The SAML MCM can be configured to manage Shibboleth IdP metadata providers. The primary use case for this is to add remote metadata sources. Local metadata files are best managed through the SAML MCM Metadata Sources interface.
There are two methods that can be used to provide the configuration file for ingestion by the Shibboleth IdP.
1. The file can be retrieved via an API endpoint. A typical use case for this method is a deployment pipeline retrieving the file and overlaying it into the Shibboleth IdP instance.
http(s)://<your shibui host>/api/MetadataResolvers
2. The configuration file can be periodically written to disk. A typical use case for this method is to configure the Shibboleth IdP to periodically reload the providers using the MetadataReload endpoint. The output path is set with the target property, in either YAML or properties form:

shibui:
  metadataProviders:
    target: file:/opt/shibboleth-idp/conf/dynamic/metadata-providers.xml

shibui.metadataProviders.target = file:/opt/shibboleth-idp/conf/dynamic/metadata-providers.xml
By default the file will be written every 30 seconds. You can change the time period in milliseconds with the taskRunRate property:
shibui:
  metadataProviders:
    taskRunRate: 3000

shibui.metadataProviders.taskRunRate = 3000
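As an added example for method 1 (this is not SAML MCM or Shibboleth project code), a pipeline step that overlays a file retrieved from the MetadataResolvers endpoint into the IdP only after it passes basic validation and then replaces the target atomically, so a failed or empty fetch never clobbers a working metadata-providers.xml. It assumes curl is available, that the MCM endpoint is reachable without authentication details shown here, and that the destination is the dynamic path configured in services.xml.

```shell
#!/bin/sh
# Added example (not SAML MCM or Shibboleth project code): overlay a fetched
# MetadataResolvers file into the IdP only after validation, replacing the
# target atomically. Assumed: curl is installed; DEST is the path listed in
# services.xml (e.g. /opt/shibboleth-idp/conf/dynamic/metadata-providers.xml).

# fetch_providers URL DEST: download the MCM-generated file.
# Authentication to the MCM API is deployment-specific and not shown.
fetch_providers() {
  curl -fsS --max-time 30 -o "$2" "$1"
}

# validate_providers FILE: reject empty files, malformed XML (when xmllint
# is installed) and files without any MetadataProvider element.
validate_providers() {
  [ -s "$1" ] || return 1
  if command -v xmllint >/dev/null 2>&1; then
    xmllint --noout "$1" 2>/dev/null || return 1
  fi
  grep -q '<MetadataProvider' "$1"
}

# install_providers SRC DEST: validate SRC, skip if DEST already has the same
# content, else copy to a temp file and rename so the IdP never reads a
# half-written file. Returns 0 installed, 2 unchanged, 1 rejected (DEST kept).
install_providers() {
  validate_providers "$1" || return 1
  if [ -f "$2" ] && cmp -s "$1" "$2"; then
    return 2
  fi
  tmp="$2.tmp.$$"
  cp "$1" "$tmp" && chmod 0640 "$tmp" && mv -f "$tmp" "$2"
}

# write_sample FILE: constructed stand-in for an MCM-generated file, so the
# steps can be exercised without a running MCM or IdP.
write_sample() {
  cat > "$1" <<'EOF'
<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
    xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <MetadataProvider id="ExampleRemote" xsi:type="FileBackedHTTPMetadataProvider"
      metadataURL="https://example.org/metadata.xml"
      backingFile="/opt/shibboleth-idp/metadata/example.xml"/>
</MetadataProvider>
EOF
}
```

In a real pipeline the sequence is `fetch_providers 'https://<your shibui host>/api/MetadataResolvers' /tmp/fetched.xml` followed by `install_providers /tmp/fetched.xml /opt/shibboleth-idp/conf/dynamic/metadata-providers.xml`, with a non-zero exit failing the deployment rather than the IdP.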
Deployment Considerations
The examples show the SAML MCM writing the metadata-providers.xml file to a location outside of the typical Shibboleth IdP configuration directory. This keeps the MCM's version of the file separate from the IdP's own version. The separation is a matter of choice; it was chosen here primarily to highlight that the SAML MCM can be an entirely separate entity from the IdP.
Shibboleth IdP Configuration
When using a SAML MCM-generated metadata-providers.xml that is distinct from the IdP's own, you can tell Shibboleth to load it via conf/services.xml.
Add the file location as a value to the shibboleth.MetadataResolverResources list:
<util:list id="shibboleth.MetadataResolverResources">
    <value>%{idp.home}/conf/metadata-providers.xml</value>
    <!-- Use the same %{...} placeholder syntax as the existing entry so the path resolves -->
    <value>%{idp.home}/conf/dynamic/metadata-providers.xml</value>
</util:list>