Manage or Disable IdP Metadata Publishing Endpoint
By default the IdP exposes an HTTP endpoint relative to the deployed servlet context (usually /idp) at /shibboleth which returns the IdP's own metadata. This endpoint path mirrors the one implied by the default IdP entityID, for example https://idp.example.org/idp/shibboleth, thereby implementing the Well-Known Location metadata resolution mechanism discussed in the SAML Metadata specification (section 4.1).
That endpoint returns the metadata by simply reading the XML file pointed to by the IdP property idp.entityID.metadataFile, the value of which defaults to %{idp.home}/metadata/idp-metadata.xml.
Note that by default this metadata is not signed, nor does it dynamically reflect the actual IdP's configuration (for example signing and encryption keys). The file is simply built statically from a template at install time. As such, it is intended as informational only, and is not suitable for direct consumption as-is by an SP wishing to interoperate with the IdP.
To expose a different metadata file's contents at that endpoint, set that property to a different file path value in conf/idp.properties, for example:
idp.entityID.metadataFile=/var/shibboleth/metadata/idp-metadata.xml
To effectively disable metadata publishing at the endpoint entirely by returning an HTTP 404 response, set the value to an empty string:
idp.entityID.metadataFile=
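As an added example (not Shibboleth project code), the following Python resolves the idp.entityID.metadataFile setting the way this page describes (absent = documented default, empty = endpoint disabled) and checks whether the file that would be served carries an XML signature, since the default template-generated file is unsigned and informational only. The properties excerpt and the metadata document are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of conf/idp.properties (sample data, not a real deployment).
SAMPLE_PROPERTIES = """\
idp.home=/opt/shibboleth-idp
idp.entityID=https://idp.example.org/idp/shibboleth
idp.entityID.metadataFile=%{idp.home}/metadata/idp-metadata.xml
"""
# Constructed stand-in for the template-generated, unsigned idp-metadata.xml.
SAMPLE_UNSIGNED_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp/shibboleth">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/></EntityDescriptor>'
)

def parse_properties(text):
    """Minimal Java-properties reader: one key=value per line, '#'/'!' comment lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def expand(value, props):
    """Expand %{name} references (e.g. %{idp.home}) against the parsed properties."""
    return re.sub(r"%\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def resolve_metadata_file(props):
    """Path served at /shibboleth, or None when publishing is disabled (HTTP 404).
    An absent property falls back to the documented default; an empty value disables."""
    raw = props.get("idp.entityID.metadataFile", "%{idp.home}/metadata/idp-metadata.xml")
    return None if raw == "" else expand(raw, props)

def metadata_is_signed(xml_text):
    """True only if the root EntityDescriptor carries an enveloped ds:Signature child."""
    return ET.fromstring(xml_text).find("{http://www.w3.org/2000/09/xmldsig#}Signature") is not None

def audit(properties_text, served_xml=None):
    """Report what the endpoint publishes; unsigned metadata should be treated as informational only."""
    path = resolve_metadata_file(parse_properties(properties_text))
    if path is None:
        return {"published": False, "file": None, "signed": None}
    signed = None if served_xml is None else metadata_is_signed(served_xml)
    return {"published": True, "file": path, "signed": signed}
```

Run audit() against your own conf/idp.properties and the document fetched from the /shibboleth endpoint; a result of published=True with signed=False is the default state this page describes.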