Automated Metadata Management (AMM)


Version 1, about 2 years ago, by henrikau

Once the number of IdPs grows, keeping their metadata up to date by hand becomes next to impossible. This is why SimpleSAMLphp provides a mechanism for doing it automatically.

This guide is in no way comprehensive; for the complete reference, visit the simplesamlphp-wiki.

Setting up shop

The goal of this guide is to help you set up a cron-job that periodically contacts the Metadata Management Endpoint at an SP running SimpleSAMLphp.

You should also disable all the sanity-checks for the module. I’m still not able to figure out why (not that I try very hard anymore), but if you allow the sanity-check to run, you won’t be running AMM. Navigate to your SimpleSAMLphp installation directory and run the following:

touch modules/sanitycheck/disable

Once this has been done, enable cron and metarefresh and copy the config files for the respective modules into the main config directory:

touch modules/cron/enable
cp modules/cron/config-templates/module_cron.php config/.
touch modules/metarefresh/enable
cp modules/metarefresh/config-templates/config-metarefresh.php config/.

Configure cron and metarefresh

  1. Create a password for the cronjob (so other, external actors cannot trigger a metadata-download at their leisure)
  2. Place the generated password in the config/module_cron.php:
    <?php
    $config = array(
        'key'           => 'cr4zYp4sw0d',
        'allowed_tags'  => array('daily', 'hourly', 'frequent'),
        'debug_message' => TRUE,
        'sendemail'     => TRUE,
    );
    ?>
  3. Edit config/config-metarefresh.php so that SimpleSAMLphp knows where to retrieve the metadata from, which of the cron tags should trigger the refresh, and whether it should use separate subdirectories for the metadata:

    <?php
    $config = array(
        'sets' => array(
            'idp_one' => array(
                'cron'    => array('hourly'),
                'sources' => array(
                    array(
                        'src'      => 'https://path.to.idp/metadata.xml',
                        'template' => array(
                            'tags'     => array('idp_one'),
                            'authproc' => array(
                                51 => array('class' => 'core:AttributeMap', 'oid2name'),
                            ),
                        ),
                    ),
                ),
                'expireAfter'  => 60*10, /* 10 minute cache */
                'outputDir'    => 'metadata/idp_one/',
                'outputFormat' => 'flatfile',
            ),
        ),
    );
    ?>


In short: for all cron runs tagged ‘hourly’, the metadata located at https://path.to.idp/metadata.xml will be downloaded, parsed and written into metadata/idp_one/.

Depending on the data retrieved, each IdP is placed in saml20-idp-remote.php or shib13-idp-remote.php.
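As an added illustration (not part of this wiki page and not SimpleSAMLphp's own code), the Python script below mimics in simplified form what metarefresh does with the downloaded XML: it sorts each IdP into the saml20-idp-remote or shib13-idp-remote set based on its protocolSupportEnumeration, derives the 'expire' timestamp from expireAfter and any validUntil attribute, and skips entities that are already expired or are not IdPs. The sample metadata is constructed; the set names, the 'expire' key and the protocol URNs are real, while the function names are my own and the expiry handling is an approximation of metarefresh's behaviour rather than a copy of it.

```python
"""Simplified model of how metarefresh sorts downloaded IdP metadata into sets."""
import re
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML20_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML11_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"
SHIB13_PROTOCOL = "urn:mace:shibboleth:1.0"

# Constructed sample feed: one SAML 2.0 IdP, one Shibboleth 1.3 IdP,
# one IdP whose own validUntil is long past, and one SP that is not an IdP at all.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp-one.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-one.example.org/sso/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-legacy.example.org/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
      <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp-legacy.example.org/shibboleth-idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-stale.example.org/idp" validUntil="2000-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_xsd_datetime(value):
    """Turn an xs:dateTime such as 2099-01-01T00:00:00Z into a UNIX timestamp (UTC only)."""
    value = re.sub(r"\.\d+", "", value)  # drop fractional seconds if present
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def classify_metadata(xml_text, expire_after, now=None):
    """Return ({set name: {entityID: entry}}, [(entityID, reason) skipped])."""
    now = int(time.time()) if now is None else now
    root = ET.fromstring(xml_text)
    # A validUntil on the enclosing EntitiesDescriptor bounds every entity inside it.
    outer_valid_until = root.get("validUntil")
    if root.tag.endswith("EntitiesDescriptor"):
        descriptors = root.findall(".//md:EntityDescriptor", NS)
    else:
        descriptors = [root]

    sets = {"saml20-idp-remote": {}, "shib13-idp-remote": {}}
    skipped = []
    for ed in descriptors:
        entity_id = ed.get("entityID")
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            skipped.append((entity_id, "no IDPSSODescriptor"))
            continue
        # expire = the earliest of now + expireAfter and any validUntil in scope
        expire = now + expire_after
        for valid_until in (ed.get("validUntil"), outer_valid_until):
            if valid_until:
                expire = min(expire, parse_xsd_datetime(valid_until))
        if expire <= now:
            skipped.append((entity_id, "metadata already expired"))
            continue
        entry = {
            "entityid": entity_id,
            "SingleSignOnService": [
                (s.get("Binding"), s.get("Location"))
                for s in idp.findall("md:SingleSignOnService", NS)
            ],
            "expire": expire,
        }
        protocols = idp.get("protocolSupportEnumeration", "").split()
        if SAML20_PROTOCOL in protocols:
            sets["saml20-idp-remote"][entity_id] = entry
        elif SHIB13_PROTOCOL in protocols or SAML11_PROTOCOL in protocols:
            sets["shib13-idp-remote"][entity_id] = entry
        else:
            skipped.append((entity_id, "unsupported protocol"))
    return sets, skipped


def stale_seconds_per_run(expire_after, cron_interval):
    """Seconds in each cron cycle during which the cached metadata has already expired."""
    return max(0, cron_interval - expire_after)


if __name__ == "__main__":
    sets, skipped = classify_metadata(SAMPLE_METADATA, expire_after=60 * 10)
    for name, entries in sets.items():
        print(name, sorted(entries))
    print("skipped:", skipped)
    print("stale seconds per hourly run:", stale_seconds_per_run(60 * 10, 3600))
```

The last function is there for a check worth making against the configuration above: with `expireAfter` set to 10 minutes and the set refreshed by the hourly tag, the cached metadata is expired for 50 minutes of every hour, and SimpleSAMLphp refuses to use metadata whose expire timestamp has passed. Choose an `expireAfter` longer than the cron interval (with some margin for a failed download) unless the feed's own validUntil is shorter.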

  4. Make sure the metadata directory is writable for the webserver!
  5. Get Mr. Cron running:

    # m h  dom mon dow   command
    02 0 * * * curl --silent "https://sp.example.org/simplesaml/module.php/cron/cron.php?key=cr4zYp4sw0d&tag=daily" > /dev/null 2>&1
    01 * * * * curl --silent "https://sp.example.org/simplesaml/module.php/cron/cron.php?key=cr4zYp4sw0d&tag=hourly" > /dev/null 2>&1