MetadataQueryProtocolExample
- Scott Cantor
May 02, 2023
<!--
    Load entity metadata from a remote HTTP server via the Metadata
    Query Protocol: https://github.com/iay/md-query

    The sample configuration below implicitly formulates a Metadata Query
    Protocol URL from the given base URL: the literal path segment
    "entities/" followed by the percent-encoded entityID (every character
    outside the RFC 3986 unreserved set is encoded, so the ":" and "/" of
    the entityID cannot be read as path structure). For example, if the
    entityID is https://sso.example.org/sp, the provider will request the
    following resource:

      https://mdq.example.org/global/entities/https%3A%2F%2Fsso.example.org%2Fsp

    The sample configuration below assumes: (1) the top-level element of
    the XML document is signed; (2) the top-level element of the XML
    document is decorated with a validUntil attribute; (3) the validity
    interval is no more than two weeks (P14D) in duration; and (4) the
    server conforms to the Metadata Query Protocol specification. The
    SignatureValidation and RequiredValidUntil filters below enforce (1)
    through (3); a response that fails either filter is discarded.

    The metadata is cached for efficiency. The minCacheDuration attribute
    (default: PT10M) and the maxCacheDuration attribute (default: PT8H)
    strongly influence the life cycle of metadata in the local cache. (Any
    cacheDuration and validUntil attributes in the metadata itself also
    influence the behavior of the local cache.) The goal is to avoid
    needless interaction with the HTTP server without serving metadata
    the server has since withdrawn or changed. To achieve this goal, you
    need to understand the life cycle of the metadata on the server. For
    this reason, it is best to ask your federation operator for specific
    recommendations.

    The HTTP Connection Attributes include the connectionRequestTimeout
    attribute (default: PT5S), the connectionTimeout attribute (default:
    PT5S), and the socketTimeout attribute (default: PT5S). The default
    values of these attributes are overridden in the example below. Keep
    these short: a lookup for an entity that is not yet cached happens
    inline while a user is waiting, so an unresponsive MDQ server stalls
    logins for the full timeout.
-->
<MetadataProvider id="DynamicEntityMetadata" xsi:type="DynamicHTTPMetadataProvider"
    connectionRequestTimeout="PT2S"
    connectionTimeout="PT2S"
    socketTimeout="PT4S">

    <!--
        Verify the signature on the root element of the metadata
        using a trusted metadata signing certificate. Trust comes from
        this certificate, not from the HTTPS connection: TLS protects
        the transport to the MDQ server, while the signature check binds
        the metadata to the federation's signing key. With
        requireSignedRoot="true", an unsigned response is rejected
        rather than silently accepted.
    -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/mdq-cert.pem"/>

    <!--
        Require a validUntil XML attribute on the root element and
        make sure its value is no more than 14 days into the future.
        This bounds how long a cached copy can remain in use after the
        server withdraws or changes the entity's metadata.
    -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

    <!-- Specify the base URL for the Metadata Query Protocol -->
    <MetadataQueryProtocol>https://mdq.example.org/global/</MetadataQueryProtocol>

</MetadataProvider>
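The following Python script is an added example, not code from the Shibboleth project or from this page. It models the client side of what the provider above does: it formulates the MDQ request URL from the base URL and entityID exactly as described in the comment, and it applies the RequiredValidUntil check (validUntil must be present on the root element and no more than maxValidityInterval in the future) to a fetched document. It goes beyond the page in two labelled places: it also builds the MDQ specification's "{sha1}" identifier form, and it additionally rejects a document whose validUntil has already passed. Signature validation is omitted; the minimal EntityDescriptor is constructed inline and unsigned, and the base URL, entityID and reference time are the hypothetical values from the sample configuration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Hypothetical values matching the sample configuration above.
BASE_URL = "https://mdq.example.org/global/"
ENTITY_ID = "https://sso.example.org/sp"


def mdq_url(base_url, entity_id):
    """Formulate the MDQ request URL: <base>/entities/<percent-encoded entityID>.

    safe="" makes quote() encode ":" and "/" as well, so the entityID can
    never be interpreted as path structure (or smuggle in "../" segments).
    """
    base = base_url if base_url.endswith("/") else base_url + "/"
    return base + "entities/" + quote(entity_id, safe="")


def mdq_sha1_url(base_url, entity_id):
    """Same request using the MDQ specification's "{sha1}" identifier transform:
    "{sha1}" followed by the lowercase hex SHA-1 of the UTF-8 entityID, then
    percent-encoded like any other identifier. (From the MDQ spec, not the page.)
    """
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return mdq_url(base_url, "{sha1}" + digest)


_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """Parse the subset of ISO 8601 durations used in the configuration
    (P14D, PT10M, PT8H, PT5S) into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError("unsupported duration: " + text)
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return timedelta(days=g["d"], hours=g["h"], minutes=g["m"], seconds=g["s"])


def parse_xs_datetime(text):
    """Parse an xs:dateTime such as 2023-05-16T00:00:00Z (SAML metadata uses UTC)."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # defensive: treat a naive timestamp as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_required_valid_until(xml_bytes, max_validity, now):
    """Model of the RequiredValidUntil filter: the root element must carry a
    validUntil attribute whose value lies no more than max_validity in the
    future. Returns "ok" or a rejection reason. Beyond the filter itself, an
    already expired document is also rejected here.

    In the real provider this runs only after SignatureValidation has passed,
    so nothing in an untrusted document is acted on before its signature checks.
    """
    root = ET.fromstring(xml_bytes)
    value = root.get("validUntil")
    if value is None:
        return "rejected: root element has no validUntil attribute"
    valid_until = parse_xs_datetime(value)
    if valid_until <= now:
        return "rejected: metadata already expired"
    if valid_until > now + parse_duration(max_validity):
        return "rejected: validUntil exceeds maxValidityInterval " + max_validity
    return "ok"


def sample_metadata(valid_until=None):
    """Constructed, unsigned minimal EntityDescriptor used as sample input."""
    attr = ' validUntil="%s"' % valid_until if valid_until else ""
    return (
        '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"'
        ' entityID="%s"%s>' % (ENTITY_ID, attr)
        + '<SPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol"/>'
        "</EntityDescriptor>"
    ).encode("utf-8")


if __name__ == "__main__":
    now = parse_xs_datetime("2023-05-02T00:00:00Z")  # hypothetical reference time
    print(mdq_url(BASE_URL, ENTITY_ID))
    print(mdq_sha1_url(BASE_URL, ENTITY_ID))
    for vu in ("2023-05-10T00:00:00Z", "2023-06-01T00:00:00Z",
               "2023-04-01T00:00:00Z", None):
        print(vu, "->", check_required_valid_until(sample_metadata(vu), "P14D", now))
```

Run it against a document actually fetched from your federation's MDQ server by replacing sample_metadata() with the response body; the rejection reasons mirror what the filter would log, and a "validUntil exceeds" result usually means maxValidityInterval is set shorter than the validity window the federation publishes, which is the question to settle with the federation operator.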