A Metadata Query Service can be queried for the metadata of individual entities (IdP/SP/Attribute Authority) in real time. This approach is also called Per-Entity Metadata. The conventional approach is to offer federation metadata as large XML files that have to be fetched, validated and processed by all participating systems. The per-entity approach consumes far fewer resources: each system only processes the metadata it needs at a given moment and caches it for a certain time. This procedure is based on the Metadata Query Protocol (see References).
A Metadata Query Service has to meet high requirements in terms of availability and resilience. DFN-AAI's pilot lets us gain experience and improve the service for production.
Please see the section on further hints and known issues below.
Important notice: The MDQ service does not deliver any local metadata! You still have to include these via a static metadata provider: type FileBackedHTTPMetadataProvider for Shibboleth IdPs, type XML for Shibboleth SPs.
URL for the production metadata (DFN-AAI, DFN-AAI-Basic) and eduGAIN:
http(s)://mdq.aai.dfn.de
URL for the metadata of the test federation (DFN-AAI-Test):
http(s)://mdq-test.aai.dfn.de
Certificate for the validation of the signature of DFN-AAI MDQ Metadata (PEM format)
SHA256 Fingerprint: 75:18:98:F6:E8:23:21:E8:B1:DC:71:6B:D0:AB:50:F0:C2:DB:9D:CE:4B:2B:A1:88:B1:42:DB:99:13:DB:0D:E9
https://www.aai.dfn.de/metadata/dfn-aai-mdq.pem
Shibboleth IdP, production metadata (DFN-AAI, DFN-AAI-Basic, eduGAIN):

<MetadataProvider id="dfn_aai_mdq_prod" xsi:type="DynamicHTTPMetadataProvider"
                  maxCacheDuration="PT1H" minCacheDuration="PT10M">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="/etc/ssl/aai/dfn-aai-mdq.pem"/>
    <MetadataQueryProtocol>http://mdq.aai.dfn.de</MetadataQueryProtocol>
</MetadataProvider>

Shibboleth IdP, test federation (DFN-AAI-Test):

<MetadataProvider id="dfn_aai_mdq_test" xsi:type="DynamicHTTPMetadataProvider"
                  maxCacheDuration="PT1H" minCacheDuration="PT10M">
    <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                    certificateFile="/etc/ssl/aai/dfn-aai-mdq.pem"/>
    <MetadataQueryProtocol>http://mdq-test.aai.dfn.de</MetadataQueryProtocol>
</MetadataProvider>

Shibboleth SP, production metadata (cache durations are given in seconds here):

<MetadataProvider type="MDQ" id="dfn_aai_mdq_prod" ignoreTransport="true"
                  cacheDirectory="mdq-aai-dfn-de"
                  maxCacheDuration="3600" minCacheDuration="600"
                  baseUrl="https://mdq.aai.dfn.de">
    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai-mdq.pem"/>
</MetadataProvider>
We are happy to document further filter mechanisms on demand.
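The following script is an added example and is not DFN-AAI's or Shibboleth's own code. It shows, from the client side, what the configuration above makes the IdP/SP do: build the per-entity request URL the Metadata Query Protocol prescribes (the entityID percent-encoded, or the "{sha1}" transformed identifier), convert the xs:duration cache settings of the IdP (PT1H, PT10M) into the seconds the SP expects (3600, 600), compare the SHA-256 fingerprint of the downloaded signing certificate with the one published above, and run the basic checks on a response (single EntityDescriptor root, matching entityID, validUntil not in the past). XML signature verification is deliberately left to the SignatureValidation/Signature filter of the real software. The sample documents and the entityID https://idp.example.org/idp/shibboleth are constructed; the only network function, fetch_entity, is not needed to run the rest.

```python
"""Added example (not DFN-AAI code): MDQ request URLs, cache-duration conversion,
certificate fingerprint check and sanity checks on a per-entity response."""
import base64
import hashlib
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Fingerprint of the DFN-AAI MDQ signing certificate as published on the page.
DFN_MDQ_SHA256 = ("75:18:98:F6:E8:23:21:E8:B1:DC:71:6B:D0:AB:50:F0:"
                  "C2:DB:9D:CE:4B:2B:A1:88:B1:42:DB:99:13:DB:0D:E9")


def mdq_entity_url(base_url: str, entity_id: str, sha1_transform: bool = False) -> str:
    """The Metadata Query Protocol addresses one entity as <base>/entities/<identifier>.
    The identifier is either the entityID itself, percent-encoded (':' and '/' included),
    or the transformed form "{sha1}" + lowercase hex SHA-1 of the entityID, again
    percent-encoded (the braces become %7B / %7D)."""
    if sha1_transform:
        ident = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    else:
        ident = entity_id
    return base_url.rstrip("/") + "/entities/" + urllib.parse.quote(ident, safe="")


def iso_duration_seconds(value: str) -> int:
    """Convert the xs:duration values of the IdP config (PT1H, PT10M) into the plain
    seconds the SP config uses (3600, 600). Days, hours, minutes and seconds only."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def cert_sha256_fingerprint(pem: bytes) -> str:
    """SHA-256 over the DER body of a PEM certificate, as colon-separated upper-case
    hex, i.e. the format of the fingerprint published next to the MDQ certificate."""
    body = b"".join(line.strip() for line in pem.splitlines()
                    if line.strip() and not line.strip().startswith(b"-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_entity_descriptor(xml_bytes: bytes, expected_entity_id: str, now=None) -> dict:
    """Checks an IdP/SP applies to an MDQ response before trusting it (signature
    verification excluded). An md:EntitiesDescriptor root is exactly the case the
    IdP logs as "Document root was not an EntityDescriptor"."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)  # prefer defusedxml for untrusted input in production
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"Document root was not an EntityDescriptor: {root.tag}")
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        raise ValueError(f"entityID mismatch: got {entity_id!r}")
    valid_until = root.get("validUntil")
    if valid_until:  # SAML dateTime values are UTC; fractional seconds are ignored
        exp = datetime.strptime(valid_until[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        if exp <= now:
            raise ValueError(f"metadata expired at {valid_until}")
    return {"entityID": entity_id, "validUntil": valid_until,
            "cacheDuration": root.get("cacheDuration")}


def is_usable(xml_bytes: bytes, expected_entity_id: str) -> bool:
    """True if check_entity_descriptor accepts the document."""
    try:
        check_entity_descriptor(xml_bytes, expected_entity_id)
        return True
    except (ValueError, ET.ParseError):
        return False


def fetch_entity(base_url: str, entity_id: str, timeout: float = 10.0) -> bytes:
    """Live per-entity lookup over the network (not exercised offline)."""
    req = urllib.request.Request(mdq_entity_url(base_url, entity_id),
                                 headers={"Accept": "application/samlmetadata+xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


# Constructed sample documents; not real DFN-AAI metadata.
SAMPLE_ENTITY_ID = "https://idp.example.org/idp/shibboleth"
SAMPLE_OK = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{SAMPLE_ENTITY_ID}"
    validUntil="2030-01-01T00:00:00Z" cacheDuration="PT1H">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>""".encode()
SAMPLE_EXPIRED = SAMPLE_OK.replace(b"2030-01-01", b"2020-01-01")
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="constructed">
  <md:EntityDescriptor entityID="{SAMPLE_ENTITY_ID}"/>
</md:EntitiesDescriptor>""".encode()

if __name__ == "__main__":
    print(mdq_entity_url("https://mdq.aai.dfn.de", SAMPLE_ENTITY_ID))
    print(mdq_entity_url("https://mdq.aai.dfn.de", SAMPLE_ENTITY_ID, sha1_transform=True))
    print(check_entity_descriptor(SAMPLE_OK, SAMPLE_ENTITY_ID))
```

To check the downloaded certificate, read https://www.aai.dfn.de/metadata/dfn-aai-mdq.pem from disk and compare cert_sha256_fingerprint() with DFN_MDQ_SHA256 before pointing certificateFile/certificate at it; a mismatch means the file must not be used.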
General:
If you have defined static metadata providers (e.g. FileBackedHTTPMetadataProvider) in addition to the dynamic metadata query, the MDQ or DynamicHTTPMetadataProvider should be listed after the static ones. This prevents the IdP/SP from running metadata queries for entities that are already available from the static metadata.
Shibboleth IdP:
Failed metadata queries are logged like this in the IdP: Document root was not an EntityDescriptor: org.opensaml.saml.saml2.metadata.impl.EntitiesDescriptorImpl
Shibboleth SP < 3.2.0:
After every restart the SP logs a misleading warning that the cache directory cannot be created, although it already exists. See https://issues.shibboleth.net/jira/browse/SSPCPP-916
Please let us know if you run into any other errors (hotline@aai.dfn.de).