Once a university or a research institution has an Identity Provider up and running, it makes sense to protect as many in-house services as possible with SP software, giving users a unified login experience. Here are a few examples of possible applications:
These services should generally not be accessible to members of other home institutions, which is why you do not register them in DFN-AAI or DFN-AAI-Basic. The Metadata Administration Tool offers a different solution: you can activate the automatic generation of a so-called local metadata file that contains only your IdP and your in-house SPs and is therefore specific to your institution. All local metadata files are regenerated hourly and can be fetched from static URLs, so that the IdP and all local SPs always have up-to-date and valid metadata. The big advantage is that metadata is maintained in a single place; changes then propagate automatically to all participating systems that fetch the local metadata regularly. If you maintain your in-house SPs as local SPs, we will notify you about expiring certificates just as if those systems were taking part in DFN-AAI.
We start generating a local metadata file for your organization as soon as you add your first SP to local metadata. The download URL is shown in the metadata administration tool, in your organization's overview, under the local metadata section.
You can optionally limit access to the download URL to certain IP address ranges.
Add an additional <MetadataProvider> element to ./conf/metadata-providers.xml:
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider" ...>
    <!-- ... -->
    <!-- Federation metadata (all DFN-AAI SPs), signature-checked against the DFN-AAI certificate -->
    <MetadataProvider id="DFN_AAI" xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/dfn-aai-sp-metadata.xml"
                      metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-sp-metadata.xml"
                      maxRefreshDelay="PT2H">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                        certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
    </MetadataProvider>
    <!-- Local metadata (your own IdP plus your in-house SPs). The role filter keeps
         only the SP roles from this feed, since the feed also contains your IdP. -->
    <MetadataProvider id="DFN_AAI_Local" xsi:type="FileBackedHTTPMetadataProvider"
                      backingFile="%{idp.home}/metadata/dfn-aai-local-999-metadata.xml"
                      metadataURL="http://www.aai.dfn.de/metadata/dfn-aai-local-999-metadata.xml"
                      maxRefreshDelay="PT2H">
        <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                        certificateFile="/etc/ssl/aai/dfn-aai.pem"/>
        <MetadataFilter xsi:type="EntityRoleWhiteList">
            <RetainedRole>md:SPSSODescriptor</RetainedRole>
        </MetadataFilter>
    </MetadataProvider>
</MetadataProvider>
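To see what the EntityRoleWhiteList filter in the IdP configuration above does to the local feed, here is an added Python example (not code from DFN-AAI or the Shibboleth project) that models the filter on a constructed local metadata sample and also checks the feed's validUntil, the attribute that the hourly regeneration keeps fresh. The sample entityIDs under example.org and the modelled filter semantics (drop non-retained roles, then drop entities left without a role) are assumptions.

```python
"""Model of the EntityRoleWhiteList filter applied to a local metadata feed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
# SAML metadata role descriptor element names the filter can retain or drop.
ROLE_ELEMENTS = {
    "IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor",
    "AuthnAuthorityDescriptor", "PDPDescriptor",
}

# Constructed sample: a local feed holding the institution's IdP and two in-house SPs.
SAMPLE_LOCAL_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}"
    Name="local-example" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wiki.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://git.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def apply_role_whitelist(metadata_xml, retained_roles=("SPSSODescriptor",)):
    """Keep only the listed roles and drop entities left without any role.

    Returns the entityIDs that survive, in document order (assumed filter semantics).
    """
    root = ET.fromstring(metadata_xml)
    for entity in list(root.findall("md:EntityDescriptor", NS)):
        for child in list(entity):
            local_name = child.tag.rsplit("}", 1)[-1]
            if local_name in ROLE_ELEMENTS and local_name not in retained_roles:
                entity.remove(child)
        if not any(c.tag.rsplit("}", 1)[-1] in ROLE_ELEMENTS for c in entity):
            root.remove(entity)
    return [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)]


def seconds_until_expiry(metadata_xml, now=None):
    """Seconds left before validUntil; a negative value means the feed is stale."""
    root = ET.fromstring(metadata_xml)
    valid_until = datetime.fromisoformat(root.get("validUntil").replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return (valid_until - now).total_seconds()
```

With the default retained role the IdP entry disappears from the result and only the two in-house SPs remain, which is the set of entities the IdP actually needs from its local feed.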
Add an additional metadata provider in /etc/shibboleth/shibboleth2.xml:
...
<MetadataProvider type="XML" url="http://www.aai.dfn.de/metadata/dfn-aai-local-999-metadata.xml"
                  validate="true" backingFilePath="dfn-aai-local-999-metadata.xml"
                  reloadInterval="3600">
    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem"/>
</MetadataProvider>
...