Page tree
Skip to end of metadata
Go to start of metadata

This interface provides a mechanism to query the IdP's Metadata resolver(s).  This can be used as a debugging aid ("Is the IdP really seeing the metadata I think it is?") and also as a way of forcing specific entities into cache (which might be relevant for entities loaded via DynamicHTTPMetadataProvider or LocalDynamicMetadataProvider).

The underlying web interface, which is managed as an AdministrativeConfiguration, looks like this:

http[s]://localhost/idp/profile/admin/mdquery?entityID=https%3A%2F%2Fsp.example.org%2Fsp

The same thing on the command line would be:

$ /opt/shibboleth-idp/bin/mdquery.sh -e https://sp.example.org/sp

The parameters supported and their corresponding command line options are:

Query String

Command Line

Cardinality

Description

entityID
--entityID, -e
RequiredEntityID to find metadata for
protocol
--protocol


Only 1 may be present

Protocol to find metadata role for
saml1
--saml1
Queries for SAML 1.1 role
saml2
--saml2
Queries for SAML 2.0 role
cas
--cas
Queries for CAS role

The tool essentially reproduces the results that would ordinarily be produced during metadata lookup in any of the "protocol" request flows.

Reference

V4.0 and upgraded systems include a bean defined in conf/admin/general-admin.xml to control aspects of the flow's behavior.

V4.1 includes properties to control various aspects of the flow's behavior using an internally-defined bean that may be overridden if required.

The general properties configuring this flow via admin/admin.properties are:

Property Default Description
idp.mdquery.logging MetadataQuery Audit log identifier for flow
idp.mdquery.accessPolicy AccessByIPAddress Name of access control policy for request authorization
idp.mdquery.authenticated false Whether authentication should be performed prior to access control evaluation
idp.mdquery.nonBrowserSupported false Whether the flow should allow for non-browser clients during authentication
idp.mdquery.resolveAttributes false Whether attributes should be resolved prior to access control evaluation

To replace the internally defined flow descriptor bean, the following XML is required:

<util:list id="shibboleth.AvailableAdminFlows">

    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/mdquery"
        p:loggingId="%{idp.mdquery.logging:MetadataQuery}"
        p:policyName="%{idp.mdquery.accessPolicy:AccessByIPAddress}"
        p:nonBrowserSupported="%{idp.mdquery.nonBrowserSupported:false}"
        p:authenticated="%{idp.mdquery.authenticated:false}"
        p:resolveAttributes="%{idp.mdquery.resolveAttributes:false}" />

</util:list>
In older versions and upgraded systems, this list is defined in conf/admin/general-admin.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.

  • No labels