This is documentation for the Preview MDQ environment
The information on this page is for the Preview environment of the MDQ Service. For production configuration instructions, see Configure Shibboleth service provider.
Additional Note: The public key and its certificate for the Preview environment of the MDQ service may change with little notice. The production version of the public key and its certificate are long-lived and stable.
This example configures a Shibboleth SP to use the Technology Preview of the InCommon Per-Entity Metadata Distribution Service for all entities. The SP will query the service when it needs metadata for a specific IdP, and will cache the result. Note that Shibboleth SP v3 introduces a specific MDQ metadata provider which allows for slightly simpler configuration. We recommend that you enable a metadata cache duration of at least one hour, but no longer than one day, in your Shibboleth SP. In both examples, we set the minimum cache duration to one minute and the maximum cache duration to one day. A short minimum cache duration is recommended in order to prevent failed lookups from being cached for an extended period of time. Note that Shibboleth does not refresh at the minimum cache duration value, so it is okay to have a low minimum cache duration set.
If you have more than one metadata provider, you will want to put the InCommon Per-Entity Metadata Distribution Service after any statically configured metadata providers. If you do not do this, Shibboleth will try to fetch your static entities from InCommon each time they are requested before falling back to your static metadata providers.
SP V2 Example
<!-- InCommon Per-Entity Metadata Distribution Service -->
<MetadataProvider type="Dynamic" ignoreTransport="true" maxCacheDuration="86400" minCacheDuration="60">
    <Subst>https://mdq-preview.incommon.org/entities/$entityID</Subst>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
    <MetadataFilter type="Signature" certificate="incommon-mdq.pem"/>
</MetadataProvider>
Information on the Shibboleth SPv2 Dynamic Metadata Provider is available here.
You will need at least Shibboleth SP v2.1 to specify a maximum cache duration and Shibboleth SP v2.4 to specify a minimum cache duration. You should consider upgrading to Shibboleth SP V3 as soon as possible, as version 2 is end of life.
SP V3 Example
<!-- InCommon Per-Entity Metadata Distribution Service -->
<MetadataProvider type="MDQ" id="incommon" ignoreTransport="true" cacheDirectory="inc-mdq-cache"
                  maxCacheDuration="86400" minCacheDuration="60"
                  baseUrl="https://mdq-preview.incommon.org/">
    <MetadataFilter type="Signature" certificate="incommon-mdq.pem"/>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
</MetadataProvider>
Information on the Shibboleth SPv3 MDQ Metadata Provider is available here.
In either case, you will need to get the new signing key certificate here: Metadata signing key for the Preview environment. In this case the certificate was downloaded and placed into the credentials folder of the IdP and named incommon-mdq.pem.
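The configuration above leaves three things to the metadata provider at lookup time: building the per-entity request URL from the entityID, applying the RequireValidUntil filter with a 14-day (1209600 s) ceiling, and clamping the metadata's own cacheDuration into the [60 s, 86400 s] window. The following added example walks through those three steps offline so you can see what a response must look like to be accepted; it is not Shibboleth or InCommon code. The URL form (percent-encoded entityID, or the {sha1} transformed identifier, under /entities/) follows the MDQ protocol; the assumption that a missing cacheDuration falls back to maxCacheDuration, the entityID, and the timestamps in the sample metadata are all constructed for illustration. Signature verification against incommon-mdq.pem is not modelled here.

```python
"""Offline walk-through of what an MDQ-backed metadata provider does with a
per-entity response: build the query URL, enforce RequireValidUntil, and
clamp the cache lifetime to [minCacheDuration, maxCacheDuration].

Added example, not Shibboleth or InCommon code. Sample metadata, entityID and
timestamps are constructed; the "missing cacheDuration => max" rule is assumed.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, Tuple
from urllib.parse import quote

# Values taken from the SP configuration on this page (seconds).
MIN_CACHE_DURATION = 60
MAX_CACHE_DURATION = 86400
MAX_VALIDITY_INTERVAL = 1209600  # 14 days

BASE_URL = "https://mdq-preview.incommon.org/"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def mdq_url(base_url: str, entity_id: str, use_sha1: bool = False) -> str:
    """Return the per-entity request URL for an entityID.

    The identifier is a single percent-encoded path segment; the optional
    {sha1} form sends the lowercase hex SHA-1 of the entityID instead.
    """
    if use_sha1:
        ident = "{sha1}" + hashlib.sha1(entity_id.encode()).hexdigest()
    else:
        ident = quote(entity_id, safe="")
    return base_url.rstrip("/") + "/entities/" + ident


def parse_duration(value: str) -> int:
    """Parse an ISO 8601 duration of the form P[nD]T[nH][nM][nS] into seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def effective_cache_seconds(cache_duration: Optional[str],
                            min_cache: int = MIN_CACHE_DURATION,
                            max_cache: int = MAX_CACHE_DURATION) -> int:
    """Clamp the metadata's own cacheDuration into [min_cache, max_cache].
    A response without cacheDuration is assumed to use the maximum."""
    seconds = parse_duration(cache_duration) if cache_duration else max_cache
    return max(min_cache, min(max_cache, seconds))


def check_valid_until(xml_text: str, now: datetime,
                      max_interval: int = MAX_VALIDITY_INTERVAL) -> Tuple[bool, str]:
    """Apply the RequireValidUntil rule: the root md:EntityDescriptor must carry
    validUntil, it must lie in the future, and it must be no more than
    max_interval seconds away (1209600 s on this page)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return False, "root is not an md:EntityDescriptor"
    valid_until = root.get("validUntil")
    if valid_until is None:
        return False, "validUntil missing"
    expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    if expires <= now:
        return False, "metadata already expired"
    if (expires - now).total_seconds() > max_interval:
        return False, "validUntil exceeds maxValidityInterval"
    return True, "ok"


def evaluate(xml_text: str, now: datetime) -> dict:
    """Run the URL, validity and cache steps and report what the SP would do."""
    accepted, reason = check_valid_until(xml_text, now)
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    return {
        "entity_id": entity_id,
        "url": mdq_url(BASE_URL, entity_id),
        "accepted": accepted,
        "reason": reason,
        "cache_seconds": effective_cache_seconds(root.get("cacheDuration")),
    }


# Constructed "now" and sample response; the IdP and its dates are made up.
NOW = datetime(2024, 3, 28, 10, 0, tzinfo=timezone.utc)
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://idp.example.edu/idp/shibboleth"
    validUntil="2024-04-04T10:00:00Z" cacheDuration="PT6H">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_METADATA, NOW).items():
        print(f"{key}: {value}")
```

Run it as-is to see the constructed response accepted with a 6-hour cache; swap in a response whose validUntil is more than 14 days out, or one with no validUntil at all, to see the RequireValidUntil rejection the SP would apply. Note how a cacheDuration of a few seconds is raised to the 60 s floor while a multi-day one is cut to the 86400 s ceiling, which is exactly the behaviour the min/max settings above are there to guarantee.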