Managing Untrusted Metadata

The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.


This article describes a semi-automatic process for managing untrusted SAML metadata using a Shibboleth LocalDynamicMetadataProvider and a complementary set of command-line tools.

First configure a Shibboleth LocalDynamicMetadataProvider. In particular, configure a sourceDirectory as a local repository of metadata. The latter is referred to as $sourceDirectory in the code fragments below.

Install the SAML Library of command-line tools. Note that BIN_DIR and LIB_DIR are environment variables created during the installation process. These environment variables are used repeatedly in the code fragments below.

Identify a metadata source location to be managed. Perform the following sequence of steps for each metadata source location:

  1. Prime the cache with a copy of the metadata

  2. Filter the metadata into the source directory of the LocalDynamicMetadataProvider

  3. Check the metadata on the server

  4. If the metadata on the server is different from the metadata in the cache, investigate the differences

  5. If the differences are acceptable, update the cache with fresh metadata

  6. Filter the metadata into the source directory of the LocalDynamicMetadataProvider

  7. Go to step 3
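The cache, compare and stage loop of steps 1 to 7, written out as an added shell example; it is not the article's own code and not a tool from the SAML Library. It assumes curl, cmp and sha1sum (or shasum) are installed, and that the LocalDynamicMetadataProvider keeps its default key generator, which names a file in $sourceDirectory after the lowercase hex SHA-1 of the entityID followed by .xml.

```shell
# Added example, not code from the article or from the SAML Library.
# Assumes curl, cmp and sha1sum (or shasum) are installed, and that the
# LocalDynamicMetadataProvider keeps its default key generator, so a file in
# $sourceDirectory is named <lowercase hex SHA-1 of the entityID>.xml.

# File name under which the provider will look up one entity.
md_source_key() {                       # md_source_key ENTITY_ID
  local hash
  if command -v sha1sum >/dev/null 2>&1; then
    hash=$(printf '%s' "$1" | sha1sum)
  else
    hash=$(printf '%s' "$1" | shasum -a 1)
  fi
  printf '%s.xml\n' "${hash%% *}"
}

# First entityID attribute in a metadata file. Production scripts should use
# an XML-aware tool; a grep is enough to show the flow here.
md_entity_id() {                        # md_entity_id FILE
  grep -o 'entityID="[^"]*"' "$1" | head -n 1 | sed 's/^entityID="//; s/"$//'
}

# Steps 3-4: conditional GET against the cache (If-Modified-Since comes from
# the cache file's mtime; -R keeps the server's Last-Modified on the copy).
# Returns 0 if the server copy differs (candidate left in TMP_FILE),
# 1 if unchanged, 2 on fetch error.
md_check() {                            # md_check URL CACHE_FILE TMP_FILE
  if [ -f "$2" ]; then
    curl -fsS -R -z "$2" -o "$3" "$1" || return 2
  else
    curl -fsS -R -o "$3" "$1" || return 2
  fi
  [ -s "$3" ] || return 1               # 304 Not Modified: no body written
  if [ -f "$2" ] && cmp -s "$2" "$3"; then rm -f "$3"; return 1; fi
  return 0
}

# Step 6: copy accepted metadata into the provider's source directory under
# the key the provider will request for that entityID.
md_stage() {                            # md_stage METADATA_FILE SOURCE_DIR
  local eid
  eid=$(md_entity_id "$1")
  [ -n "$eid" ] || return 1
  cp -f "$1" "$2/$(md_source_key "$eid")"
}

# Step 5: the reviewed candidate becomes the new cache, then is staged.
md_accept() {                           # md_accept TMP_FILE CACHE_FILE SOURCE_DIR
  mv -f "$1" "$2" && md_stage "$2" "$3"
}
```

Prime the cache (steps 1 and 2) by running md_check with no cache file present and then md_accept; on later runs, when md_check returns 0, review `diff -u` of the cache against the candidate (step 4) before calling md_accept.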

The following examples illustrate the basic process.

Example 1: IRBManager

We start with a relatively simple example of remote metadata:

https://shibboleth.irbmanager.com/metadata.xml

  • A non-InCommon Shibboleth SP that consumes InCommon metadata

  • Last-Modified: Tue, 28 Jul 2015 13:32:54 GMT

  • Supports HTTP Conditional GET

  • See the relevant discussion thread on the mailing list

If you trust the SP owner to do the Right Thing, and the reliance on commercial TLS is not a concern, configure a Shibboleth FileBackedHTTPMetadataProvider to refresh the metadata at least daily:

Example 1: Configure a FileBackedHTTPMetadataProvider