Every potential source of metadata is declared to the Discovery Service by a <MetadataProvider>
element in the $DS_HOME/wayfconfig.xml
file.
If the wayfconfig.xml file is changed, you need to restart the service |
The <MetadataProvider>
element must have the following attributes
file:<LocalPath>
, http://<RemotePath>
and https://<RemotePath>
In addition, if the http://
or form https://<RemotePath>
is used, the following attributes may be specified:
http://
and https://
urls.In all cases, for releases starting V1.2.0, the following attributes to perform extra data validation, or the reload frequency,
Setting the min and max refresh delay to the same value is a nonsensical configuration. Don't do it. |
<MetadataProvider displayName="Local Federation" identifier="FileFed" url="file:///etc/DiscoveryService/metadata/sites.xml"/> <MetadataProvider displayName="UK Federation" identifier="UkFed" certicateFile="/etc/metadata/ukfederation.pem" maxValidityInterval = "P7D" backingFile="/etc/metadata/ukfed_store.xml" url="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/> |
In all cases, the Discovery Service will reload metadata as soon as it has been changed. It is not necessary to restart the service |
If the metadata contains <DiscoveryResponse>
elements, then the binding attribute is checked. If an entity has an invalid binding then it is removed from the metadata and a note written to the log. If required the behavior can be limited to issuing a warning bu setting the element "warnOnBadBinding" in the <Default>
configuration to be "true".
Once a metadata source has been declared, it is associated with a specific location via the <DiscoveryServiceHandler>
element.
<DiscoveryServiceHandler [...]> <Federation identifier="UkFed"/> [...] </DiscoveryServiceHandler> |
The DiscoveryServiceHandler is discussed in more details in DSUserInterface
A <MetadataProvider>
may have one or more custom filters added (written in Java). Each filter has to implement org.opensaml.saml2.metadata.provider.MetadataFilter
and have a constructor which take a single parameter of type org.w3c.dom.Element
(this being the element which defines the filter as described below).
A filter is associated with a Metadata Provider via a <Filter>
element. This is unstructured. It may have any attributes and sub elements which can be used to provide parameters to the code. It must have the following attributes:
<MetadataProvider [...]> <Filter identifier="Filter1" type="uk.ac.ed.sdss.FilterForStuff"> <MoreSpecificStuff param="wibble" /> </Filter> <Filter identifier="Filter2" type="edu.internet2.OtherFilter"> <Stuff> <EvenMoreStuff/> </Stuff> </Filter> </MetadataProvider> |
The DiscoveryService is shipped with a simple white-list and black-list filter. Given a list of entities, the metadata will be adjusted to remove all elements which are not in the list (white list operation) or to remove all entities which are on the list (blacklist operation).
The filter is configured thus:
<Filter identifier="Black" type="edu.internet2.middleware.shibboleth.wayf.plugins.provider.ListFilter" excludeEntries="true"> <EntityId>https://first.blacklisted.entity.edu/IdP</EntityId> <EntityId>https://another.blacklisted.entity.edu/IdP</EntityId> </Filter> |
The excludeEntries
controls whether elements on the list are excluded from the metadata (blacklist operation) or have to be included (white list operation).
The resulting metadata must include all SPs which interact with the DS. This is particularly important to remember when buidling white list (excludeEntries="false") filters |