The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.
Managing Untrusted Metadata
This article describes a semi-automatic process for managing untrusted SAML metadata using a Shibboleth LocalDynamicMetadataProvider and a complementary set of command-line tools.
First configure a Shibboleth LocalDynamicMetadataProvider. In particular, configure a sourceDirectory as a local repository of metadata. The latter is referred to as $sourceDirectory in the code fragments below.
Install the SAML Library of command-line tools. Note that BIN_DIR and LIB_DIR are environment variables created during the installation process. These environment variables are used repeatedly in the code fragments below.
Identify a metadata source location to be managed. Perform the following sequence of steps for each metadata source location:
1. Prime the cache with a copy of the metadata
2. Filter the metadata into the source directory of the LocalDynamicMetadataProvider
3. Check the metadata on the server
4. If the metadata on the server is different from the metadata in the cache, investigate the differences
5. If the differences are acceptable, update the cache with fresh metadata
6. Filter the metadata into the source directory of the LocalDynamicMetadataProvider
7. Go to step 3
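A minimal shell rendering of steps 1 to 6, added here as an example and not code from the Shibboleth wiki or the SAML Library. It assumes the fresh copy has already been downloaded (for instance with a conditional GET), that there is one cache file per metadata source, and that files in $sourceDirectory are named by the SHA-1 hex of the entityID plus .xml, which is what the LocalDynamicMetadataProvider's default sourceKeyGenerator looks up; the filter is a stand-in that only refuses aggregates and files without a usable entityID.

```shell
#!/usr/bin/env bash
# Added example, not from the Shibboleth wiki or the SAML Library.
# Assumed layout: one cache file per metadata source, and files in
# $sourceDirectory named <sha1(entityID)>.xml, which is what the
# LocalDynamicMetadataProvider's default sourceKeyGenerator looks up.

# Extract the entityID of the (single) EntityDescriptor in a metadata file.
md_entity_id() {  # $1 = metadata file
  grep -o 'entityID="[^"]*"' "$1" | head -n 1 | sed 's/^entityID="//; s/"$//'
}

# Map an entityID to the file name the provider will look for (SHA-1 hex).
md_source_key() {  # $1 = entityID
  printf '%s' "$1" | sha1sum | cut -d ' ' -f 1
}

# Steps 3/4: is the copy on the server identical to the cache?
# Returns 0 when identical, 1 when the cache is missing or differs
# (that is the point at which the operator investigates the diff).
md_cache_check() {  # $1 = cached file, $2 = freshly fetched file
  [ -f "$1" ] && cmp -s "$1" "$2"
}

# Steps 5/6 (and 1/2 on the first run): accept fresh metadata into the
# cache, then filter it into the source directory. This stand-in filter
# only refuses aggregates and files without a usable entityID; the real
# library tools apply further checks before anything reaches the IdP.
md_accept_and_filter() {  # $1 = fresh file, $2 = cache file, $3 = $sourceDirectory
  local eid key
  if grep -Eq '<(md:)?EntitiesDescriptor' "$1" \
     || ! grep -Eq '<(md:)?EntityDescriptor[ >]' "$1"; then
    echo "refusing $1: expected a single EntityDescriptor" >&2; return 2
  fi
  eid=$(md_entity_id "$1")
  [ -n "$eid" ] || { echo "refusing $1: no entityID found" >&2; return 2; }
  key=$(md_source_key "$eid")
  mkdir -p "$3" && cp "$1" "$2" && cp "$1" "$3/$key.xml" || return 3
  printf '%s\n' "$3/$key.xml"   # path the provider will read
}
```

Run md_cache_check first; only when it reports a difference you have reviewed should md_accept_and_filter be called, otherwise the cache and $sourceDirectory are left untouched.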
The following examples illustrate the basic process.
Example 1: IRBManager
We start with a relatively simple example of remote metadata: https://shibboleth.irbmanager.com/metadata.xml
A non-InCommon Shibboleth SP that consumes InCommon metadata
Last-Modified: Tue, 28 Jul 2015 13:32:54 GMT
Supports HTTP Conditional GET
See the relevant discussion thread on the mailing list
If you trust the SP owner to do the Right Thing, and the reliance on commercial TLS is not a concern, configure a Shibboleth FileBackedHTTPMetadataProvider to refresh the metadata at least daily: