MetadatagenV1
- Rod Widdowson
- Scott Cantor
- Chris Phillips
Overview
The MetadataGen plugin provides a command line to generate metadata based on a very shallow introspection of the IdP configuration properties.
Metadata generation can never be an automatic process. Metadata is a description of how you want your IdP to be viewed by others. This is significantly more than anything which can be created automatically. Nonetheless, much of the metadata is formulaic since things such as endpoints are usually standardized. The metadatagen command provides assistance in generating much of the standardized boilerplate.
The metadatagen command provides an basis for generator the metadata for your IdP. It does extremely limited introspection into the configuration and outputs metadata for the standard end points. This saves time and reduces the risk of cut and paste errors being introduced into your metadata.
This tools does not output "ready to use" metadata and is a preliminary, NOT an alternative, to editing your metadata prior to publishing it.
Plugin Installation
Starting with IdP 4.2 you can the install the latest plugin version supported on your IdP version with.\plugin.sh -I net.shibboleth.idp.plugin.metadatagen
Plugin | Plugin ID | Module(s) | Latest Version | Bug Reporting |
|---|---|---|---|---|
Metadatagen | net.shibboleth.idp.plugin.metadatagen | idp.metadatagen | 1.0.0: download |
Configuration
The generated metadata is based on an idea of the IdP's configuration sourced from two locations: configuration property files and the command line. Importantly, this tool does not consider anything about the relying party configuration.
The property files provide the following information:
The entityID (from
idp.entityID)The scope (from
idp.scope)The encryption certificate (from
idp.encryption.cert)The signing certificate used for attribute push (from
idp.signing.cert)
The command line is usually used to provide information to do with the web container (i.e. Jetty or Tomcat) configuration:
--DNSNamespecifies the DNS name (with a default of idp.example.org)If present,
--backChannel <file>provides the signing certificate use for back channel tasks.
An additional property file can be used to specify the DNS name an backchannel path, additionally properties can be used to drive MDUI generation. This is described further below.
Command line options
With no command line options the tool prints to the screen the Metadata for a SAML2 IdP configured for attribute push only. Further options control adding or removing parts of the metadata
Qualifier | Function |
|---|---|
--DNSName name | Supplies the DNS name used within the URLs specifying the end points |
--output <file>, -o <file> | Outputs the metadata to a file |
--backChannel <file> | Specifies the path to the certificate protecting the back channel. |
+SAML1, +1 | Include metadata for a SAML1 IdP. SAML1 attribute fetch endpoints will be included, regardless of whether |
-SAML2, -2 | Supress the metadata for a SAML2 IdP |
+SAMLSP, +SP | Include metadata for a SAML2 SP (for use in proxying) |
+logout | Include SAML2 logout endpoints. |
+artifact | Include the artifact resolution endpoints (requires |
+attributeFetch | Include the SAML2 attribute fetch endpoints (requires |
--propertyFiles <file>,<file>... | Additional property files. |
The full set of options can be viewed with the --help option.
Advanced use and Property-driven installation
The parts of the metadata drawn from the IdP configuration are derived from the IdP configuration property files. Additional properties can be provided (via the --propertyFiles qualifier) to describe more about the IdP
Remember that if idp.searchForProperties is set to true all property files under idp/conf will be loaded.
Property | Description |
|---|---|
idp.metadata.dnsname | Supplies the DNS name used within the URLs specifying the end points. |
idp.metadata.backchannel.cert | Specifies the path to the certificate protecting the back channel. |
idp.metadata.idpsso.mdui.logo.path | Specifies the path part of the URL which describes a logo for the IdP. The <mdui:Logo> is always emitted. If this is absent then then a fixed path ('/path/to/logo') is used. |
idp.metadata.idpsso.mdui.logo.height | The height (in pixels) of the logo. Defaults to 80. |
idp.metadata.idpsso.mdui.logo.width | The width (in pixels) of the logo. Defaults to 80. |
idp.metadata.idpsso.mdui.langs | A (space separated) list of languages used to lookup values formed appending each one to the name and description properties described below. If this is absent then an <mdui:DisplayName/> and <mdui:Description> for the "en" language is emitted which you need to edit. |
idp.metadata.idpsso.mdui.displayname.<lang> | Display name for the IdP in the specified language. If this is absent for a language specified above then not <mdui:DisplayName> is emitted for that language |
idp.metadata.idpsso.mdui.description.<lang> | Description for the IdP in the specified language. If this is absent for a language specified above then not <mdui:Description> is emitted for that language |
Examples
Example Command Line
metadatagen +saml1 +sp --backChannel /opt/idp/credentials/idp-backchannel.crt --output myMetadata.xml
Example Property File
idp.metadata.dnsname=ushib.example.org
idp.metadata.backchannel.cert=/opt/idp/credentials/idp-backchannel.crt
idp.metadata.idpsso.mdui.langs=en fr de
idp.metadata.idpsso.mdui.displayname.fr=Université de Shibboleth
idp.metadata.idpsso.mdui.displayname.en=Shibboleth University
idp.metadata.idpsso.mdui.displayname.de=Universität Shibboleth
idp.metadata.idpsso.mdui.description.fr=UShib
idp.metadata.idpsso.mdui.description.de=UShib
idp.metadata.idpsso.mdui.description.en=UShib
idp.metadata.idpsso.mdui.logo.height=84
idp.metadata.idpsso.mdui.logo.width=75
idp.metadata.idpsso.mdui.logo.path=/the/to/path/logo.png