
List:       shibboleth-users
Subject:    Re: importing SP metadata
From:       Christopher Bongaarts <cab () umn ! edu>
Date:       2012-10-23 18:21:41
Message-ID: 5086E035.9030909 () umn ! edu

On 10/23/2012 1:13 PM, Michael A Grady wrote:
> The SP now has the feature of having a "metadata directory" where one
> can manage separate files. The IdP doesn't have this yet. One idea
> I've suggested to some in the past is to manage each file separately
> in such a directory, but have a script program that runs regularly
> and aggregates all those individual files into a single "partners
> metadata file", with just that latter listed in the relying-party.xml
> file (or similar file on the SP). That script can either test each
> individual file, or just the aggregated file, against the metadata
> schema for validity before copying into either the versioning
> repository or the production copy of the file. That script would wrap
> the individual files with the EntitiesDescriptor element when writing
> out the aggregated file. Such is easy to do with any scripting
> language; I wrote a sample in Perl.

This is essentially what we do, except that we have a per-SP (or per-SP 
group) directory that holds both a metadata file (if not already 
provided via InCommon) and an attribute filter chunk.  We build both a 
partners-metadata.xml file and the attribute-filter.xml file based on 
those.  This function lives on our distribution server, which pushes out 
the updated files to all of the actual Shib servers.

The upside of this setup is it keeps (most of) the configs for an SP 
together, and lets us use our distribution system's configuration 
version control setup.  The downside is that it requires us to handle 
all metadata updates.  Eventually we hope to set up some sort of 
self-service metadata maintenance site, at least for local campus SPs.
-- 
%%  Christopher A. Bongaarts   %%  cab@umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
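
The aggregation step described in the quoted message, as an added example that is not code from either poster (it is not the Perl sample mentioned above). It assumes a flat directory of `*.xml` files, each holding one `EntityDescriptor`, and it checks well-formedness, root element and duplicate entityIDs only; full schema validation against the SAML metadata XSD is not done here.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)


def load_entity(path):
    """Parse one per-SP file and return its EntityDescriptor, or raise ValueError."""
    with open(path, "rb") as fh:
        raw = fh.read()
    # Metadata has no need for DTDs; refuse them rather than let the parser expand entities.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError(f"{path}: DTD/entity declarations are not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"{path}: not well-formed: {exc}") from exc
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"{path}: root element is not md:EntityDescriptor")
    if not root.get("entityID"):
        raise ValueError(f"{path}: missing entityID")
    return root


def aggregate(src_dir, out_path, name="partners"):
    """Wrap every *.xml file in src_dir in one EntitiesDescriptor written to out_path."""
    wrapper = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor", {"Name": name})
    seen = {}  # entityID -> file that defined it
    for fname in sorted(os.listdir(src_dir)):
        if not fname.endswith(".xml"):
            continue
        entity = load_entity(os.path.join(src_dir, fname))
        eid = entity.get("entityID")
        if eid in seen:
            raise ValueError(f"{fname}: entityID {eid} already defined in {seen[eid]}")
        seen[eid] = fname
        wrapper.append(entity)
    if not seen:
        raise ValueError("no metadata files found; refusing to write an empty aggregate")
    # Write beside the target and rename, so a failed run never leaves a
    # truncated file where the IdP expects valid metadata.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(out_path) or ".", suffix=".tmp")
    with os.fdopen(fd, "wb") as fh:
        ET.ElementTree(wrapper).write(fh, encoding="utf-8", xml_declaration=True)
    os.replace(tmp, out_path)
    return sorted(seen)
```

ElementTree re-serializes each entity and rewrites namespace prefixes, so any XML signature embedded in an individual file will no longer verify after aggregation; feed it unsigned per-SP files.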