Metadata Generation Handler

Identified by type="MetadataGenerator", this handler generates sample metadata based on the SP configuration and a set of built-in assumptions. Its output can be supplemented through the use of a template, and it supports signing.

Support for signing may leave your system vulnerable to trivial DOS attacks. If this is a concern, consider protecting the generation handler with some kind of authentication or firewall.

The purpose of this handler is NOT to supply other systems with production metadata, but rather to assist with testing and with generating metadata examples useful in understanding how to produce actual metadata. Mature deployments will often require metadata content that goes beyond what the handler can generate, and directly coupling metadata to a configuration makes certain configuration changes more likely to cause service disruptions.

Attributes

Common Attributes

Specific Attributes

| Name | Type | Default | Description |
|------|------|---------|-------------|
| acl | space-delimited list of IP addresses (V4/V6) or CIDR statement | Open Access | A set of requesting addresses to limit access to. |
| template | local pathname | | Optional XML file containing an <md:EntityDescriptor> to use as a template for the generated metadata. Any content supplied will generally be maintained and supplemented by the generation process. |
| cacheDuration | seconds | | Optional value to use in calculating the cacheDuration attribute to embed in the generated metadata. While optional, this value SHOULD be used in any experimentation with this handler in real-time generation of metadata. |
| signing | boolean | false | If true, metadata will be signed using the default credential (or the named credential if keyName is used as well). |
| keyName | string | | Optional, used as input when selecting a credential to use for metadata signing. |
| signingAlg | URI | coding for RSA with SHA1 | The XML Signature signing algorithm to use for metadata signing. |
| digestAlg | URI | coding for SHA1 | The XML Signature digest algorithm to use for metadata signing. |
| mimeType | MIME content type | application/samlmetadata+xml | Optional override of the MIME type of content returned by the handler. |
| http | boolean | | Forces or disables the generation of protocol endpoints using the http scheme, regardless of which scheme is used when accessing the handler. |
| https | boolean | | Forces or disables the generation of protocol endpoints using the https scheme, regardless of which scheme is used when accessing the handler. |
| validUntil | seconds | | Optional value to use in calculating the validUntil attribute to embed in the generated metadata. The value is added to the current time. Note that prior to version 2.2, the cacheDuration setting was improperly being used for this purpose. |
| salt | string | | Optional salt to include in a hash with the entityID to produce the ID attribute placed into the metadata. Can be used to control the ID value in concert with configuration changes to signal to metadata consumers that the metadata has or hasn't been altered. |

Child Elements

| Name | Cardinality | Description |
|------|-------------|-------------|
| <EndpointBase> | 0 or more | If provided, must contain a "base" handler URL to generate endpoints against. When used, these base locations override the default behavior, which generates endpoints based only on the handler URL configured for the request to the generator, which usually means only a single virtual host can be represented in the metadata. |

A variety of metadata elements can be embedded directly within the handler configuration for inclusion in the generated metadata. These include:

| Name | Cardinality | Description |
|------|-------------|-------------|
| <md:NameIDFormat> | 0 or more | |
| <md:ContactPerson> | 0 or more | |
| <md:RequestedAttribute> | 0 or more | |
| <md:AttributeConsumingService> | 0 or more | |
| <md:Organization> | 0 or 1 | |
| <mdui:UIInfo> | 0 or 1 | |
| <mdattr:EntityAttributes> | 0 or 1 | |
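The following handler definition is an added example, not configuration taken from this page or shipped with the Shibboleth SP; it shows the specific attributes, the <EndpointBase> child and the embeddable metadata elements described above combined in one <Handler> as it would sit inside the <Sessions> element of shibboleth2.xml. The hostnames, file paths, ACL ranges, key name, salt and entity attribute value are constructed for illustration; the Location attribute belongs to the common handler attributes, which this page only links to. The acl restricts the handler to localhost and one administrative network, which is the kind of protection the signing note above recommends, since each request to a signing generator costs a signature operation.

```xml
<!-- Added example (not from the page): MetadataGenerator handler for shibboleth2.xml.
     All hostnames, paths, address ranges, key name and salt are constructed values. -->
<Handler type="MetadataGenerator" Location="/Metadata"
         xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
         xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
         xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
         acl="127.0.0.1 ::1 192.0.2.0/24"
         template="/etc/shibboleth/metadata-template.xml"
         cacheDuration="86400"
         validUntil="604800"
         signing="true"
         keyName="metadata-signing"
         signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
         digestAlg="http://www.w3.org/2001/04/xmlenc#sha256"
         https="true"
         salt="constructed-salt-2024-01">

    <!-- Endpoints are generated against each base URL below instead of only
         against the virtual host that received the request. -->
    <EndpointBase>https://sp.example.org/Shibboleth.sso</EndpointBase>
    <EndpointBase>https://sp-alt.example.org/Shibboleth.sso</EndpointBase>

    <!-- Embedded metadata elements, copied into the generated entity as-is. -->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>

    <md:Organization>
        <md:OrganizationName xml:lang="en">Example Org</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">Example Organization</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://www.example.org/</md:OrganizationURL>
    </md:Organization>

    <md:ContactPerson contactType="technical">
        <md:GivenName>SP Operations</md:GivenName>
        <md:EmailAddress>mailto:sp-ops@example.org</md:EmailAddress>
    </md:ContactPerson>

    <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
        <mdui:Description xml:lang="en">Test deployment of the example service</mdui:Description>
    </mdui:UIInfo>

    <mdattr:EntityAttributes>
        <!-- Constructed attribute for illustration only. -->
        <saml:Attribute Name="urn:example:sp-tier"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>test</saml:AttributeValue>
        </saml:Attribute>
    </mdattr:EntityAttributes>
</Handler>
```

With this definition, a request to https://sp.example.org/Shibboleth.sso/Metadata from an address inside the acl returns signed metadata whose cacheDuration is one day and whose validUntil is one week from the time of the request; requests from other addresses are refused before any signature is computed. The https="true" setting makes the generated endpoints use the https scheme even if the handler itself was reached over http, and changing the salt changes the ID attribute, which the page describes as a way to signal to consumers that the metadata has been altered.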

Query String Parameters

Parameters are supplied using a standard query string appended to the request. They must be URL-encoded as usual.

| Name | Type | Description |
|------|------|-------------|
| entityID | URI | Identifies the requesting IdP, for the purposes of establishing settings that would influence the contents of the metadata, such as message signing flags and the credentials used. If omitted, the default settings are used. |
