This provider dynamically (on demand) loads the metadata for a relying party from a server that implements the draft Metadata Query Protocol specification (see the base protocol and the SAML profile).

Attributes

Common Attributes

The following attributes are supported for all MetadataProvider types:

Name | Type | Req? | Default | Description
type | string | Y | | Specifies the exact type of metadata plugin to use.
id | string | | | A label for the metadata source, used in logging and status reporting.
validate | boolean | | false | Whether the XML should be schema-validated before it is parsed. Note that some sources of metadata (e.g., ADFS) may contain a large number of extensions. The SP now includes a number of additional schemas to make validation of such extensions possible, but there are always exceptions.

Dynamic Provider Attributes

The following attributes are common to all dynamic metadata providers (i.e., DynamicHTTPMetadataProvider and LocalDynamicMetadataProvider):

Name | Type | Default | Description
parserPoolRef | Bean ID | shibboleth.ParserPool | Identifies a Spring bean for the XML parser used to parse metadata. Generally should not be changed.
taskTimerRef | Bean ID | | Identifies a Spring bean containing a Java TaskTimer used to schedule reloads. When not set, an internal timer is created. Generally should not be changed.
refreshDelayFactor | Real number (strictly between 0.0 and 1.0) | 0.75 | A factor applied to the initially determined refresh time in order to determine the next refresh time (typically to ensure refresh takes place prior to the metadata's expiration). Attempts to refresh metadata will generally begin around the product of this number and the maximum refresh delay.
minCacheDuration | Duration | PT10M (10 minutes) | The minimum duration for which metadata will be cached before it is refreshed.
maxCacheDuration | Duration | PT8H (8 hours) | The maximum duration for which metadata will be cached before it is refreshed.
maxIdleEntityData | Duration | PT8H (8 hours) | The maximum duration for which metadata will be allowed to be idle (no requests for it) before it is removed from the cache.
removeIdleEntityData | Boolean | true | Flag indicating whether idle metadata should be removed.
cleanupTaskInterval | Duration | PT30M (30 minutes) | The interval at which the internal cleanup task should run. This task performs background maintenance tasks, such as the removal of expired and idle metadata.
persistentCacheManagerRef (3.3) | Bean ID | | The optional manager for the persistent cache store for resolved metadata. On metadata provider initialization, data present in the persistent cache will be loaded to memory, effectively restoring the state of the provider as closely as possible to that which existed before the previous shutdown. Each individual cache entry will only be loaded if 1) the entry is still valid as determined by the internal provider logic, and 2) the entry passes the (optional) predicate supplied via initializationFromCachePredicateRef.
persistentCacheManagerDirectory (3.3) | File specification | | The directory used for an internally-constructed filesystem-based persistent cache. This is a convenience parameter to avoid specifying a full bean via persistentCacheManagerRef. This option will be ignored if persistentCacheManagerRef is specified.
persistentCacheKeyGeneratorRef (3.3) | Bean ID | internal default instance | Identifies a Spring bean for a Function which generates the string key used with the cache manager. The default implementation produces the lower-case hex-encoded SHA-1 digest of the entityID of the EntityDescriptor.
initializeFromPersistentCacheInBackground (3.3) | Boolean | true | Flag indicating whether the provider should initialize from the persistent cache in the background. Initializing from the cache in the background will improve IdP startup times.
backgroundInitializationFromCacheDelay (3.3) | Duration | PT2S (2 seconds) | The delay after which to schedule the background initialization from the persistent cache when initializeFromPersistentCacheInBackground=true.
initializationFromCachePredicateRef (3.3) | Bean ID | an "always true" predicate | Identifies a Spring bean for an optional Predicate which determines whether a given entity should be loaded from the persistent cache at resolver initialization time.
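The refresh and idle-removal timing described in the table above is easiest to see as a calculation. The following Python is an added example, not the SP's or the IdP's own code: it parses the ISO 8601 duration values the table uses (PT10M, PT8H, PT2S) and applies refreshDelayFactor, minCacheDuration, maxCacheDuration, maxIdleEntityData and removeIdleEntityData the way the descriptions state. The exact order of operations (take the sooner of validUntil and cacheDuration, cap at the maximum, multiply by the factor, floor at the minimum) is an assumption modelled on those descriptions, and the reference time in demo() is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Defaults copied from the attribute table; everything below is an added
# illustration of the described behaviour, not the provider's own code.
DEFAULT_REFRESH_DELAY_FACTOR = 0.75
DEFAULT_MIN_CACHE_DURATION = "PT10M"
DEFAULT_MAX_CACHE_DURATION = "PT8H"
DEFAULT_MAX_IDLE_ENTITY_DATA = "PT8H"

_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+(?:\.\d+)?)S)?)?$"
)


def parse_duration(text: str) -> float:
    """Convert the ISO 8601 duration forms used in the tables (PT10M, PT8H,
    PT2S, P1DT12H) to seconds. Year and month designators are not supported."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT") or text.endswith("T"):
        raise ValueError(f"unsupported duration: {text!r}")
    days = int(m.group("d") or 0)
    hours = int(m.group("h") or 0)
    minutes = int(m.group("m") or 0)
    seconds = float(m.group("s") or 0)
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def next_refresh_delay(now: datetime, valid_until=None, cache_duration=None,
                       refresh_delay_factor=DEFAULT_REFRESH_DELAY_FACTOR,
                       min_cache_duration=DEFAULT_MIN_CACHE_DURATION,
                       max_cache_duration=DEFAULT_MAX_CACHE_DURATION) -> float:
    """Seconds until the next refresh attempt for one cached entity.

    valid_until is the metadata's validUntil (a datetime) and cache_duration its
    cacheDuration (an ISO duration string); either may be absent. Assumed order:
    take the sooner of the two, cap at maxCacheDuration, multiply by
    refreshDelayFactor so the refresh lands before expiry, then floor at
    minCacheDuration so a nearly expired document cannot cause a refresh storm.
    """
    if not 0.0 < refresh_delay_factor < 1.0:
        raise ValueError("refreshDelayFactor must be strictly between 0.0 and 1.0")
    min_s = parse_duration(min_cache_duration)
    max_s = parse_duration(max_cache_duration)

    candidates = []
    if valid_until is not None:
        candidates.append((valid_until - now).total_seconds())
    if cache_duration is not None:
        candidates.append(parse_duration(cache_duration))
    remaining = min(candidates) if candidates else max_s

    delay = min(remaining, max_s) * refresh_delay_factor
    # An already-passed validUntil gives a negative delay; the floor handles it.
    return max(delay, min_s)


def is_idle(last_access: datetime, now: datetime,
            max_idle=DEFAULT_MAX_IDLE_ENTITY_DATA, remove_idle=True) -> bool:
    """Whether the cleanup task (run every cleanupTaskInterval) should drop the
    entry: only when removeIdleEntityData is true and nothing has requested it
    for longer than maxIdleEntityData."""
    if not remove_idle:
        return False
    return (now - last_access).total_seconds() > parse_duration(max_idle)


def demo() -> dict:
    """Worked values against a constructed reference time."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return {
        "valid_until_1d": next_refresh_delay(now, valid_until=now + timedelta(days=1)),
        "valid_until_10m": next_refresh_delay(now, valid_until=now + timedelta(minutes=10)),
        "cache_duration_2h": next_refresh_delay(now, cache_duration="PT2H"),
        "no_expiry": next_refresh_delay(now),
        "idle_9h": is_idle(now - timedelta(hours=9), now),
        "idle_1h": is_idle(now - timedelta(hours=1), now),
        "idle_disabled": is_idle(now - timedelta(hours=9), now, remove_idle=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the defaults, a document valid for another day is refreshed after 0.75 * 8h = 6h, one valid for only ten more minutes is still held for the full minCacheDuration, and an entry nobody has asked for in nine hours is a candidate for removal on the next cleanup pass.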

Remote Dynamic Provider Attributes

The following attributes are supported only for the remote dynamic MetadataProvider types (MDQDynamic):

Name | Type | Default | Description
cacheDirectory | string | | Defines a directory in which downloaded metadata will be cached. During startup the directory is also scanned and the metadata loaded to prime the in-memory cache. This directory should be unique for every metadata provider configured. A relative path will be applied relative to the /var/cache/shibboleth root, and the directory will be created if it does not exist.
backgroundInitialize | boolean | true | Flag indicating whether the plugin should initialize itself from the cache in the background to improve startup time. It has no effect if cacheDirectory is unset.
verifyHost | boolean | true | If true, attempts to resolve metadata using a TLS-enabled URL will verify the hostname in the server's certificate against the expected hostname (but this is the extent of the validation performed unless other configuration is in place).
ignoreTransport | boolean | false | If true, authentication of the transport layer will be ignored when resolving metadata. If false, a <TrustEngine> child element must be specified.
Accept (3.1) | string | "application/samlmetadata+xml" | Overrides the standard Accept header used to request the SAML metadata content type.

Required attribute

Name | Type | Default | Description
baseURL | String | Required | Specifies the base URL of the metadata provider.

Child Elements

Common Child Elements

The following child elements are supported across all MetadataProvider types:

Name | Cardinality | Description
<MetadataFilter> | any | Metadata filter plugins to run.
<KeyInfoResolver> | 0 or 1 | Not generally used; it provides an extension point to override the low-level handling of <ds:KeyInfo> elements and would be necessary to add support for some kind of custom XML key representation.

Remote Provider Child Elements

The following child elements are supported by the remote, on-demand MetadataProvider types (MDQDynamic):

Name | Cardinality | Description
<TrustEngine> | 0 or 1 | A TrustEngine plugin to apply to a server's certificate when resolving metadata using a TLS-enabled URL. This trust engine obviously cannot require the use of metadata to operate. If not supplied, the ignoreTransport attribute must be set to true to avoid a configuration error. This is done to prevent a misconfigured trust engine from resulting in insecure metadata resolution.

Example

MDQ provider
<MetadataProvider type="MDQ" baseUrl="http://mdq.example.org/global/" cacheDirectory="mdqCache" ignoreTransport="true">
    <!-- Plain HTTP: the transport is not authenticated, so ignoreTransport must be true
         (no <TrustEngine> is supplied) and the Signature filter is what protects the
         integrity of the retrieved metadata. -->
    <MetadataFilter type="Signature" certificate="/path/to/the/pemfile.pem"/>
</MetadataProvider>
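The transport rule from the tables (ignoreTransport=false requires a <TrustEngine>) is easy to get wrong in a provider element like the one above, and the per-entity request and the persistent-cache key are easy to state in code. The following Python is an added example and is not part of this page, the SP, or the IdP: check_mdq_provider() applies the rules the tables state to a <MetadataProvider type="MDQ"> element and adds one defender's check of my own (no Signature filter while the transport is unauthenticated); mdq_request() builds the lookup URL and Accept header, where the URL shape (base, then entities/, then the percent-encoded entityID) comes from the Metadata Query Protocol draft rather than from this page; cache_key() is the lower-case hex SHA-1 of the entityID that the persistentCacheKeyGeneratorRef default is described as producing. Both XML snippets are constructed for the example; the checker accepts both spellings, baseUrl and baseURL, because the page uses both.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

# Default from the Remote Dynamic Provider Attributes table.
DEFAULT_ACCEPT = "application/samlmetadata+xml"

# Constructed snippets for the checker, not taken from a real deployment.
# The first omits ignoreTransport on a plain-http baseUrl and has no
# <TrustEngine>, which the tables describe as a configuration error.
UNCHECKED_EXAMPLE = """<MetadataProvider type="MDQ" baseUrl="http://mdq.example.org/global/" cacheDirectory="mdqCache">
    <MetadataFilter type="Signature" certificate="/path/to/the/pemfile.pem"/>
</MetadataProvider>"""

# The corrected form: ignoreTransport states that the transport is not
# authenticated, so the Signature filter is what protects integrity.
CORRECTED_EXAMPLE = """<MetadataProvider type="MDQ" baseUrl="http://mdq.example.org/global/" cacheDirectory="mdqCache" ignoreTransport="true">
    <MetadataFilter type="Signature" certificate="/path/to/the/pemfile.pem"/>
</MetadataProvider>"""


def _local(tag: str) -> str:
    """Strip an XML namespace ({uri}Name -> Name) so the checks work on a bare
    snippet and on an element taken from a namespaced shibboleth2.xml alike."""
    return tag.rsplit("}", 1)[-1]


def mdq_request(base_url: str, entity_id: str, accept: str = DEFAULT_ACCEPT):
    """Return (url, headers) for one entity lookup. The path layout is the
    Metadata Query Protocol's: base + 'entities/' + the entityID with every
    reserved character percent-encoded (safe='' leaves nothing unescaped)."""
    if not base_url.endswith("/"):
        base_url += "/"
    return base_url + "entities/" + quote(entity_id, safe=""), {"Accept": accept}


def cache_key(entity_id: str) -> str:
    """Persistent-cache key as the table describes the default generator:
    lower-case hex-encoded SHA-1 digest of the entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def check_mdq_provider(xml_text: str) -> list:
    """Return findings for one <MetadataProvider type="MDQ"> element; an empty
    list means it is consistent with the rules stated in the tables above."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "MetadataProvider" or root.get("type") != "MDQ":
        return ["not an MDQ MetadataProvider element"]

    # The page spells the required attribute both baseUrl and baseURL.
    base_url = root.get("baseUrl") or root.get("baseURL")
    if not base_url:
        return ["baseUrl is required"]
    scheme = urlsplit(base_url).scheme.lower()

    ignore_transport = root.get("ignoreTransport", "false").lower() == "true"
    has_trust_engine = any(_local(c.tag) == "TrustEngine" for c in root)
    has_signature_filter = any(
        _local(c.tag) == "MetadataFilter" and c.get("type") == "Signature"
        for c in root
    )

    findings = []
    # Rule from the tables: ignoreTransport=false requires a <TrustEngine>.
    if not ignore_transport and not has_trust_engine:
        findings.append("ignoreTransport is false but no <TrustEngine> child is present: configuration error")
    # Defender's check (mine, not on the page): with no authenticated transport
    # (plain http, or TLS with ignoreTransport=true) only a Signature filter
    # protects the integrity of what the provider caches and uses.
    if (scheme != "https" or ignore_transport) and not has_signature_filter:
        findings.append("metadata integrity is unprotected: transport is not authenticated and there is no Signature MetadataFilter")
    if root.get("verifyHost", "true").lower() == "false":
        findings.append("verifyHost=false: hostname check on the MDQ server certificate is disabled")
    if not root.get("cacheDirectory"):
        findings.append("no cacheDirectory: nothing survives a restart, every entity is fetched cold")
    return findings


if __name__ == "__main__":
    url, headers = mdq_request("http://mdq.example.org/global/", "https://sp.example.org/shibboleth")
    print(url, headers)
    print(cache_key("https://sp.example.org/shibboleth"))
    print(check_mdq_provider(UNCHECKED_EXAMPLE))  # one finding about <TrustEngine>
    print(check_mdq_provider(CORRECTED_EXAMPLE))  # []
```

Run it and the first snippet produces exactly the configuration error the <TrustEngine> row describes, while the second passes; the cache key printed is the file name you would expect to find under cacheDirectory for that entity if the SP's own key generation matches the default the table describes.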