
This command-line configuration example:

  • reads the UK federation metadata aggregate from its distribution site
  • verifies the aggregate's signature using the X.509 certificate taken from path/to/ukfederation-2014.pem
  • removes three specific entities belonging to the Shibboleth project
  • removes all entity role descriptors other than IDPSSODescriptor, SPSSODescriptor or AttributeAuthorityDescriptor 
  • removes all ContactPerson and Organization elements (person and organization contact information)
  • writes the results into the file path/to/output.xml

You can execute the example as follows:

$ .../mda.sh config.xml main

The example configuration file is as follows; it has been verified with MDA version 0.9.1. Note that the stage order in the "main" pipeline matters: signature verification runs before any stage that modifies the document.

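<?xml version="1.0" encoding="UTF-8"?>
<!--
    MDA pipeline: fetch the UK federation aggregate, verify its signature,
    filter entities, roles and contact information, then serialize the result.
    Stage order in the "main" pipeline is significant (see the comments below).
-->
<beans default-init-method="initialize"
       xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
    <!--
        HTTP client used by the source stage. The aggregate URL below is plain http,
        so transport gives no integrity guarantee; the XMLSignatureValidationStage is
        the only check on what was actually retrieved.
    -->
    <bean id="httpClientBuilder" class="net.shibboleth.utilities.java.support.httpclient.HttpClientBuilder"/>
    <bean id="httpClient" factory-bean="httpClientBuilder" factory-method="buildClient"/>

    <!-- First, we define the stages for our pipeline -->

    <!--
        Stage 1: fetch the aggregate and parse it into a DOM.
        NOTE(review): the BasicParserPool is used with its default settings here; confirm its
        DTD and external entity handling before pointing this stage at a source you do not control.
    -->
    <bean id="source" class="net.shibboleth.metadata.dom.DOMResourceSourceStage">
        <property name="id" value="source"/>
        <property name="parserPool">
            <bean class="net.shibboleth.utilities.java.support.xml.BasicParserPool" init-method="initialize"/>
        </property>
        <property name="DOMResource">
            <bean class="net.shibboleth.ext.spring.resource.HTTPResource">
                <constructor-arg ref="httpClient"/>
                <constructor-arg
                    value="http://metadata.ukfederation.org.uk/ukfederation-metadata.xml"/>
            </bean>
        </property>
    </bean>

    <!--
        Stage 2: verify the aggregate's XML signature against a locally held certificate.
        This must run directly after the source stage and before any filter stage: the
        filters modify the document, which would invalidate the signature if they ran first.
        A relative certificate path is resolved against the working directory of the JVM.
        NOTE(review): confirm whether a failed verification aborts the pipeline or only
        attaches an error status to the item; as written, no later stage checks item status
        before the result is serialized.
    -->
    <bean id="validateSignature" class="net.shibboleth.metadata.dom.XMLSignatureValidationStage">
        <property name="id" value="validateSignature"/>
        <property name="verificationCertificate">
            <bean class="net.shibboleth.ext.spring.factory.X509CertificateFactoryBean">
                <property name="resource">
                    <bean class="org.springframework.core.io.FileSystemResource">
                        <constructor-arg>
                            <bean class="java.io.File">
                                <constructor-arg value="path/to/ukfederation-2014.pem"/>
                            </bean>
                        </constructor-arg>
                    </bean>
                </property>
            </bean>
        </property>
    </bean>

    <!-- Stage 3: drop the three listed Shibboleth project entities by entityID. -->
    <bean id="removeEntities" class="net.shibboleth.metadata.dom.saml.EntityFilterStage">
        <property name="id" value="removeEntities"/>
        <property name="designatedEntities">
            <list>
                <value>https://idp.shibboleth.net/idp/shibboleth</value>
                <value>https://issues.shibboleth.net/shibboleth</value>
                <value>https://wiki.shibboleth.net/shibboleth</value>
            </list>
        </property>
    </bean>

    <!--
        Stage 4: keep only the three SAML 2.0 metadata roles listed below
        (whitelistingRoles="true" makes designatedRoles an allow list); every other
        role descriptor is removed.
        NOTE(review): confirm how this stage treats entities left with no roles at all.
    -->
    <bean id="removeRoles" class="net.shibboleth.metadata.dom.saml.EntityRoleFilterStage">
        <property name="id" value="removeRoles"/>
        <property name="whitelistingRoles" value="true"/>
        <property name="designatedRoles">
            <list>
                <bean class="javax.xml.namespace.QName">
                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
                    <constructor-arg value="IDPSSODescriptor"/>
                </bean>
                <bean class="javax.xml.namespace.QName">
                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
                    <constructor-arg value="AttributeAuthorityDescriptor"/>
                </bean>
                <bean class="javax.xml.namespace.QName">
                    <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata"/>
                    <constructor-arg value="SPSSODescriptor"/>
                </bean>
            </list>
        </property>
    </bean>

    <!--
        Stage 5: remove ContactPerson elements. The page describes this as removing all
        person contact information; the bean id is a leftover from an example that only
        removed invalid contact types.
        NOTE(review): confirm the effect of whitelistingTypes="false" with no designatedTypes set.
    -->
    <bean id="removeInvalidContactPerson" class="net.shibboleth.metadata.dom.saml.ContactPersonFilterStage">
        <property name="id" value="removeInvalidContactPerson"/>
        <property name="whitelistingTypes" value="false"/>
    </bean>

    <!-- Stage 6: remove Organization elements. -->
    <bean id="removeOrganization" class="net.shibboleth.metadata.dom.saml.RemoveOrganizationStage">
        <property name="id" value="removeOrganization"/>
    </bean>

    <!--
        Stage 7: write the filtered DOM to the output file.
        The stage id now matches the bean id (it was "serializeIdPs", a leftover from
        another example) so log output identifies this stage consistently with the others.
    -->
    <bean id="serialize" class="net.shibboleth.metadata.pipeline.SerializationStage">
        <property name="id" value="serialize"/>
        <property name="outputFile">
            <bean class="java.io.File">
                <constructor-arg value="path/to/output.xml"/>
            </bean>
        </property>
        <property name="serializer">
            <bean id="domSerializer" class="net.shibboleth.metadata.dom.DOMElementSerializer"/>
        </property>
    </bean>

    <!--
        Next we define a pipeline with all the stages in it.
        Order: fetch, verify signature, then filter and serialize. Do not move a filter
        stage ahead of validateSignature.
    -->
    <bean id="main" class="net.shibboleth.metadata.pipeline.SimplePipeline">
        <property name="id" value="main"/>
        <property name="stages">
            <list>
                <ref bean="source"/>
                <ref bean="validateSignature"/>
                <ref bean="removeEntities"/>
                <ref bean="removeRoles"/>
                <ref bean="removeInvalidContactPerson"/>
                <ref bean="removeOrganization"/>
                <ref bean="serialize"/>
            </list>
        </property>
    </bean>
</beans>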