en:aai:mdq [2021/07/14 13:57] – Silke Meyer (previous revision: 2021/07/14 13:26 – partly translated, Silke Meyer)

====== Metadata Query Service (MDQ) ======


===== Explanation =====
A **Metadata Query Service** can be queried in real time for the metadata of individual entities (IdP/SP/Attribute Authority). This approach is also called **Per-Entity Metadata**. The conventional approach is to offer federation metadata as huge XML files that have to be fetched, validated and processed by all participating systems. The per-entity approach consumes far fewer resources: each system only processes the metadata it needs at a given moment and caches it for a certain time. This procedure is based on the **Metadata Query Protocol** (see [[#references|References]]).

A Metadata Query Service has to meet high requirements in terms of availability and resilience. DFN-AAI's pilot lets us gain experience and improve the service for production.

Please see the section on [[en:aai:mdq#further_hints_and_known_issues|further hints and known issues]] below.

**Important notice:** The MDQ service does not deliver **any** [[de:metadata_local|local metadata]]! You still have to include them via a static metadata provider, type ''FileBackedHTTPMetadataProvider'' for Shibboleth IdPs, type ''XML'' for Shibboleth SPs.
</file>

=== Filter IdPs from DFN-AAI Advanced ===
(For the distinction between "Advanced" and "Basic", see [[en:degrees_of_reliance|Degrees of Reliance]])

**Important:** In ''shibboleth2.xml'', the namespace ''xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'' has to be set on the root element ''SPConfig'' for this filter to work.

<file xml /etc/shibboleth/shibboleth2.xml>
</file>

We are happy to document further filter mechanisms [[hotline@aai.dfn.de|on request]].

===== Further hints and known issues =====
**General:** \\
If, in addition to the dynamic metadata query, you have defined static metadata providers (e.g. ''FileBackedHTTPMetadataProvider''), the ''MetadataProvider'' element of type ''MDQ'' or ''DynamicHTTPMetadataProvider'' should be placed last, after the static ones. Otherwise the IdP/SP runs a metadata query every time, even for entities that are already available from the static metadata.
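The following is an added example, not DFN-AAI's code and not part of the Shibboleth software: a small Python model of a Metadata Query Protocol client that illustrates three things from this page, namely how a per-entity request URL is formed from an entityID (percent-encoded or ''{sha1}''-transformed, as in the draft specification), which checks a consumer makes on the response before trusting it (root element must be a single ''EntityDescriptor'', which is exactly the failure the IdP warning below reports, the entityID must match, and ''validUntil'' must not have passed), and why a static provider should precede the MDQ provider in a chain. The base URL ''https://mdq.example.org/'', the entityIDs, the clock value and the metadata documents are all constructed for the example; signature verification of the response is assumed to happen elsewhere and is not modelled.

```python
"""Added example, not DFN-AAI's or the Shibboleth project's code: a minimal
Metadata Query Protocol client with a static-first provider chain. The base URL,
entityIDs and metadata documents are constructed for the example."""
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_TAG = "{%s}EntityDescriptor" % MD_NS
MDQ_BASE = "https://mdq.example.org/"  # assumed base URL, not the pilot's real one


def mdq_url(entity_id, use_sha1=False):
    """Per-entity request URL per draft-young-md-query: <base>/entities/<id>, where
    <id> is the percent-encoded entityID or the "{sha1}<hex>" transform of it."""
    ident = ("{sha1}" + hashlib.sha1(entity_id.encode()).hexdigest()) if use_sha1 else entity_id
    return MDQ_BASE.rstrip("/") + "/entities/" + urllib.parse.quote(ident, safe="")


def parse_response(xml_text, requested_id, now):
    """Checks before trusting a response (signature verification is assumed to be
    done by the surrounding XML layer and is omitted here): the root must be a
    single EntityDescriptor (an EntitiesDescriptor root is the failure the IdP
    logs), the entityID must match, and validUntil must not have passed."""
    root = ET.fromstring(xml_text)
    if root.tag != ENTITY_TAG:
        raise ValueError("Document root was not an EntityDescriptor: %s" % root.tag)
    if root.get("entityID") != requested_id:
        raise ValueError("entityID %r does not match requested %r" % (root.get("entityID"), requested_id))
    valid_until = root.get("validUntil")
    if valid_until is not None:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry.timestamp() <= now:
            raise ValueError("metadata for %s expired at %s" % (requested_id, valid_until))
    return root


class StaticProvider:
    """Stands in for FileBackedHTTPMetadataProvider / type="XML": one aggregate file."""
    def __init__(self, aggregate_xml):
        root = ET.fromstring(aggregate_xml)
        self.entities = {e.get("entityID"): e for e in root.iter(ENTITY_TAG)}

    def resolve(self, entity_id, now):
        return self.entities.get(entity_id)


class MDQProvider:
    """Stands in for DynamicHTTPMetadataProvider / type="MDQ", with a simple cache."""
    def __init__(self, fetch, cache_seconds=3600):
        self.fetch = fetch                  # callable(url) -> XML text, injected to stay offline
        self.cache_seconds = cache_seconds
        self.cache = {}                     # entityID -> (expires_at, EntityDescriptor)
        self.queries = 0                    # number of real MDQ requests made

    def resolve(self, entity_id, now):
        cached = self.cache.get(entity_id)
        if cached and cached[0] > now:
            return cached[1]
        self.queries += 1
        try:
            ed = parse_response(self.fetch(mdq_url(entity_id)), entity_id, now)
        except (KeyError, ValueError, ET.ParseError) as exc:  # HTTP 404 or invalid document
            print("WARN metadata query failed for %s: %s" % (entity_id, exc))
            return None
        self.cache[entity_id] = (now + self.cache_seconds, ed)
        return ed


class ChainingProvider:
    """The first provider that knows the entity wins, so the order matters."""
    def __init__(self, *providers):
        self.providers = providers

    def resolve(self, entity_id, now):
        for provider in self.providers:
            ed = provider.resolve(entity_id, now)
            if ed is not None:
                return ed
        return None


LOCAL_SP = "https://sp.local.example/shibboleth"           # constructed
REMOTE_IDP = "https://idp.remote.example/idp/shibboleth"   # constructed
BROKEN_IDP = "https://broken.example/idp"                  # constructed
NOW = 1_700_000_000.0  # fixed clock (2023-11-14 UTC) so the example is deterministic

STATIC_XML = ('<EntitiesDescriptor xmlns="%s"><EntityDescriptor entityID="%s"/>'
              '</EntitiesDescriptor>' % (MD_NS, LOCAL_SP))
# Constructed MDQ server: one correct per-entity answer and one mis-served aggregate.
FAKE_SERVER = {
    mdq_url(REMOTE_IDP): '<EntityDescriptor xmlns="%s" entityID="%s" '
                         'validUntil="2023-12-31T00:00:00Z"/>' % (MD_NS, REMOTE_IDP),
    mdq_url(BROKEN_IDP): STATIC_XML,
}


def fake_fetch(url):
    return FAKE_SERVER[url]  # KeyError plays the role of HTTP 404


def count_queries(static_first):
    """Resolve the local SP, then the remote IdP twice; return the MDQ request count."""
    static, mdq = StaticProvider(STATIC_XML), MDQProvider(fake_fetch)
    chain = ChainingProvider(static, mdq) if static_first else ChainingProvider(mdq, static)
    for eid in (LOCAL_SP, REMOTE_IDP, REMOTE_IDP):
        assert chain.resolve(eid, NOW) is not None
    return mdq.queries


def aggregate_root_error():
    """The failure the Shibboleth IdP reports when the root is an EntitiesDescriptor."""
    try:
        parse_response(fake_fetch(mdq_url(BROKEN_IDP)), BROKEN_IDP, NOW)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("static first:", count_queries(True), "query; MDQ first:", count_queries(False), "queries")
    print(aggregate_root_error())
```

With the static provider first, the local SP is never looked up remotely and the remote IdP causes exactly one request (the second lookup is served from the cache); with the MDQ provider first, the lookup of the local entity also goes to the query service and fails before the static file is consulted.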

**Shibboleth IdP:** \\
Failed metadata queries are logged in the IdP as a warning: ''Document root was not an EntityDescriptor: org.opensaml.saml.saml2.metadata.impl.EntitiesDescriptorImpl''

**Shibboleth SP < 3.2.0:** \\
After every restart the SP logs a misleading warning that the cache directory cannot be created, although it already exists. See https://issues.shibboleth.net/jira/browse/SSPCPP-916

Please report any **other errors** to [[hotline@aai.dfn.de|hotline@aai.dfn.de]].

\\

===== References =====
  * [[https://datatracker.ietf.org/doc/draft-young-md-query/|Specification of the Metadata Query Protocol]]
  * Shibboleth Wiki
    * [[https://wiki.shibboleth.net/confluence/display/IDP4/MetadataManagementBestPractices#MetadataManagementBestPractices-DynamicHTTPMetadataProvider|Metadata Management Best Practices]]
    * [[https://wiki.shibboleth.net/confluence/display/IDP4/DynamicHTTPMetadataProvider|Identity Provider Configuration]]
    * [[https://wiki.shibboleth.net/confluence/display/SP3/MDQMetadataProvider|Service Provider Configuration]]
  * Detailed [[https://spaces.at.internet2.edu/display/MDQ/Introducing+per-entity+metadata+service|documentation in the InCommon Wiki]] (US federation)

{{tag>metadata idp4 sp3 mdq}}