- This line was added.
- This line was removed.
- Formatting was changed.
The information on this page is for the Preview environment of the MDQ Service. For production configuration instruction, see configure-shib-sp.
Additional Note: The public key and its certificate for the Preview environment of the MDQ service may change with little notice. The production version of the public key and its certificate are long-lived and stable.
This example configures a Shibboleth SP to use the Technology Preview of the InCommon Per-Entity Metadata Distribution Service for all entities. The SP will query the service when it needs metadata for a specific IdP, and will cache the result. Note that Shibboleth SP v3 introduces a specific MDQ metadata provider which allows for slightly simpler configuration. We recommend that you enable a metadata cache duration of at least one hour, but no longer than one day, in your Shibboleth SP. In both examples, we set the minimum cache duration to one minute and the maximum cache duration to one day. A short minimum cache duration is recommended in order to prevent failed lookups from being cached for an extended period of time. Note that Shibboleth does not refresh at the minimum cache duration value, so it is okay to have a low minimum cache duration set.
If you have more than one metadata provider, you will want to put the InCommon Per-Entity Metadata Distribution Service after any statically configured metadata providers. If you do not do this, Shibboleth will try to fetch your static entities from InCommon each time it is requested before falling back to your static metadata providers.
SP V2 Example
<!-- InCommon Per-Entity Metadata Distribution Service --><MetadataProvider type="Dynamic" ignoreTransport="true" maxCacheDuration="86400" minCacheDuration="60"><Subst>https://mdq-preview.incommon.org/entities/$entityID</Subst><MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/><MetadataFilter type="Signature" certificate="incommon-mdq.pem"/></MetadataProvider>
Information on the Shibboleth SPv2 Dynamic Metadata Provider is available here.
You will need at least Shibboleth SP v2.1 to specify a maximum Cache Duration and Shibboleth SP v2.4 to specify a minimum cache duration. You should consider upgrading to Shibboleth SP V3 as soon as possible as version 2 is end of life.
SP V3 Example
<!-- InCommon Per-Entity Metadata Distribution Service --><MetadataProvider type="MDQ" id="incommon" ignoreTransport="true" cacheDirectory="inc-mdq-cache"maxCacheDuration="86400" minCacheDuration="60"baseUrl="https://mdq-preview.incommon.org/"><MetadataFilter type="Signature" certificate="incommon-mdq.pem"/><MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/></MetadataProvider>
Information on the Shibboleth SPv3 MDQ Metadata Provider is available here.
In either case, you will need to get the new signing key certificate here: preview-metadata-signing-key. In this case the certificate was downloaded and placed into the credentials folder of the IdP and named incommon-mdq.pem.
|Content by Label|
Can't find what you are looking for?