
Metadata Query Service (MDQ)

Pilot - Use at your own risk!

Our Metadata Query Service is still running in pilot operation. There is currently no guarantee for its availability, flawlessness and stability. You are very welcome to share your experience or error reports with us at hotline@aai.dfn.de.

A Metadata Query Service can be queried for the metadata of individual entities (IdP/SP/Attribute Authority) in real time. This approach is also called Per-Entity Metadata. The conventional approach is to offer federation metadata as large XML files that have to be fetched, validated and processed in full by all participating systems. The per-entity approach consumes far fewer resources: each system only processes the metadata it needs at a given moment and caches it for a certain time. This procedure is based on the Metadata Query Protocol (see References).

A Metadata Query Service has to meet high requirements in terms of availability and resilience. DFN-AAI's pilot lets us gain experience and improve the service for production.

Please note

Please also read the further notes below.

Important notice: The MDQ service does not deliver any local metadata! You still have to include them via a static metadata provider: type FileBackedHTTPMetadataProvider for Shibboleth IdPs, type XML for Shibboleth SPs.

URL for the production metadata (DFN-AAI, DFN-AAI-Basic) and eduGAIN:

http(s)://mdq.aai.dfn.de

URL for the metadata of the test federation (DFN-AAI-Test):

http(s)://mdq-test.aai.dfn.de

Certificate for the validation of the signature of DFN-AAI MDQ Metadata (PEM format)
SHA256 Fingerprint: 73:5B:9E:76:8A:A6:33:73:4D:3E:C6:D2:1E:98:B3:D9:03:74:B9:87:16:52:16:53:32:26:9A:B2:55:FC:CA:D2
https://www.aai.dfn.de/fileadmin/metadata/dfn-aai-mdq.pem

Production (DFN-AAI, DFN-AAI-Basic) and eduGAIN

./conf/metadata-providers.xml
    <MetadataProvider id="dfn_aai_mdq_prod" xsi:type="DynamicHTTPMetadataProvider"
                  maxCacheDuration="PT1H" minCacheDuration="PT10M">
           <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                  certificateFile="/etc/ssl/aai/dfn-aai-mdq.pem"/>
           <MetadataQueryProtocol>http://mdq.aai.dfn.de</MetadataQueryProtocol>
    </MetadataProvider>

Test Federation (DFN-AAI-Test)

./conf/metadata-providers.xml
    <MetadataProvider id="dfn_aai_mdq_test" xsi:type="DynamicHTTPMetadataProvider"
                  maxCacheDuration="PT1H" minCacheDuration="PT10M">
           <MetadataFilter xsi:type="SignatureValidation" requireSignedRoot="true"
                  certificateFile="/etc/ssl/aai/dfn-aai-mdq.pem"/>
           <MetadataQueryProtocol>http://mdq-test.aai.dfn.de</MetadataQueryProtocol>
    </MetadataProvider>

We are happy to document further filter mechanisms on demand.

Important Notice

Importing metadata via MDQ only makes sense if the SP does not rely on imported federation metadata to generate an IdP list for its Discovery Service. This is how Shibboleth EDS (Link in German) works.

Production (DFN-AAI, DFN-AAI-Basic) and eduGAIN

/etc/shibboleth/shibboleth2.xml
    <MetadataProvider type="MDQ" id="dfn_aai_mdq_prod" ignoreTransport="true"
                  cacheDirectory="mdq-aai-dfn-de"
                  maxCacheDuration="3600" minCacheDuration="600"
                  baseUrl="https://mdq.aai.dfn.de">
           <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai-mdq.pem"/>
    </MetadataProvider>

IdPs from DFN-AAI Advanced only

(For the distinction between "Advanced" and "Basic", see the explanations of the degrees of reliance)

Important: for the filter below to work, the namespace xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" must be declared on the root element SPConfig of the file shibboleth2.xml.

/etc/shibboleth/shibboleth2.xml
    <MetadataProvider type="MDQ" id="dfn_aai_mdq_advanced_only" ignoreTransport="true"
                  cacheDirectory="mdq-aai-dfn-de"
                  maxCacheDuration="3600" minCacheDuration="600"
                  baseUrl="https://mdq.aai.dfn.de">
           <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai-mdq.pem"/>
           <MetadataFilter type="Include" matcher="EntityAttributes">
               <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                 <saml:AttributeValue>advanced</saml:AttributeValue>
               </saml:Attribute>
           </MetadataFilter>
    </MetadataProvider>
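As an added example (not code from the DFN-AAI page or from Shibboleth), the Python helpers below show what an MDQ client does behind the configurations above: build the per-entity request URL, compute a PEM fingerprint to compare with the one listed for dfn-aai-mdq.pem, check that an answer is a signed EntityDescriptor for the requested entityID, and read the degree-of-reliance entity attribute that the Include filter matches on. The sample metadata and entityID are constructed, and XML signature verification itself is left to the SignatureValidation/Signature filter.

```python
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
LOA_ATTR = "http://aai.dfn.de/loa/degree-of-reliance"  # attribute the Include filter matches on

def mdq_entity_url(base_url, entity_id):
    # MDQ protocol request: GET {base}/entities/{identifier}, entityID fully percent-encoded
    return f"{base_url.rstrip('/')}/entities/{urllib.parse.quote(entity_id, safe='')}"

def pem_sha256_fingerprint(pem):
    # Colon-separated SHA-256 of the DER bytes inside the PEM envelope (the form used on this page)
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def check_mdq_response(xml_text, expected_entity_id):
    # Structural checks on an MDQ answer; an empty list means it looks usable.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        # an EntitiesDescriptor here is what the IdP logs as "Document root was not an EntityDescriptor"
        return [f"root is {root.tag}, not EntityDescriptor"]
    problems = []
    if root.get("entityID") != expected_entity_id:
        problems.append("entityID does not match the requested identifier")
    if root.find(f"{{{DS}}}Signature") is None:
        problems.append("root element is not signed (requireSignedRoot would reject it)")
    return problems

def degree_of_reliance(xml_text):
    # Same lookup the SP's EntityAttributes matcher performs for the "advanced" filter
    root = ET.fromstring(xml_text)
    for attr in root.iterfind(f"{{{MD}}}Extensions/{{{MDATTR}}}EntityAttributes/{{{SAML}}}Attribute"):
        if attr.get("Name") == LOA_ATTR:
            value = attr.find(f"{{{SAML}}}AttributeValue")
            return value.text if value is not None else None
    return None

# Constructed sample response (not real DFN-AAI metadata); the signature element is only a placeholder.
SAMPLE_ENTITY_ID = "https://idp.example.org/idp/shibboleth"
SAMPLE_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:mdattr="{MDATTR}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" entityID="{SAMPLE_ENTITY_ID}">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{LOA_ATTR}"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>advanced</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""
```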

We are happy to document further filter options on request.


General:
If further 'static' MetadataProvider elements (e.g. FileBackedHTTPMetadataProvider) are defined in the metadata provider configuration, the MetadataProvider elements of type MDQ or DynamicHTTPMetadataProvider should be placed at the very end. Otherwise the IdP/SP performs a metadata query every time, even if the entity in question is already available from the static metadata.

Shibboleth IdP:
For unsuccessful metadata queries a warning appears in the log: Document root was not an EntityDescriptor: org.opensaml.saml.saml2.metadata.impl.EntitiesDescriptorImpl

Shibboleth SP < 3.2.0:
After every restart the SP log shows the misleading warning that the caching directory cannot be created. It already exists. See https://issues.shibboleth.net/jira/browse/SSPCPP-916

Please report any other errors to hotline@aai.dfn.de.
