- Created by Albert Wu (internet2.edu), last modified on Nov 11, 2020
Query instead of "download"
The new InCommon Metadata Distribution Service is based on the Metadata Query (MDQ) protocol. It eliminates the need for a metadata consumer to download the entire metadata aggregate. It significantly reduces system resource overhead and startup time.
There is no more need to download the entire metadata aggregate.
To retrieve metadata using the MDQ-based Metadata Service, visit the new InCommon Metadata Service Wiki.
Simulating the legacy style metadata aggregate
See Retrieving metadata aggregate with MDQ.
If you previously (before 2020) downloaded the InCommon metadata aggregate and cannot switch over to querying individual entities using the MDQ protocol, the new Metadata Service provides an aggregate endpoint to simulate the legacy InCommon metadata aggregate. The aggregate endpoint is:
https://mdq.incommon.org/entities
IMPORTANT: The new InCommon Metadata Service has a different signing key from the legacy service. If you had configured your service with the legacy key, make sure to update the metadata signing key. See "Obtain an authentic copy of the InCommon metadata signing certificate."
Retrieving the IdP-only aggregate
See Retrieving metadata aggregate with MDQ.
InCommon produces a metadata aggregate containing only IdP entities. It enables discovery services to retrieve and cache the list of identity providers for display purposes.
The InCommon IdP-only aggregate endpoint is:
https://mdq.incommon.org/entities/idps/all
About the Export-only aggregate
InCommon produces an export-only aggregate to support inter-federation through the eduGAIN global R&E inter-federation. To learn more, see the Export-only metadata aggregate topic.
About the "Fallback" aggregate
See Using the fallback aggregate.
Verifying the metadata signature
To ensure you are retrieving the properly vetted metadata from InCommon, you should always verify the signature on metadata according to the instructions. Do not depend solely on HTTPS encryption for the security of your metadata downloads. To learn more, see Best practices when consuming InCommon metadata.
The InCommon metadata is signed using the same metadata signing key and the SHA-256 digest algorithm. To verify the signature on an aggregate, a consumer must obtain an authentic copy of the InCommon metadata signing certificate.
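The following is an added example, not InCommon's own code: a structural pre-check a consumer can run on retrieved metadata before cryptographic verification against the authentic signing certificate. It confirms that the single signature covers the document root and uses the SHA-256 digest; it does not replace cryptographic verification. The function name, the sample document and the RSA-SHA256 signature method URI are assumptions.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"  # digest named on this page
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # assumed signature method

def q(tag):
    """Qualify a tag name with the XML Signature namespace."""
    return f"{{{DS}}}{tag}"

def precheck_signature(xml_text):
    """Return a list of structural problems; an empty list means the document
    may be handed to the cryptographic verifier."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(q("Signature"))  # direct children of the root only
    if len(sigs) != 1:
        return [f"expected one ds:Signature under the root, found {len(sigs)}"]
    signed_info = sigs[0].find(q("SignedInfo"))
    if signed_info is None:
        return ["ds:Signature has no ds:SignedInfo"]
    problems = []
    method = signed_info.find(q("SignatureMethod"))
    if method is None or method.get("Algorithm") != RSA_SHA256:
        problems.append("signature method is not RSA-SHA256")
    refs = signed_info.findall(q("Reference"))
    if len(refs) != 1:
        return problems + [f"expected one ds:Reference, found {len(refs)}"]
    # The signature must cover the whole document: URI is "" or "#<root ID>".
    allowed = {""} | ({"#" + root.get("ID")} if root.get("ID") else set())
    if refs[0].get("URI") not in allowed:
        problems.append("ds:Reference does not cover the root element")
    digest = refs[0].find(q("DigestMethod"))
    if digest is None or digest.get("Algorithm") != SHA256_DIGEST:
        problems.append("digest method is not SHA-256")
    return problems

# Constructed, trimmed sample (no digest or signature values); not real InCommon metadata.
SAMPLE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="{root_id}">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI="{uri}"><ds:DigestMethod Algorithm="{digest}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</EntitiesDescriptor>"""

if __name__ == "__main__":
    good = SAMPLE.format(root_id="agg1", sig_alg=RSA_SHA256, uri="#agg1", digest=SHA256_DIGEST)
    bad = SAMPLE.format(root_id="agg1", sig_alg=RSA_SHA256, uri="#other", digest=DS + "sha1")
    print(precheck_signature(good))
    print(precheck_signature(bad))
```

A document that passes this check still has to be verified cryptographically with the signing certificate obtained out of band.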
Retrieving Preview metadata
The "preview" MDQ Service environment allows you to validate your service against upcoming changes to the MDQ Service.
See:
- Locating the preview metadata
- Configure Shibboleth IdP for Preview MDQ environment
- Prefetch an entity with Shibboleth in the Preview MDQ environment
- Configure other software
- Metadata signing key for the Preview environment