MetadataQuery

Owned by Scott Cantor
Last updated: Jun 12, 2023
2 min read

This interface provides a mechanism to query the IdP's Metadata resolver(s).  This can be used as a debugging aid ("Is the IdP really seeing the metadata I think it is?") and also as a way of forcing specific entities into cache (which might be relevant for entities loaded via DynamicHTTPMetadataProvider or LocalDynamicMetadataProvider).

The underlying web interface, which is managed as an AdministrativeConfiguration, looks like this:

http[s]://localhost/idp/profile/admin/mdquery?entityID=https%3A%2F%2Fsp.example.org%2Fsp

The same thing on the command line would be:

$ /opt/shibboleth-idp/bin/mdquery.sh -e https://sp.example.org/sp

The parameters supported and their corresponding command line options are:

Query String

Command Line

Cardinality

Description

Query String

Command Line

Cardinality

Description

entityID

--entityID, -e

Required

The entityID to find metadata for

protocol

--protocol



Only 1 may be present

Protocol to find metadata role for

saml1

--saml1

Queries for SAML 1.1 role

saml2

--saml2

Queries for SAML 2.0 role

cas

--cas

Queries for CAS role

The tool essentially reproduces the results that would ordinarily be produced during metadata lookup in any of the "protocol" request flows.

Reference

The general properties configuring this flow via admin/admin.properties are:

Name

Default

Description

Name

Default

Description

idp.mdquery.logging

MetadataQuery

Audit log identifier for flow

idp.mdquery.accessPolicy

AccessByIPAddress

Name of access control policy for request authorization

idp.mdquery.authenticated

false

Whether authentication should be performed prior to access control evaluation

idp.mdquery.nonBrowserSupported

false

Whether the flow should allow for non-browser clients during authentication

idp.mdquery.resolveAttributes

false

Whether attributes should be resolved prior to access control evaluation

To replace the internally defined flow descriptor bean, the following XML is required:

<util:list id="shibboleth.AvailableAdminFlows"> <bean parent="shibboleth.AdminFlow" c:id="http://shibboleth.net/ns/profiles/mdquery" p:loggingId="%{idp.mdquery.logging:MetadataQuery}" p:policyName="%{idp.mdquery.accessPolicy:AccessByIPAddress}" p:nonBrowserSupported="%{idp.mdquery.nonBrowserSupported:false}" p:authenticated="%{idp.mdquery.authenticated:false}" p:resolveAttributes="%{idp.mdquery.resolveAttributes:false}" /> </util:list>

No default version of the list is provided and it may simply be placed in conf/global.xml if needed.

Â