the extent of the validation performed unless other configuration is in place). |
ignoreTransport | boolean | false | If true, authentication of the transport layer will be ignored when resolving metadata. If false, a |
Accept (3.1) | string | "application/samlmetadata+xml" | Overrides the standard Accept header used to request the SAML metadata content type. |
Required attribute
Name | Type | Default | Description |
---|---|---|---|
baseUrl | String | Required | Specifies the base URL of the metadata provider. |
Child Elements
Common Child Elements
The following child elements are supported across all MetadataProvider types:
Name | Cardinality | Description |
---|---|---|
<MetadataFilter> | any | Metadata filter plugins to run |
<KeyInfoResolver> | 0 or 1 | Not generally used; it provides an extension point to override the low-level handling of |
Remote Provider Child Elements
The following child elements are supported by the remote, on-demand MetadataProvider types (MDQ, Dynamic):
Name | Cardinality | Description |
---|---|---|
| 0 or 1 | A TrustEngine plugin to apply to a server's certificate when resolving metadata using a TLS-enabled URL. This trust engine obviously cannot require the use of metadata to operate. If not supplied, the |
Example
```xml
<MetadataProvider type="MDQ" baseUrl="http://mdq.example.org/global/" cacheDirectory="mdqCache">
    <MetadataFilter type="Signature" certificate="/path/to/the/pemfile.pem"/>
</MetadataProvider>
```
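To see what the configuration above actually produces at runtime, the following added Python (not Shibboleth's own code) builds the per-entity request the MDQ provider sends for a given baseUrl and entityID, resolves a relative cacheDirectory under /var/cache/shibboleth as the attribute table describes, and reports which of the transport settings from the remote provider table leave the MDQ server itself unauthenticated. It assumes the `entities/` path form and percent-encoded identifier defined by the Metadata Query Protocol base specification; the entityIDs and URLs are constructed sample values.

```python
from pathlib import PurePosixPath
from urllib.parse import quote, urlsplit

# Default Accept header from the Remote Dynamic Provider Attributes table.
MDQ_ACCEPT = "application/samlmetadata+xml"
# Root under which a relative cacheDirectory is placed (from the same table).
CACHE_ROOT = "/var/cache/shibboleth"


def mdq_request(base_url, entity_id, accept=MDQ_ACCEPT):
    """Build the MDQ request for one entity: <baseUrl>entities/<entityID>,
    with the entityID percent-encoded (':' and '/' included, so a URL-form
    entityID does not turn into extra path segments), plus the Accept header
    the provider sends. The path form is an assumption taken from the MDQ
    base protocol, not from this page."""
    if not base_url.endswith("/"):
        base_url += "/"
    url = base_url + "entities/" + quote(entity_id, safe="")
    return url, {"Accept": accept}


def resolve_cache_directory(cache_directory, root=CACHE_ROOT):
    """A relative cacheDirectory is applied relative to the SP cache root;
    an absolute path is used as given."""
    path = PurePosixPath(cache_directory)
    return str(path if path.is_absolute() else PurePosixPath(root) / path)


def transport_warnings(base_url, verify_host=True, ignore_transport=False):
    """List the settings that weaken authentication of the MDQ server over
    the transport. A Signature filter still checks the metadata content,
    but an unauthenticated transport means the server's identity is not."""
    warnings = []
    if urlsplit(base_url).scheme != "https":
        warnings.append("baseUrl is not https; transport is unauthenticated")
    if ignore_transport:
        warnings.append("ignoreTransport=true disables transport authentication")
    if not verify_host:
        warnings.append("verifyHost=false skips hostname verification of the server certificate")
    return warnings


if __name__ == "__main__":
    # The example configuration above, with a constructed SP entityID.
    url, headers = mdq_request("http://mdq.example.org/global/",
                               "https://sp.example.org/shibboleth")
    print(url, headers)
    print(resolve_cache_directory("mdqCache"))
    for w in transport_warnings("http://mdq.example.org/global/"):
        print("warning:", w)
```

Run against the example configuration, the request goes to `.../global/entities/https%3A%2F%2Fsp.example.org%2Fshibboleth`, the cache lands in /var/cache/shibboleth/mdqCache, and the only transport warning is the plain-http baseUrl, which is why the Signature filter in the example carries the weight of authenticating what is fetched.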