Metadata Generation Handler
Identified by type="MetadataGenerator", this handler generates sample metadata based on the SP configuration and a set of built-in assumptions. It can be supplemented through the use of a template, and it supports signing.
Support for signing may leave your system vulnerable to trivial DoS attacks, because every request can trigger a signing operation. If this is a concern, protect the generation handler with some kind of authentication, the acl attribute, or a firewall.
The purpose of this handler is NOT to supply other systems with production metadata but rather to assist with testing and with generating metadata examples that are useful in understanding how to produce actual metadata. Mature deployments will often require metadata content that goes beyond what the handler can generate, and directly coupling metadata to a configuration makes certain configuration changes more likely to cause service disruptions.
Attributes
Common Attributes
Specific Attributes
Name | Type | Default | Description |
---|---|---|---|
acl | space-delimited list of IP addresses (V4/V6) or CIDR statements | Open Access | A set of requesting addresses to which access is limited. |
template | local pathname | | Optional XML file containing an <md:EntityDescriptor> to use as a template for the generated metadata. Any content supplied will generally be maintained and supplemented by the generation process. |
cacheDuration | seconds | | Optional value used in calculating the cacheDuration attribute embedded in the generated metadata. While optional, this value SHOULD be used in any experimentation with this handler for real-time generation of metadata. |
signing | boolean | false | If true, the metadata is signed using the default credential (or the named credential if keyName is set as well). |
keyName | string | | Optional; used as input when selecting a credential to use for metadata signing. |
signingAlg | URI | URI for RSA with SHA1 | The XML Signature signing algorithm to use for metadata signing. |
digestAlg | URI | URI for SHA1 | The XML Signature digest algorithm to use for metadata signing. |
mimeType | MIME content type | application/samlmetadata+xml | Optional override of the MIME type of the content returned by the handler. |
http | boolean | | Forces or disables the generation of protocol endpoints using the http scheme, regardless of which scheme is used when accessing the handler. |
https | boolean | | Forces or disables the generation of protocol endpoints using the https scheme, regardless of which scheme is used when accessing the handler. |
validUntil | seconds | | Optional value used in calculating the validUntil attribute embedded in the generated metadata. The value is added to the current time. Note that prior to version 2.2, the cacheDuration setting was improperly used for this purpose. |
salt | | | Optional salt to include in a hash with the entityID to produce the ID attribute placed into the metadata. Can be used to control the ID value in concert with configuration changes, to signal to metadata consumers that the metadata has or hasn't been altered. |
Child Elements
Name | Cardinality | Description |
---|---|---|
<EndpointBase> | 0 or more | If provided, must contain a "base" handler URL to generate endpoints against. When used, these base locations override the default behavior, which generates endpoints based only on the handler URL configured for the request to the generator, which usually means only a single virtual host can be represented in the metadata. |
A variety of metadata elements can be embedded directly within the handler configuration for inclusion in the generated metadata. These include:
Name | Cardinality | Description |
---|---|---|
<md:NameIDFormat> | 0 or more | |
<md:ContactPerson> | 0 or more | |
<md:RequestedAttribute> | 0 or more | |
<md:AttributeConsumingService> | 0 or more | |
<md:Organization> | 0 or 1 | |
<mdui:UIInfo> | 0 or 1 | |
<mdattr:EntityAttributes> | 0 or 1 | |
Query String Parameters
Parameters are supplied using a standard query string appended to the request. They must be URL-encoded as usual.
Name | Type | Description |
---|---|---|
entityID | URI | Identifies the requesting IdP, for the purposes of establishing settings that would influence the contents of the metadata, such as message signing flags and the credentials used. If omitted, the default settings are used. |