The Shibboleth IdP V4 software will leave support on September 1, 2024.

MetadataQueryProtocolExample

Owned by Scott Cantor
Last updated: Sept 21, 2021 by Rod WiddowsonVersion comment
2 min read
<!-- Load entity metadata from a remote HTTP server via the Metadata Query Protocol: https://github.com/iay/md-query The sample configuration below implicitly formulates a Metadata Query Protocol URL from the given base URL. For example, if the entityID is https://sso.example.org/sp, the provider will request the following resource: https://mdq.example.org/global/entities/https%3A%2F%2Fsso.example.org%2Fsp The sample configuration below assumes: (1) the top-level element of the XML document is signed; (2) the top-level element of the XML document is decorated with a validUntil attribute; (3) the validity interval is two weeks (P14D) in duration; and (4) the server conforms to the Metadata Query Protocol specification. The metadata is cached for efficiency. The minCacheDuration attribute (default: PT10M) and the maxCacheDuration attribute (default: PT8H) strongly influence the life cycle of metadata in the local cache. (Any cacheDuration and validUntil attributes in the metadata itself also influence the behavior of the local cache.) The goal is to avoid needless interaction with the HTTP server. To achieve this goal, you need to understand the life cycle of the metadata on the server. For this reason, it is best to ask your federation operator for specific recommendations. The HTTP Connection Attributes include the connectionRequestTimeout attribute (default: PT5S), the connectionTimeout attribute (default: PT5S), and the socketTimeout attribute (default: PT5S). The default values of these attributes are overridden in the example below. --> <MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider" connectionRequestTimeout="PT2S" connectionTimeout="PT2S" socketTimeout="PT4S"> <!-- Verify the signature on the root element of the metadata using a trusted metadata signing certificate. --> <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true" certificateFile="%{idp.home}/credentials/mdq-cert.pem"/> <!-- Require a validUntil XML attribute on the root element and make sure its value is no more than 14 days into the future. --> <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/> <!-- Specify the base URL for the Metadata Query Protocol --> <MetadataQueryProtocol>https://mdq.example.org/global/</MetadataQueryProtocol> </MetadataProvider>