Andreas Åkre Solberg
committed
Automated Metadata Management
=============================
<!--
This file is written in Markdown syntax.
For more information about how to use the Markdown syntax, read here:
http://daringfireball.net/projects/markdown/syntax
-->
* Version: `$Id$`
Introduction
------------
If you want to connect an Identity Provider or a Service Provider to a **federation**, you need to set up metadata for the entities that you trust. In many federations, in particular federations based upon the Shibboleth software, it is normal to set up automated distributed metadata using the SAML 2.0 Metadata XML format.

Some central administration or authority provides a URL with a SAML 2.0 document including metadata for all entities in the federation.

This document explains how to set up automated downloading and parsing of a metadata document on a specific URL.
Preparations
------------
You need to enable the following modules:

1. cron
2. metarefresh

The cron module allows you to run tasks regularly, by setting up a cron job that calls a hook in simpleSAMLphp.

The metarefresh module will download and parse the metadata document and store it in cached local metadata files.

You also need to copy the `config-templates` files from the two modules above into the global `config/` directory.
Testing to parse the metadata document
--------------------------------------
We'll use the SWITCH AAI Test Federation as an example in this document. This federation provides metadata on this URL:

http://metadata.aai.switch.ch/metadata.aaitest.xml

I recommend first testing on the command line that the metadata URL parses:

    cd modules/metarefresh/bin
    ./metarefresh.php -s http://metadata.aai.switch.ch/metadata.aaitest.xml

We use the `-s` option to send output to the console (for testing purposes). If the output makes sense, continue. If you get a lot of error messages, send an e-mail to the simpleSAMLphp list and ask for advice.
Below is the documentation provided by Nuno Gonçalves <nuno@fccn.pt>
    [root@simplesamlphp] cd /var/simplesamlphp/modules/cron
    [root@simplesamlphp cron] touch enable
    [root@simplesamlphp cron] cp config-templates/*.php ../../config/

At `/var/simplesamlphp/config`:

    [root@simplesamlphp-teste config]# vi module_cron.php

edit:

    $config = array (
        'key' => 'kb10fu2sao',
        'allowed_tags' => array('daily', 'hourly', 'frequent'),
        'debug_message' => TRUE,
        'sendemail' => TRUE,
    );

Then, with your browser, go to https://simplesamlphp_machine/simplesaml/module.php/cron/croninfo.php and copy the cron suggestion:
    -------------------------------------------------------------------------------------------------------------------
    Cron is a way to run things regularly on unix systems.
    Here is a suggestion for a crontab file:

    # Run cron [daily]
    02 0 * * * curl --silent "https://simplesamlphp-teste.fccn.pt/simplesaml/module.php/cron/cron.php?key=kb10fu2sao&tag=daily" > /dev/null 2>&1
    # Run cron [hourly]
    01 * * * * curl --silent "https://simplesamlphp-teste.fccn.pt/simplesaml/module.php/cron/cron.php?key=kb10fu2sao&tag=hourly" > /dev/null 2>&1
    # Run cron [frequent]
    XXXXXXXXXX curl --silent "https://simplesamlphp-teste.fccn.pt/simplesaml/module.php/cron/cron.php?key=kb10fu2sao&tag=frequent" > /dev/null 2>&1

    Click here to run the cron jobs:
    Run cron [daily]
    Run cron [hourly]
    Run cron [frequent]
    -------------------------------------------------------------------------------------------------------------------
Add it to cron with:

    [root@simplesamlphp config]# crontab -e
Errors
------
Problem with the sanitycheck module

When executing [Run cron [daily]] an error shows up.

Cause: the sanitycheck module is active by default (`/var/simplesamlphp/modules/sanitycheck/default-enable`).

* When the daily cron runs, it looks up all active modules and executes the cron hook of each one of them, located at `/var/simplesamlphp/modules/<module_name>/hooks/hook_cron.php`.
* Meanwhile it expects that each module's config file exists in the folder `/var/simplesamlphp/config/config-<module_name>.php`.
* One should have existed for the sanitycheck module (`config-sanitycheck.php`), but it wasn't there and therefore the error showed up.
* The error in this module aborted execution for the remaining active modules.
ENABLE MODULE METAREFRESH
-------------------------
* Enable the metarefresh module

At `/var/simplesamlphp/modules/metarefresh`:

    [root@simplesamlphp metarefresh] touch enable
    [root@simplesamlphp metarefresh] cp config-templates/*.php ../../config/

At `/var/simplesamlphp/config/`:

    [root@simplesamlphp config]# vi config-metarefresh.php

edit:

    $config = array(
        'sets' => array(
            'federation_name' => array(
                'cron' => array('hourly'),
                'sources' => array(
                    array(
                        'src' => 'http://metadata_server/Federation_metadata_file.xml',
                    ),
                ),
                'maxCache' => 60*60*24*4,     // Maximum 4 days cache time.
                'maxDuration' => 60*60*24*10, // Maximum 10 days duration on ValidUntil.
                'outputDir' => 'metadata/federation_name/',
            ),
        ),
    );
TEMPLATE FILE: `/var/simplesamlphp/modules/metarefresh/config-templates/config-metarefresh.php`

    $config = array(
        'kalmar' => array(
            'cron' => array('hourly'),
            'sources' => array(
                array(
                    'src' => 'https://aitta.funet.fi/haka/haka_test_metadata_signed.xml',
                    'certFingerprint' => '22:1D:EA:E3:2C:EB:A3:2D:78:72:B6:F4:E9:52:F6:23:31:5A:A5:3D',
                    'template' => array(
                        'tags' => array('kalmar'),
                    ),
                ),
            ),
            'maxCache' => 60*60*24*4,     // Maximum 4 days cache time.
            'maxDuration' => 60*60*24*10, // Maximum 10 days duration on ValidUntil.
            'outputDir' => 'metadata/metadata-kalmar-consuming/',
        ),
    );
Open questions about the `sources` element: is `certFingerprint` for signed metadata? What is the `template` `tags` variable for?
* Add write permissions for apache to `outputDir`.

Then configure your simpleSAMLphp installation to use the generated metadata. In `config.php`:

    'metadata.sources' => array(
        array('type' => 'flatfile'),
        array('type' => 'flatfile', 'directory' => 'metadata/federation'),
    ),
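The `certFingerprint` and `maxDuration` options above are the two trust controls on a downloaded aggregate: the first pins the certificate the document must be signed with, the second caps how long the local copy stays valid. The following Python script is an added example, not simpleSAMLphp's own code, that shows both checks on a constructed (not real) metadata document; the fingerprint format (SHA-1 over the DER certificate, colon-separated hex, compared case- and colon-insensitively) and the validUntil cap are assumptions about how metarefresh treats these options.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample aggregate: not real federation metadata. The X509Certificate
# content is arbitrary base64 bytes standing in for a DER-encoded certificate.
SAMPLE_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2024-01-20T00:00:00Z">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>Tm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</EntitiesDescriptor>"""

def cert_fingerprint(cert_b64):
    """SHA-1 over the DER bytes, written AA:BB:... like the certFingerprint option."""
    der = base64.b64decode("".join(cert_b64.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def fingerprint_matches(cert_b64, expected):
    """Compare ignoring case and colon separators so a hand-typed value still matches."""
    norm = lambda s: s.replace(":", "").lower()
    return norm(cert_fingerprint(cert_b64)) == norm(expected)

def signing_cert(xml_text):
    """Return the base64 certificate carried in the document's Signature, if any."""
    el = ET.fromstring(xml_text).find(f".//{{{DS_NS}}}X509Certificate")
    return "".join(el.text.split()) if el is not None and el.text else None

def entity_ids(xml_text):
    """List every entityID the aggregate would add to the local trust store."""
    root = ET.fromstring(xml_text)
    return [e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")]

def effective_valid_until(xml_text, fetched_at, max_duration):
    """Apply the maxDuration rule (assumed): trust the document no longer than
    max_duration seconds after fetch time, even if the source validUntil is later."""
    fetched = datetime.strptime(fetched_at, TIME_FMT).replace(tzinfo=timezone.utc)
    cap = fetched + timedelta(seconds=max_duration)
    src = ET.fromstring(xml_text).get("validUntil")
    if src is not None:
        cap = min(cap, datetime.strptime(src, TIME_FMT).replace(tzinfo=timezone.utc))
    return cap.strftime(TIME_FMT)
```

Run `entity_ids` and `effective_valid_until` against a freshly downloaded aggregate before pointing `config-metarefresh.php` at it, and compare `cert_fingerprint(signing_cert(doc))` with the value the federation publishes out of band.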