The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.
ResourceBackedMetadataProvider
The ResourceBackedMetadataProvider loads metadata from a resource - a complex source that cannot be located from a file or an HTTP URL. The provider can be configured to periodically check and reload the metadata if needed.
The only supported use of this provider is with spring define bean which is a Spring Resource (or more rarely a Shibboleth Resource) via the resourceRef attribute.
Contents
Schema Names and location
The <MetadataProvider> element and the type ResourceBackedMetadataProvider are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.
Attributes
Any of the Common Attributes or the Reloading Attributes may be configured.
In addition the resourceRef property is used to specify the source of the data.
Common Attributes
The following attributes are required on all metadata provider types:
| Name | Type | Default | Description |
|---|---|---|---|
id | String | required | Identifier for logging, identification for command line reload, etc. |
xsi:type | String | required | Specifies the exact type of provider to use (from those listed above, or a custom extension type). |
The following attributes are common to all metadata provider types except the ChainingMetadataProvider type:
| Name | Type | Default | Description |
|---|---|---|---|
| Boolean | true | Whether candidate metadata found by the resolver must be valid in order to be returned (where validity is implementation specific, but in SAML cases generally depends on a |
| Boolean | true | Whether to fail initialization of the underlying MetadataResolverService (and possibly the IdP as a whole) if the initialization of a metadata provider fails. When false, the IdP may start, and will continue to attempt to reload valid metadata if configured to do so, but operations that require valid metadata will fail until it does. |
sortKey | Integer | Defines the order in which metadata providers are searched (see below), can only be specified on top level <MetadataProvider> elements. | |
| The following are advanced settings supporting a new low-level feature allowing metadata lookup by keys other than the unique entityID and are rarely of use to a deployer. | |||
criterionPredicateRegistryRef 3.3 | Bean ID | Identifies the a custom CriterionPredicateRegistry bean used in resolving predicates from non-predicate input criteria. | |
useDefaultPredicateRegistry 3.3 | Boolean | true | Flag which determines whether the default CriterionPredicateRegistry will be used if a custom one is not supplied explicitly. |
satisfyAnyPredicates 3.3 | Boolean | false | Flag which determines whether predicates used in filtering are connected by a logical 'OR' (true) or by logical 'AND' (false). |
Reloading Attributes
The following attributes are common to all reloading "batch-oriented" metadata providers (i.e., FileBackedHTTPMetadataProvider, FilesystemMetadataProvider, and ResourceBackedMetadataProvider):
| Name | Type | Default | Description |
|---|---|---|---|
parserPoolRef | Bean ID | shibboleth.ParserPool | Identifies a Spring bean for the XML parser used to parse metadata. Generally should not be changed. |
taskTimerRef | Bean ID | Identifies a Spring bean containing a Java TaskTimer used to schedule reloads. When not set, an internal timer is created. Generally should not be changed. | |
minRefreshDelay | Duration | PT30S | Lower bound on the next refresh from the time calculated based on the metadata's expiration. |
maxRefreshDelay | Duration | PT4H | Upper bound on the next refresh from the time calculated based on the metadata's expiration. |
refreshDelayFactor | Real Number (strictly between 0.0 and 1.0) | 0.75 | A factor applied to the initially determined refresh time in order to determine the next refresh time (typically to ensure refresh takes place prior to the metadata's expiration). Attempts to refresh metadata will generally begin around the product of this number and the maximum refresh delay. |
indexesRef 3.3 | Bean ID | Identifies an optional | |
resolveViaPredicatesOnly 3.3 | Boolean | false | Flag indicating whether resolution may be performed solely by applying predicates to the entire metadata collection, when an entityID input criterion is not supplied. |
expirationWarningThreshold 3.4 | Duration | PT0S (disabled) | For each attempted metadata refresh (whether or not fresh metadata is obtained), if requireValidMetadata is true, and there is a validUntil XML attribute on the document root element, and the difference between validUntil and the current time is less than expirationWarningThreshold, the system logs a warning about the impending expiration. |
Child Elements
Any of the following child elements may be specified (in order).
| Name | Cardinality | Description |
|---|---|---|
<MetadataFilter> | 0 or more | A metadata filter applied to candidate metadata as it flows through the metadata pipeline |
<MetadataResource> | 0 or 1 | Deprecated If present, it specifies the metadata resource type |
The <MetadataFilter> child element is common to all metadata providers. The <MetadataResource> child element is exclusive to the ResourceBackedMetadataProvider type.
Examples
The following example loads metadata from the supplied bean
<MetadataProvider id="ClasspathResourceMetadata" xsi:type="ResourceBackedMetadataProvider" resourceRef="SpringResource"/>