[Shib-Users] IDP Metadata URL


Isaac Davis-King

Nov 18, 2008, 6:42:18 PM11/18/08
to shibbole...@internet2.edu
The shibboleth2.xml file has the MetadataGenerator handler that publishes the service provider metadata to a URL. Is there a similar mechanism for the identity provider, or does the IdP metadata need to be published manually?  Would there be anything wrong with directly exposing the IdP metadata using an Apache Alias statement (Alias /idp/Metadata /usr/local/idp/metadata/idp-metadata.xml)?

Thanks,

  - Isaac

Nate Klingenstein

Nov 18, 2008, 7:17:04 PM11/18/08
to shibbole...@internet2.edu
Isaac,

It needs to be published manually at present.  The IdP only generates metadata during installation, whereas the SP generates it dynamically by checking its own configuration.  I don't think there'd be anything wrong with setting up the alias you describe, so long as you're aware that as you make configuration changes, you'll need to manually change the metadata to match.

Take care,
Nate.

Scott Cantor

Nov 18, 2008, 9:26:05 PM11/18/08
to shibbole...@internet2.edu
Nate Klingenstein wrote:
> It needs to be published manually at present. The IdP only generates
> metadata during installation, whereas the SP generates it dynamically by
> checking its own configuration. I don't think there'd be anything wrong
> with setting up the alias you describe, so long as you're aware that as
> you make configuration changes, you'll need to manually change the
> metadata to match.

I think 2.1 includes the beginnings of something in the IdP, though I
believe for the moment it just returns the metadata that you load into the
IdP about the IdP. In effect the same as setting up an alias, but it's built-in.

-- Scott

Nate Klingenstein

Nov 18, 2008, 9:35:48 PM11/18/08
to shibbole...@internet2.edu
Yep, you're right.  I missed that change.  Cool. :D  For the sake of reference, here's the relevant configuration snippet in handler.xml:

    <ProfileHandler xsi:type="SAMLMetadata" metadataFile="/opt/shibboleth-idp/metadata/idp-metadata.xml">
        <RequestPath>/Metadata/SAML</RequestPath>
    </ProfileHandler>

which would make the path e.g. http://your.identity.org/idp/profile/Metadata/SAML.  So, if you'd like to use that feature in the future and you're not going to upgrade to 2.1 right now, you might select a similar path so that it doesn't change in the future.
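Both the Apache Alias and the SAMLMetadata handler serve a static file, so the published metadata drifts from the running IdP whenever the signing certificate or endpoints change, as Nate notes. The script below is an added example, not code from this thread or from Shibboleth: it compares the metadata file on disk with the copy fetched from the published URL and reports the entityID, signing-certificate and SSO-endpoint differences a relying party would trip over. The two metadata documents, the entityID and the certificate values are constructed for the demo.

```python
import xml.etree.ElementTree as ET

# SAML metadata and XML-DSig namespaces
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize(xml_text):
    """Extract entityID, signing certs and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    certs = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                certs.add("".join(c.text.split()))  # normalise base64 line wrapping
    sso = {e.get("Location") for e in root.iterfind(".//md:SingleSignOnService", NS)}
    return root.get("entityID"), certs, sso

def find_drift(local_xml, served_xml):
    """Compare the on-disk file with the served copy; empty list means in sync."""
    lid, lcerts, lsso = summarize(local_xml)
    sid, scerts, ssso = summarize(served_xml)
    problems = []
    if lid != sid:
        problems.append(f"entityID differs: local={lid} served={sid}")
    if lcerts != scerts:
        problems.append("signing certificate(s) differ")
    for loc in sorted(lsso - ssso):
        problems.append(f"SSO endpoint missing from served copy: {loc}")
    return problems

def _sample(cert, locations):
    """Constructed minimal IdP metadata for the demo (not real metadata)."""
    sso = "".join('<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:'
                  f'bindings:HTTP-Redirect" Location="{loc}"/>' for loc in locations)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idp.example.org/idp/shibboleth">'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing">'
            f'<ds:KeyInfo><ds:X509Certificate>{cert}</ds:X509Certificate></ds:KeyInfo>'
            f'</md:KeyDescriptor>{sso}</md:IDPSSODescriptor></md:EntityDescriptor>')

# Constructed case: the local file has a rotated cert and a new endpoint, the served copy was never updated.
LOCAL_XML = _sample("Q09OU1RSVUNURUQtTkVXLUNFUlQ=", ["https://idp.example.org/idp/profile/SAML2/Redirect/SSO"])
SERVED_XML = _sample("Q09OU1RSVUNURUQtT0xELUNFUlQ=", [])

if __name__ == "__main__":
    # Real use: local_xml = open(path).read(); served_xml = urllib.request.urlopen(url).read()
    for line in find_drift(LOCAL_XML, SERVED_XML) or ["metadata in sync"]:
        print(line)
```

Running it from cron against the live URL turns a silent drift into an alert before SPs start rejecting assertions.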