Metadata Client

...

Software

This page (and its child pages) show how to configure specific metadata clients. For more general configuration guidance, see the Metadata Consumption wiki page.

There are three metadata clients that meet the basic requirements of a SAML deployment in the InCommon Federation:

  1. Shibboleth
  2. simpleSAMLphp
  3. Microsoft AD FS + pysFEMMA

Shibboleth and simpleSAMLphp are open-source implementations of the SAML Web Browser SSO Profile, and both of them will automatically download and verify signed metadata without having to rely on any other tools. Instructions on how to configure Shibboleth or how to configure simpleSAMLphp for metadata consumption are provided elsewhere in this wiki. If you know of other SAML implementations that support SAML metadata, please let us know so we can document that capability here.

Although Microsoft AD FS is not able to directly consume the InCommon metadata aggregate, there are a couple of third-party tools that can help. We recommend a third-party tool called pysFEMMA for this purpose. Details about using pysFEMMA with Microsoft AD FS are documented elsewhere in this wiki.

Regardless of your software implementation, however, you can always set up a custom cron job to refresh metadata, but in that case you will need additional tools to verify the XML signature at the time of refresh and to check the validUntil attribute, as described on the Metadata Consumption wiki page. Participants are encouraged to share such tools and scripts for the benefit of the community.
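The two checks a custom refresh job must perform, as an added example that is not part of this wiki: the validUntil window check is done in Python, and the XML signature is verified by shelling out to xmlsec1 with the federation signing certificate pinned locally. The metadata and certificate paths, the MAX_VALIDITY policy and the embedded sample aggregate are assumptions for illustration, not InCommon-published values.

```python
#!/usr/bin/env python3
"""Post-download checks for a cron-driven metadata refresh (added example)."""
import subprocess
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Reject a validUntil further out than this: an aggregate claiming to be valid
# for months would let a stale or replayed copy be trusted far too long.
MAX_VALIDITY = timedelta(days=21)  # assumed local policy, not an InCommon value

# Constructed sample aggregate (unsigned, signature is checked separately below).
SAMPLE = (b'<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          b'validUntil="2012-01-28T20:16:41Z"/>')


def check_valid_until(xml_bytes, now):
    """Check validUntil on the root EntitiesDescriptor against `now` (aware UTC).

    Returns (ok, reason). Timestamps are expected in the xsd:dateTime UTC form
    used in federation metadata, e.g. 2012-01-28T20:16:41Z.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntitiesDescriptor" % MD_NS:
        return False, "root element is not md:EntitiesDescriptor"
    raw = root.get("validUntil")
    if raw is None:
        return False, "validUntil attribute missing on root element"
    try:
        valid_until = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "unparseable validUntil: %s" % raw
    if valid_until <= now:
        return False, "metadata expired at %s" % raw
    if valid_until - now > MAX_VALIDITY:
        return False, "validUntil %s exceeds the allowed validity window" % raw
    return True, "valid until %s" % raw


def verify_signature(md_path, cert_path):
    """Verify the enveloped XML signature with xmlsec1 against the pinned cert.

    --id-attr:ID tells xmlsec1 that ID on md:EntitiesDescriptor is the attribute
    referenced by the signature's URI fragment, otherwise the reference fails.
    """
    cmd = ["xmlsec1", "--verify", "--pubkey-cert-pem", cert_path,
           "--id-attr:ID", MD_NS + ":EntitiesDescriptor", md_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


if __name__ == "__main__":  # usage: refresh_check.py InCommon-metadata.xml inc-md-cert.pem
    md_file, cert_file = sys.argv[1], sys.argv[2]
    ok, why = check_valid_until(open(md_file, "rb").read(), datetime.now(timezone.utc))
    print(why)
    sys.exit(0 if ok and verify_signature(md_file, cert_file) else 1)
```

Run the signature check before anything consumes the file; a non-zero exit from the script should leave the previously verified copy in place rather than overwrite it.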

Firewall Configuration

Depending on your environment, you may have to poke a hole in an outbound firewall to allow your metadata client to reach the metadata server. In that case, you will actually want to poke two holes in that firewall since there are two metadata servers as described below.

Hostname wayf.incommonfederation.org resolves to one of two identical servers, either in Michigan (207.75.165.125) or Indiana (140.182.44.53). The actual server used at any given point in time is unspecified and left to the discretion of InCommon Operations. If one of the servers goes down or requires maintenance, the other can be brought up within minutes, with minimal disruption of services.

Therefore, please make sure both your SAML implementation and your metadata refresh processes are configured with hostname wayf.incommonfederation.org (as opposed to an IP address). On the other hand, make sure your outbound firewall (if any) is configured with both IP addresses (207.75.165.125 and 140.182.44.53).