The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.

RemoteMetadataAggregateExample

<!--
    Load (and reload) a signed metadata aggregate from a remote HTTP server.
    This sample configuration assumes:
      (1) the top-level element of the XML document is signed;
      (2) the top-level element of the XML document is decorated with a validUntil attribute;
      (3) the validity interval is two weeks (P14D) in duration; and
      (4) the server supports HTTP conditional GET.

    The metadata refresh process is influenced by the configured values of the
    minRefreshDelay attribute (default: PT30S) and the maxRefreshDelay attribute
    (default: PT4H) and also by any cacheDuration and validUntil attributes in
    the metadata itself. If the server does not support HTTP conditional GET,
    the attributes should be adjusted accordingly.
-->
<MetadataProvider id="RemoteMetadataAggregate"
                  xsi:type="FileBackedHTTPMetadataProvider"
                  backingFile="%{idp.home}/metadata/federation-metadata-copy.xml"
                  metadataURL="http://example.org/metadata/federation-metadata.xml">

    <!--
        Verify the signature on the root element of the metadata aggregate
        using a trusted metadata signing certificate.
    -->
    <MetadataFilter xsi:type="SignatureValidation"
                    requireSignedRoot="true"
                    certificateFile="%{idp.home}/conf/metadata/md-cert.pem"/>

    <!--
        Require a validUntil XML attribute on the root element and make sure
        its value is no more than 14 days into the future.
    -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

    <!-- Consume all SP metadata in the aggregate -->
    <MetadataFilter xsi:type="EntityRole">
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>

</MetadataProvider>
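An added example (not part of the Shibboleth documentation or code): a Python pre-flight check that applies the validUntil rule described for the RequiredValidUntil filter above to a metadata document, using constructed sample metadata. It does not verify the XML signature; the function names, the UTC default and the expired-metadata check are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROOT_TAGS = {f"{{{MD_NS}}}EntitiesDescriptor", f"{{{MD_NS}}}EntityDescriptor"}

# Constructed sample documents (not real federation metadata).
SAMPLE_OK = f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" validUntil="2024-01-10T00:00:00Z"/>'
SAMPLE_TOO_LONG = f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" validUntil="2024-03-01T00:00:00Z"/>'
SAMPLE_MISSING = f'<md:EntitiesDescriptor xmlns:md="{MD_NS}"/>'


def parse_xs_datetime(value):
    """Parse an xs:dateTime value into a timezone-aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    # Assumption: a value without a zone is treated as UTC.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_valid_until(xml_text, now, max_interval=timedelta(days=14)):
    """Return (ok, reason) for the root element's validUntil attribute."""
    root = ET.fromstring(xml_text)
    if root.tag not in ROOT_TAGS:
        return False, "root element is not SAML metadata"
    raw = root.get("validUntil")
    if raw is None:
        return False, "validUntil missing on root element"
    try:
        valid_until = parse_xs_datetime(raw)
    except ValueError:
        return False, "validUntil is not a valid xs:dateTime"
    if valid_until <= now:
        # Extra check in this example: already-expired metadata is rejected.
        return False, "metadata has expired"
    if valid_until - now > max_interval:
        return False, "validUntil exceeds the maximum validity interval"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the samples
    samples = [("ok", SAMPLE_OK), ("too long", SAMPLE_TOO_LONG), ("missing", SAMPLE_MISSING)]
    for name, doc in samples:
        print(name, check_valid_until(doc, now))
```

Run it against the local backing file copy as a monitoring check, so a federation aggregate that drops validUntil or lengthens its validity interval is noticed before the IdP starts rejecting it.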
