This page documents an alternative way of refreshing the metadata and attribute filter files. The simpler approach recommended in the installation manual is to let the IdP itself manage the refreshes.
This implementation is based on an external script, fetch-xml.sh. The script downloads the XML file over an HTTPS connection, checks that the downloaded document is well-formed XML, optionally verifies the signature on it, and only if all checks pass replaces the existing file with a single "mv" (a rename within one filesystem is atomic, so the IdP never reads a partially written or rejected file).
The script takes three arguments: the remote URL, the local file name, and an email address to send any errors to (no email sent if everything goes well).
An optional extra step (documented below) is to install XmlSecTool to verify the signature. Without it, downloading over HTTPS and checking the XML structure still gives reasonable guarantees, but note the difference: TLS only authenticates the web server, whereas the signature check proves the file was published by the federation. If using XmlSecTool, the script takes a fourth argument, the certificate to check the signature with, and XmlSecTool must be found either in the PATH or via the XMLSECTOOL environment variable.
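The following is an added example of the fetch, validate and atomically-replace pipeline described above, written for this page; it is not the Tuakiri fetch-xml.sh script and does not reproduce it. The error email is modelled as a callback (the command-line entry point assumes a local "mail" command), and the XmlSecTool flags --verifySignature, --inFile and --certificate are assumed from XmlSecTool's command line; check them against the version you install. Under those assumptions it refuses plain-http URLs, rejects anything that is not well-formed XML (a truncated download or an HTML error page), never leaves a temp file behind on failure, and only ever swaps the file in with one rename:

```python
# Added example: fetch / validate / atomically-replace pipeline in the spirit of
# fetch-xml.sh. This is NOT the Tuakiri script; it follows the behaviour the page
# describes. XmlSecTool flags are assumed; the "mail" command in __main__ is assumed.
import os
import shutil
import ssl
import subprocess
import sys
import tempfile
import urllib.request
import xml.etree.ElementTree as ET


class FetchError(Exception):
    """Any failure that must leave the currently installed file untouched."""


def download(url, timeout=60):
    """Fetch over HTTPS only; the default SSL context verifies the server certificate."""
    if not url.lower().startswith("https://"):
        raise FetchError("refusing non-HTTPS URL: " + url)
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        if resp.status != 200:
            raise FetchError("HTTP %s for %s" % (resp.status, url))
        return resp.read()


def check_well_formed(data):
    """Reject what a real XML parser rejects: truncated files, HTML error pages, junk."""
    try:
        ET.fromstring(data)
    except ET.ParseError as exc:
        raise FetchError("not well-formed XML: %s" % exc) from exc


def find_xmlsectool():
    # Same lookup the page describes: XMLSECTOOL environment variable first, then PATH.
    return (os.environ.get("XMLSECTOOL") or shutil.which("xmlsectool.sh")
            or shutil.which("xmlsectool"))


def verify_signature(path, cert_path):
    """Run XmlSecTool on the temp file (flags assumed; see lead-in)."""
    tool = find_xmlsectool()
    if not tool:
        raise FetchError("XmlSecTool not found via $XMLSECTOOL or PATH")
    result = subprocess.run(
        [tool, "--verifySignature", "--inFile", path, "--certificate", cert_path],
        capture_output=True, text=True)
    if result.returncode != 0:
        raise FetchError("signature verification failed: " + result.stderr.strip())


def install_xml(data, dest, cert_path=None):
    """Validate data, then swap it into dest with one rename. True if dest changed."""
    check_well_formed(data)
    dest = os.path.abspath(dest)
    if os.path.exists(dest):
        with open(dest, "rb") as f:
            if f.read() == data:
                return False  # identical to what is installed; nothing to do
    # Temp file in the destination directory so the final rename stays on one filesystem.
    fd, tmp = tempfile.mkstemp(prefix=".fetch-xml-", dir=os.path.dirname(dest))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        if cert_path:
            verify_signature(tmp, cert_path)  # only after the file is complete on disk
        os.chmod(tmp, 0o644)
        os.replace(tmp, dest)  # atomic: readers see the old file or the new one, never a partial
        return True
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # never leave a rejected download next to the live file
        raise


def fetch_xml(url, dest, on_error, cert_path=None, fetcher=download):
    """One run of the pipeline. Returns "replaced", "unchanged" or "failed".

    on_error(message) stands in for the error email; it is only called on failure."""
    try:
        return "replaced" if install_xml(fetcher(url), dest, cert_path) else "unchanged"
    except (FetchError, OSError) as exc:  # OSError covers urllib.error.URLError too
        on_error("fetch of %s into %s failed: %s" % (url, dest, exc))
        return "failed"


if __name__ == "__main__":
    # Usage: fetch_xml.py URL LOCAL_FILE EMAIL [CERT_PEM]   (same argument order as the page)
    url, dest, addr = sys.argv[1:4]
    cert = sys.argv[4] if len(sys.argv) > 4 else None

    def mail_error(msg):  # assumes a local "mail" command exists
        subprocess.run(["mail", "-s", "fetch-xml error: " + dest, addr], input=msg, text=True)

    sys.exit(1 if fetch_xml(url, dest, mail_error, cert) == "failed" else 0)
```

The point of the design is that every check runs against a temporary file in the same directory, so the only operation that touches the live file is the final rename, and an unchanged download is detected before any write happens (useful when the cron job runs more often than the federation republishes).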
To deploy this solution without XmlSecTool:
- Download the fetch-xml.sh script into the IdP's bin directory and make it executable:
wget -O /opt/shibboleth-idp/bin/fetch-xml.sh https://github.com/REANNZ/Tuakiri-public/raw/master/scripts/fetch-xml.sh
chmod +x /opt/shibboleth-idp/bin/fetch-xml.sh
- Determine the URLs you will load the files (metadata and attribute filter) from and the locations you will put them in, the same as in the standard implementation above.
- Download the metadata signing certificate into the IdP credentials directory. This certificate is the trust anchor for signature verification, so confirm its fingerprint with the federation operator out of band rather than trusting the download alone:
wget http://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem -O $IDP_HOME/credentials/tuakiri-metadata-cert.pem
- Run fetch-xml.sh once to download the metadata:
/opt/shibboleth-idp/bin/fetch-xml.sh https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml /opt/shibboleth-idp/metadata/tuakiri-metadata-signed.xml email@example.com
- Run fetch-xml.sh once to download the attribute filter for your IdP (you have to request one to be published, the same as in the standard implementation above). Without XmlSecTool the HTTPS connection is the only integrity check, so use the https:// form of the URL for this file as well:
/opt/shibboleth-idp/bin/fetch-xml.sh http://directory.tuakiri.ac.nz/attribute-filter/institution.domain.ac.nz.xml /opt/shibboleth-idp/conf/tuakiri-attribute-filter.xml firstname.lastname@example.org
- Configure a 3.x IdP to load the Tuakiri metadata and attribute filter files:
For archival purposes, we also keep the original instructions for configuring the Tuakiri metadata and attribute filter on a 2.x IdP; unfold the box below to see the IdP 2.x compatible syntax:
Legacy IdP 2.x syntax for loading metadata and attribute filter
Optional: configure the fetch-xml.sh cron jobs to use XmlSecTool to verify the signature: