The DynamicHTTPMetadataProvider fetches metadata from an HTTP server dynamically as needed. The request URL to fetch metadata is based on the entity's entityID and constructed using one of four available strategies selected using an appropriate child element.

Attributes

Any of the common attributes and dynamic attributes can be specified. In addition, the following attributes are available:

Each entry gives the attribute name, its type and default (where one exists), followed by its description. A version number such as "since 3.3" marks the IdP version in which the attribute was added.

httpClientRef (Bean reference)
    A reference to an externally defined Spring bean which specifies an org.apache.http.client.HttpClient object. This attribute conflicts with and overrides the other HttpClient-related properties: disregardSslCertificate, disregardTLSCertificate, requestTimeout, proxyHost, proxyPort, proxyUser, proxyPassword, httpCaching, httpCacheDirectory, httpMaxCacheEntries, httpMaxCacheEntrySize.

httpClientSecurityParametersRef (since 3.3; Bean reference)
    A reference to an externally defined Spring bean which specifies an org.opensaml.security.httpclient.HttpClientSecurityParameters instance, which consolidates all HTTP security parameters, including advanced TLS usage. This can be used instead of basicAuthUser, basicAuthPassword, tlsTrustEngineRef, and an inline <TLSTrustEngine>.

supportedContentTypes (List of String, comma-separated; default "application/samlmetadata+xml, application/xml, text/xml")
    MIME types which are supported by this provider when requesting metadata from the HTTP server. The HTTP response Content-Type will also be validated against this list. These values cannot be specified as properties (e.g., %{idp.mime.type}).

disregardSslCertificate (Boolean; default false)
    Deprecated; use disregardTLSCertificate instead.

disregardTLSCertificate (Boolean; default false)
    The server certificate will be ignored when using an HTTPS source.

connectionRequestTimeout (since 3.3; Delay, ISO8601 format; default PT5S, 5 seconds)
    The maximum amount of time to wait for a connection to be returned from HttpClient's connection pool. (incompatible with httpClientRef)

requestTimeout (Delay, ISO8601 format; default PT5S, 5 seconds)
    DEPRECATED: use connectionTimeout; see its description for semantics. (incompatible with httpClientRef)

connectionTimeout (since 3.3; Delay, ISO8601 format; default PT5S, 5 seconds)
    The maximum amount of time to wait to establish a connection with the remote server. (incompatible with httpClientRef)

socketTimeout (since 3.3; Delay, ISO8601 format; default PT5S, 5 seconds)
    The maximum amount of time to wait between two consecutive packets while reading from the socket connected to the remote server. (incompatible with httpClientRef)

maxConnectionsTotal (since 3.3; Integer; default 100)
    Maximum total simultaneous connections allowed by HttpClient's pooling connection manager.

maxConnectionsPerRoute (since 3.3; Integer; default 100)
    Maximum simultaneous connections per route allowed by HttpClient's pooling connection manager.

proxyHost (String)
    Hostname of the HTTP proxy through which connections will be made.

proxyPort (String)
    Port of the HTTP proxy through which connections will be made.

proxyUser (String)
    User name for the HTTP proxy through which connections will be made.

proxyPassword (String)
    Password for the HTTP proxy through which connections will be made.

basicAuthUser (String)
    The user name to provide, during basic authentication, when connecting to the remote server. This is a convenience property for the case of a single basic auth user credential, and is mutually exclusive with setting a credentialsProviderRef.

basicAuthPassword (String)
    The password to provide, during basic authentication, when connecting to the remote server. This is a convenience property for the case of a single basic auth user credential, and is mutually exclusive with setting a credentialsProviderRef.

tlsTrustEngineRef (since 3.1; Bean reference)
    Specifies the id of a TrustEngine defined elsewhere in the configuration. The trust engine may be specified either in custom or Spring native bean syntax.

httpCaching ("none", "file" or "memory"; default memory)
    The type of HttpClient caching to perform. This value cannot be specified as a property. (incompatible with httpClientRef)

httpCacheDirectory (String)
    The path to the HttpClient cache directory. Only used if the caching type is 'file'. (incompatible with httpClientRef)

httpMaxCacheEntries (Integer; default 50 for memory caching, 100 for file caching)
    The maximum number of responses to cache. (incompatible with httpClientRef)

httpMaxCacheEntrySize (Integer; default 1048576 (1MB) for memory caching, 10485760 (10MB) for file caching)
    The maximum response body size which may be cached, in bytes. (incompatible with httpClientRef)

Child Elements

Any of the common child elements may be specified. A <TLSTrustEngine> element (since 3.1) may also be specified.

Finally, an element determining the lookup strategy to use may be included. Only one of the following strategies may be configured for any given instance of a metadata provider.

Metadata Query Protocol Strategy

If the <MetadataQueryProtocol> child element is used, the metadata request URL is constructed based on the requirements of the draft Metadata Query Protocol specification (see base protocol, SAML profile).

The content of this element will be used as the "Base URL" as defined in that specification.

Examples

MetadataQueryProtocol
<MetadataProvider
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd"
    id="dynamicMDQ" xsi:type="DynamicHTTPMetadataProvider">
 
    <!-- Verify the signature on the root element (i.e., the EntityDescriptor element) -->
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
        certificateFile="%{idp.home}/credentials/mdq-example.crt" />
 
    <!--
      Require a validUntil XML attribute on the EntityDescriptor element
      and make sure its value is no more than 14 days into the future 
    -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D" />
 
    <!-- The MetadataQueryProtocol element specifies the base URL for the query protocol -->
    <MetadataQueryProtocol>http://mdq.example.org/global/</MetadataQueryProtocol>
 
</MetadataProvider>

Regex Strategy

If the <Regex> child element is used, the metadata request URL is constructed by means of a complex transform. The entityID value is first matched against the regular expression contained in the <Regex> element's match attribute. Then, the Regex element's content is treated as a replacement regular expression to run based on the results of the match.

Only numeric/positional group references (e.g., $1) are supported.

Template Strategy

If the <Template> child element is used, the metadata request URL is constructed by means of a simple transform on the template specified by this element. The entityID is substituted into the template parameter "${entityID}".

The element may include the following attributes:

encoded
    If the element's encoded attribute is set to "false", the entityID is substituted directly; otherwise it is URL-encoded before substitution.

velocityEngine
    This attribute may be used to specify the name of the Velocity engine defined within the application.

transformRef
    Reference to an optional transform function for the entity ID.

Well-known Location Strategy

If no child element indicating a strategy to use is included, the entityID value itself is used as the metadata request URL. This corresponds to the "well-known location" mechanism, as defined in the SAML 2.0 Metadata specification, section 4.1.
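The following added example (not code from the Shibboleth project) works through how each of the four strategies above turns an entityID into a request URL, using constructed sample entityIDs and base URLs. It assumes the Regex strategy's match must cover the whole entityID and that URL-encoding escapes every reserved character; the require_https switch in the well-known case is this example's own check, not a provider option.

```python
import re
from typing import Optional
from urllib.parse import quote, urlparse

# Constructed sample entityIDs (not taken from the original page).
ENTITY_URL = "https://sp.example.edu/shibboleth"
ENTITY_URN = "urn:mace:example.org:sp"


def mdq_url(base_url: str, entity_id: str) -> str:
    """MetadataQueryProtocol: <base URL>entities/<percent-encoded entityID>.
    safe="" encodes every reserved character, so ':' and '/' inside the
    entityID become %3A and %2F and cannot alter the request path."""
    if not base_url.endswith("/"):
        base_url += "/"
    return base_url + "entities/" + quote(entity_id, safe="")


def regex_url(match: str, replacement: str, entity_id: str) -> Optional[str]:
    """Regex strategy: the entityID must match the 'match' attribute (assumed
    here to mean the whole value); the element content is the replacement,
    using only positional references such as $1."""
    m = re.fullmatch(match, entity_id)
    if m is None:
        return None  # no match: no request URL can be built
    # Rewrite Java-style $N references into Python's \g<N> syntax.
    return m.expand(re.sub(r"\$(\d+)", r"\\g<\1>", replacement))


def template_url(template: str, entity_id: str, encoded: bool = True) -> str:
    """Template strategy: substitute ${entityID}, URL-encoded unless the
    element carries encoded="false"."""
    value = quote(entity_id, safe="") if encoded else entity_id
    return template.replace("${entityID}", value)


def well_known_url(entity_id: str, require_https: bool = True) -> str:
    """Well-known location strategy: the entityID itself is fetched, so it
    must be an http(s) URL. Rejecting plain http (this example's own
    hardening, not a provider option) enforces the recommendation to use
    https against man-in-the-middle attacks."""
    scheme = urlparse(entity_id).scheme
    if scheme not in ("http", "https"):
        raise ValueError(f"entityID is not a URL: {entity_id}")
    if require_https and scheme != "https":
        raise ValueError(f"refusing non-https well-known location: {entity_id}")
    return entity_id
```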

Examples

WellKnownLocation
<MetadataProvider
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd"
    id="dynamicWellKnown" xsi:type="DynamicHTTPMetadataProvider">
 
    <!--
      Use the well-known location strategy to get SP metadata. The
      entityID is not configured here; it is determined from the
      AuthnRequest's Issuer element, as sent by the requester.
      
      In this case, the entityID MUST be in the form of a URL (rather 
      than a URN). It is STRONGLY RECOMMENDED that https URLs be used 
      to protect against man-in-the-middle attacks.
    -->
 
</MetadataProvider>