Differences

This shows you the differences between two versions of the page.

--- en:aai:mdq [2021/07/14 13:26] – partly translated Silke Meyer
+++ en:aai:mdq [2024/02/02 09:44] (current) – Wolfgang Pempe
@@ Line 1: / Line 1: @@
-FIXME **This page is not fully translated, yet.**
 ====== Metadata Query Service (MDQ) ======
@@ Line 8: / Line 6: @@
 ===== Explanation =====
-A **Metadata Query Service** can be queried for the metadata of individual entities (IdP/SP/Attribute Authority) in real-time. This approach is also called **Per-Entity Metadata**. The conventional approach is to offer federation metadata as huge xml files that have to be fetched, validated and processed by all participating systems. The per-entity approach consumes much less resources: All systems just process the metadata they need in given moment, and cache them for a certain time. This procedure is based on the **Metadata Query Protocol** (see [[#references|References]]).
+A **Metadata Query Service** can be queried for the metadata of individual entities (IdP/SP/Attribute Authority) in real-time. This approach is also called **Per-Entity Metadata**. The conventional approach is to offer federation metadata as huge xml files that have to be fetched, validated and processed by all participating systems. The per-entity approach consumes much less resources: All systems just process the metadata they need in a given moment, and cache them for a certain time. This procedure is based on the **Metadata Query Protocol** (see [[#references|References]]).
 A Metadata Query Service has to meet high requirements in terms of availability and resilience. DFN-AAI's pilot lets us gain experience and improve the service for production.
-Please note
+Please see the section on [[en:aai:mdq#further_hints_and_known_issues|further hints and known issues]] below.
-Beachten Sie bitte auch die [[de:aai:mdq#weitere_hinweise_und_bekannte_probleme|weiteren Hinweise]] unten.
 **Important notice:** The MDQ service does not deliver **any** [[de:metadata_local|local metadata]]! You still have to include them via a static metadata provider, type ''FileBackedHTTPMetadataProvider'' for Shibboleth IdPs, type ''XML'' for Shibboleth SPs.
@@ Line 24: / Line 20: @@
 **Certificate for the validation of the signature of DFN-AAI MDQ Metadata** (PEM format) \\
-SHA256 Fingerprint: 73:5B:9E:76:8A:A6:33:73:4D:3E:C6:D2:1E:98:B3:D9:03:74:B9:87:16:52:16:53:32:26:9A:B2:55:FC:CA:D2 \\
+SHA256 Fingerprint: 75:18:98:F6:E8:23:21:E8:B1:DC:71:6B:D0:AB:50:F0:C2:DB:9D:CE:4B:2B:A1:88:B1:42:DB:99:13:DB:0D:E9 \\
-https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-mdq.pem
+https://www.aai.dfn.de/metadata/dfn-aai-mdq.pem
 ===== Examples =====
@@ Line 53: / Line 49: @@
 </file>
-We are happy to document further filter mechanisms [[hotline@aai.dfn.de|on demand]].
 ==== Shibboleth SP 3.2.x ====
@@ Line 72: / Line 67: @@
 </file>
-=== Ausschließlich IdPs aus DFN-AAI Advanced ===
+We are happy to document further filter mechanisms [[hotline@aai.dfn.de|on demand]].
-(Zur Unterscheidung zwischen "Advanced" und "Basic" siehe die Erläuterungen zu den [[de:degrees_of_reliance|Verlässlichkeitsklassen]])
-**Wichtig:** damit der u.g. Filter funktioniert, muss im Root-Element ''SPConfig'' der Datei ''shibboleth2.xml'' der Namespace ''xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'' gesetzt sein.
-<file xml /etc/shibboleth/shibboleth2.xml>
-    <MetadataProvider type="MDQ" id="dfn_aai_mdq_advanced_only" ignoreTransport="true"
-                  cacheDirectory="mdq-aai-dfn-de"
-                  maxCacheDuration="3600" minCacheDuration="600"
-                  baseUrl="https://mdq.aai.dfn.de">
-           <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai-mdq.pem"/>
-           <MetadataFilter type="Include" matcher="EntityAttributes">
-               <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
-                 <saml:AttributeValue>advanced</saml:AttributeValue>
-               </saml:Attribute>
-           </MetadataFilter>
-    </MetadataProvider>
-</file>
-Weitere Filtermöglichkeiten werden gerne auf [[hotline@aai.dfn.de|Anfrage]] dokumentiert.
-\\
-===== Weitere Hinweise und bekannte Probleme =====
+===== Further hints and known issues =====
-**Allgemein:** \\
+**General:** \\
-Sofern in der Metadata Provider Konfiguration weitere, 'statische' (z.B. ''FileBackedHTTPMetadataProvider'') ''MetadataProvider'' definiert sind, sollten ''MetadataProvider''-Elemente des Typs das ''MDQ'' bzw. ''DynamicHTTPMetadataProvider'' ganz am Ende eingefügt werden. Ansonsten führt der IdP/SP jedes Mal eine Metadata Query aus, auch wenn die betreffende Entity bereits über die statischen Metadaten verfügbar ist.
+If you have defined static metadata providers (e.g. ''FileBackedHTTPMetadataProvider'') in addition to dynamic metadata query, the ''MDQ'' resp. ''DynamicHTTPMetadataProvider'' should be appended after the static ones. This prevents the IdP/SP from running metadata queries for entities that are available from the static metadata.
 **Shibboleth IdP:** \\
-Bei nicht erfolgreichen Metadata Queries erscheint eine Warnung im Log: ''Document root was not an EntityDescriptor: org.opensaml.saml.saml2.metadata.impl.EntitiesDescriptorImpl''
+Failed metadata queries are logged like this in the IdP: ''Document root was not an EntityDescriptor: org.opensaml.saml.saml2.metadata.impl.EntitiesDescriptorImpl''
 **Shibboleth SP < 3.2.0:** \\
-Im SP-Log erscheint nach jedem Neustart die irreführende Warnung, dass das Caching-Verzeichnis nicht nicht angelegt werden kann. Es existiert bereits. Siehe https://issues.shibboleth.net/jira/browse/SSPCPP-916
+After every restart the SP logs a misleading warning about the cache directory that cannot be created. It already exists. See https://issues.shibboleth.net/jira/browse/SSPCPP-916
-**Sonstige Fehler** bitte an [[hotline@aai.dfn.de|hotline@aai.dfn.de]] melden.
+Please let us know if you run into any **other errors** ([[hotline@aai.dfn.de|hotline@aai.dfn.de]]).
 \\
 ===== References =====
-  * [[https://datatracker.ietf.org/doc/draft-young-md-query/|Spezifikation Metadata Query Protocol]]
+  * [[https://datatracker.ietf.org/doc/draft-young-md-query/|Specification of the Metadata Query Protocol]]
   * Shibboleth Wiki
     * [[https://wiki.shibboleth.net/confluence/display/IDP4/MetadataManagementBestPractices#MetadataManagementBestPractices-DynamicHTTPMetadataProvider|Metadata Management Best Practices]]
-    * [[https://wiki.shibboleth.net/confluence/display/IDP4/DynamicHTTPMetadataProvider|Konfiguration Identity Provider]]
+    * [[https://wiki.shibboleth.net/confluence/display/IDP4/DynamicHTTPMetadataProvider|Identity Provider Configuration]]
-    * [[https://wiki.shibboleth.net/confluence/display/SP3/MDQMetadataProvider|Konfiguration Service Provider]]
+    * [[https://wiki.shibboleth.net/confluence/display/SP3/MDQMetadataProvider|Service Provider Configuration]]
-  * Ausführliche [[https://spaces.at.internet2.edu/display/MDQ/Introducing+per-entity+metadata+service|Doku im InCommon Wiki]] (US-Föderation)
+  * Detailed [[https://spaces.at.internet2.edu/display/MDQ/Introducing+per-entity+metadata+service|documentation on InCommon Wiki]] (US federation)
-{{tag>metadata idp4 sp3}}
+{{tag>metadata idp4 sp3 mdq}}

metadata idp4 sp3 mdq