In many cases, the MDQ plugin may be easier to configure.
Identified by type="Dynamic", this MetadataProvider loads metadata on demand from an HTTP server. The URL accessed is derived from the peer's entityID: it may be the entityID itself, used literally as the URL, or, more commonly, a URL constructed from the entityID by a simple substitution or transform. The provider is designed to be reliable and efficient: it caches in memory and on disk, and it avoids unnecessary re-processing through HTTP caching support. Because each entity's metadata is fetched from a remote server at runtime, its authenticity must be established independently, either by a signature-checking MetadataFilter or by trust in the server's TLS certificate (see the TrustEngine child element and the transport-related attributes below).
The type="Dynamic" attribute must be present; it specifies the exact type of metadata plugin to use. The remaining attributes are:

| Type | Default | Description |
|---|---|---|
| string | | A label for the metadata source, used in logging and status reporting |
| boolean | false | Whether the XML should be schema-validated before it is parsed. Some sources of metadata (e.g., ADFS) may contain a large number of extensions; the SP now includes a number of additional schemas to make validation of such extensions possible, but there are always exceptions. |
| time in seconds | 1800 (30 mins) | Time in seconds between runs of the background thread that scans for expired cached metadata and removes it from memory. Setting this to 0 disables cleanup, but memory usage may then grow. |
| time in seconds | 1800 (30 mins) | Extra time to leave recently-unused entries in the cache before the background cleanup process removes them |
| time in seconds | 28800 (8 hours) | Upper bound on the time before an attempt to reload metadata for an entity |
| time in seconds | 600 (10 mins) | Lower bound on the time before an attempt to reload metadata for an entity |
| decimal | 0.75 | Factor applied to the metadata's own validity or caching period to determine the reload interval to use. Once applied, the result is bounded by the |
| | | Controls whether lookup failures are cached (for the Defaults to "true" for remote dynamic metadata providers ( |
| | | Defines a directory in which downloaded metadata will be cached. During startup the directory is also scanned and the metadata loaded to prime the in-memory cache. This directory should be unique for every metadata provider configured. A relative path is resolved relative to the /var/cache/shibboleth root, and the directory is created if it does not exist. |
| boolean | true | Flag indicating whether the plugin should initialize itself from the cache in the background to improve startup time. It has no effect if |
| boolean | true | If true, attempts to resolve metadata using a TLS-enabled URL will verify the hostname in the server's certificate against the expected hostname (but this is the extent of the validation performed unless other configuration is in place) |
| boolean | false | If true, authentication of the transport layer will be ignored when resolving metadata. If false, a |
| string | "application/samlmetadata+xml" | Overrides the standard Accept header used to request the SAML metadata content type |
Child elements:

| Cardinality | Description |
|---|---|
| any | Metadata filter plugins to run |
| 0 or 1 | Not generally used; it provides an extension point to override the low-level handling of |
| 0 or 1 | A TrustEngine plugin to apply to the server's certificate when resolving metadata using a TLS-enabled URL. This trust engine obviously cannot require the use of metadata to operate, since the metadata is what is being fetched. If not supplied, the |
Additionally, exactly one of the following child elements must be present:
Simple transform whose element content is a string containing the substring "$entityID", into which the entityID value is substituted to form the URL.
If this element contains a
If the element contains an
Complex transform containing a
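As an added example, not taken from the original page or from the Shibboleth project's own documentation, the following fragment for the SP configuration file contrasts a weak Dynamic provider with two hardened variants built from the settings above. The attribute and element names used here (id, ignoreTransport, verifyHost, cacheDirectory, minCacheDuration, maxCacheDuration, negativeCache, Subst, MetadataFilter type="Signature", MetadataFilter type="RequireValidUntil", TrustEngine type="StaticPKIX" with a certificate attribute) are assumed from the SP plugin's configuration syntax; the host mdq.example.org, the cache directory names and the PEM file names are placeholders.

```xml
<!-- Added example: weak vs. hardened Dynamic MetadataProvider.
     Attribute/element names are assumed from the SP configuration syntax;
     hosts, directory names and file names are placeholders. -->

<!-- WEAK: transport authentication is switched off and no filter verifies
     the metadata itself, so whoever can answer for mdq.example.org (DNS,
     proxy, on-path) can hand the SP arbitrary entity descriptors, including
     the signing keys the SP will then trust for assertions. -->
<MetadataProvider type="Dynamic" id="mdq-weak"
                  ignoreTransport="true"
                  cacheDirectory="mdq-weak">
    <Subst>https://mdq.example.org/entities/$entityID</Subst>
</MetadataProvider>

<!-- HARDENED (signed metadata): integrity comes from the XML signature on
     each response, checked against a signing certificate distributed out of
     band. Transport trust is then irrelevant to integrity, so
     ignoreTransport="true" is acceptable: an on-path attacker can observe or
     deny lookups but cannot forge metadata. -->
<MetadataProvider type="Dynamic" id="mdq-signed"
                  ignoreTransport="true"
                  cacheDirectory="mdq-signed"
                  minCacheDuration="600"
                  maxCacheDuration="28800"
                  negativeCache="true">
    <Subst>https://mdq.example.org/entities/$entityID</Subst>
    <!-- Pinned signing certificate of the metadata service (placeholder
         file name). Unsigned or wrongly signed responses are rejected. -->
    <MetadataFilter type="Signature" certificate="mdq-signer.pem"/>
    <!-- Refuse descriptors without a validUntil, and cap how long one may be
         considered valid (28 days here), so stale keys are not served from
         the on-disk cache indefinitely. -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
</MetadataProvider>

<!-- HARDENED (TLS trust): ignoreTransport keeps its default of false,
     verifyHost keeps the hostname check, and a TrustEngine that does not
     itself depend on metadata pins the CA that issued the server's
     certificate. Without the TrustEngine, hostname matching alone is the
     only check performed on the server certificate. -->
<MetadataProvider type="Dynamic" id="mdq-tls"
                  verifyHost="true"
                  cacheDirectory="mdq-tls">
    <Subst>https://mdq.example.org/entities/$entityID</Subst>
    <TrustEngine type="StaticPKIX" certificate="mdq-tls-ca.pem"/>
</MetadataProvider>
```

Each provider uses its own cacheDirectory, as the attribute description requires, so that primed caches from one source can never be served as another's. Of the two hardened forms, the signed-metadata one is preferable where the service signs its responses: it survives changes to the TLS deployment and does not make the SP's trust decisions depend on a CA.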