The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.
RemoteMetadataAggregateExample
Owned by trscavo@ncsa.illinois.edu
Load a metadata aggregate from a remote server Expand source
<!--
Load (and reload) a signed metadata aggregate from a remote HTTP server.
This sample configuration assumes: (1) the top-level element of the XML
document is signed; (2) the top-level element of the XML document is
decorated with a validUntil attribute; (3) the validity interval is two
weeks (P14D) in duration; and (4) the server supports HTTP conditional GET.
The metadata refresh process is influenced by the configured values of
the minRefreshDelay attribute (default: PT30S) and the maxRefreshDelay
attribute (default: PT4H) and also by any cacheDuration and validUntil
attributes in the metadata itself. If the server does not support HTTP
conditional GET, the attributes should be adjusted accordingly.
-->
<MetadataProvider id="RemoteMetadataAggregate" xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/federation-metadata-copy.xml"
metadataURL="http://example.org/metadata/federation-metadata.xml">
<!--
Verify the signature on the root element of the metadata aggregate
using a trusted metadata signing certificate.
-->
<MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
certificateFile="%{idp.home}/conf/metadata/md-cert.pem"/>
<!--
Require a validUntil XML attribute on the root element and
make sure its value is no more than 14 days into the future.
-->
<MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>
<!-- Consume all SP metadata in the aggregate -->
<MetadataFilter xsi:type="EntityRoleWhiteList">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>