The SAML Metadata Configuration Manager (MCM) is built as a Java Spring Boot application. It can be run as a standalone web application with Tomcat embedded in it. The same WAR file can be deployed into an external servlet container (for example, a standalone Tomcat). It can also be deployed using a Docker image. For Docker, the project also provides a full "testbed environment" that includes a database, an IdP, an LDAP server, etc.

Deployment Considerations

The primary consideration when choosing a deployment scenario is how the SAML metadata will be ingested by your identity provider. The default sharing method is retrieving metadata from the MDQ endpoint: http(s)://<your shibui host>/entities/<entity_ID>. This endpoint is open to the world and should be restricted at the network level so that it cannot be used as a DoS vector.

The SAML MCM can also be configured to write the individual metadata files out to a filesystem. These files are named following the convention used by the Shibboleth IdP's LocalDynamicMetadataProvider. You can then share these files with the IdP using any of the standard methods, such as a local filesystem, a networked filesystem like NFS, or a simple scheduled file transfer.
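When the files are copied to the IdP by NFS or a scheduled transfer, a misnamed or truncated file is silently never resolved. The following added example (not part of the MCM project) audits a metadata directory, assuming the LocalDynamicMetadataProvider's default naming of lowercase hex SHA-1 of the entityID plus `.xml`; the sample entity IDs and file names are constructed.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def expected_filename(entity_id: str) -> str:
    """Assumed default convention: hex SHA-1 of the entityID plus .xml."""
    return hashlib.sha1(entity_id.encode("utf-8")).hexdigest() + ".xml"


def audit_directory(directory: Path) -> dict:
    """Return {filename: problem} for files the IdP would not resolve."""
    problems = {}
    # Files are assumed to be written by the MCM itself, not untrusted input.
    for path in sorted(directory.glob("*.xml")):
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError as exc:
            problems[path.name] = f"not well-formed XML: {exc}"
            continue
        if root.tag != f"{{{MD_NS}}}EntityDescriptor":
            problems[path.name] = "root element is not md:EntityDescriptor"
            continue
        entity_id = root.get("entityID")
        if not entity_id:
            problems[path.name] = "missing entityID attribute"
        elif path.name != expected_filename(entity_id):
            problems[path.name] = f"expected {expected_filename(entity_id)}"
    return problems


def build_sample(directory: Path) -> None:
    """Constructed sample data: one correctly named file, one misnamed."""
    template = '<EntityDescriptor xmlns="{ns}" entityID="{eid}"/>'
    good = "https://sp.example.org/shibboleth"
    bad = "https://sp2.example.org/shibboleth"
    (directory / expected_filename(good)).write_text(template.format(ns=MD_NS, eid=good))
    (directory / "sp2.xml").write_text(template.format(ns=MD_NS, eid=bad))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for name, problem in audit_directory(Path(tmp)).items():
            print(f"{name}: {problem}")
```

Run against the shared directory on the IdP side after each transfer; an empty result means every file is well-formed and named so the provider can find it.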


  • The MCM requires a relational database for persistent storage. Out of the box you can run the application with an in-memory database to get familiar with it, but you will need a permanent data store in order to retain configurations.
  • Java
    • v1.18.0 - Java 11+
    • v2.0.0 - Java 17+



Deployment Examples

Demo Environment

Shibboleth IdP Integration

Tap Beacon Instrumentation
