Page tree
Skip to end of metadata
Go to start of metadata

In many cases, the MDQ plugin may be easier to configure.


Overview

Identified by type="Dynamic", this MetadataProvider loads metadata on-demand from an HTTP server. The precise URL accessed is derived from the entityID of the peer and may be literal (i.e., that entityID) or more commonly constructed based on a simple substitution or transform involving the entityID. It is optimized to be reliable and efficient by caching in-memory and on-disk and by preventing unnecessary re-processing via HTTP caching support.

Reference

Attributes

The type="Dynamic" attribute must be present.

The following attributes are supported for all MetadataProvider types:
NameTypeReq?DefaultDescription
type
stringY

Specifies the exact type of metadata plugin to use

id
string

A label for the metadata source, used in logging and status reporting
validate
boolean
falseWhether the XML should be schema validated before it is parsed. Note that some sources of metadata (e.g., ADFS) may contain a large number of extensions. The SP now includes a number of additional schemas to make validation of such extensions possible, but there are always exceptions.

The following attributes are supported only for the "dynamic" (on-demand) MetadataProvider types (MDQDynamicLocalDynamic):
NameTypeDefaultDescription
cleanupIntervaltime in seconds1800 (30 mins)

Time in seconds between execution of background thread to scan for expired cached metadata and remove it from memory. You can set this to 0 to disable any cleanup, but this will potentially cause memory usage to grow.

cleanupTimeouttime in seconds

1800 (30 mins)

Extra time to leave recently-unused entries in the cache before the background cleanup process will remove them
maxCacheDuration time in seconds28800 (8 hours)Upper bound on time before attempt to reload metadata for an entity
minCacheDurationtime in seconds600 (10 mins)Lower bound on time before attempt to reload metadata for an entity
refreshDelayFactordecimal0.75Factor applied to the metadata's own validity or caching period to determine the reload interval to use. Once applied, the result is bounded by the minCacheDuration and maxCacheDuration settings to determine the time of the next attempt. If reload attempts fail, the existing metadata (if any) will be reused until it actually expires
negativeCachebooleansee description

Controls whether lookup failures are cached (for the minCacheDuration). This can avoid repeatedly accessing a server which is failing or simply has no metadata.

Defaults to "true" for remote dynamic metadata providers (MDQ, Dynamic) and "false" for the LocalDynamicProvider

The following attributes are supported only for the remote dynamic MetadataProvider types (MDQDynamic):
NameTypeDefaultDescription
cacheDirectory
string
Defines a directory in which downloaded metadata will be cached. During startup the directory is also scanned and the metadata loaded to prime the in-memory cache. This directory should be unique for every metadata provider configured.
backgroundInitializebooleantrueFlag indicating whether the plugin should initialize itself from the cache in the background to improve startup time. It has no effect if cacheDirectory is unset.
verifyHostbooleantrueIf true, attempts to resolve metadata using a TLS-enabled URL will verify the hostname in the server's certificate against the expected hostname (but this is the extent of the validation performed unless other configuration is in place)
ignoreTransportbooleanfalseIf true, authentication of the transport layer will be ignored when resolving metadata. If false, a <TrustEngine> child element must be specified.

Child Elements

The following child elements are supported across all MetadataProvider types:

Name

Cardinality

Description

<MetadataFilter>anyMetadata filter plugins to run
<KeyInfoResolver>0 or 1Not generally used, it provides an extension point to override the low-level handling of <ds:KeyInfo> elements and would be necessary to add support for some kind of custom XML key representation

The following child elements are supported by the remote, on-demand MetadataProvider types (MDQDynamic):

Name

Cardinality

Description

<TrustEngine>0 or 1

A TrustEngine plugin to apply to a server's certificate when resolving metadata using a TLS-enabled URL.

This trust engine obviously cannot require the use of metadata to operate. If not supplied, the ignoreTransport attribute must be set to true to avoid a configuration error. This is done to prevent a misconfigured trust engine from resulting in insecure metadata resolution.

Additionally, exactly one of the following child elements must be present:

Name

Description

<Subst>

Simple transform whose element content consists of a string containing the substring "$entityID", into which the entityID value is substituted.

If this element contains a hashed attribute, the value must be the OpenSSL algorithm name of a digest algorithm (e.g. SHA1) to apply to the entityID.

If the element contains an encoded attribute set to "false", the value will be replaced directly, otherwise it will be URL-encoded first.

<Regex>

Complex transform containing a match attribute containing a regular expression against which the entityID value is applied, and whose element content contains a replacement expression to run based on the results of the match. Only numeric/positional group references (e.g. $1) are supported.

Example

Dynamic Metadata Source
<MetadataProvider type="Dynamic" id="mdq.example.org" ignoreTransport="true" cacheDirectory="mdq-example-org">
	<Subst hashed="SHA1">http://mdq.example.org/global/entities/$entityID</Subst>
	<MetadataFilter type="Signature" certificate="metadata-signing-key.pem"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="8640000"/>
</MetadataProvider>


  • No labels