Version 1, last updated by henrikau at May 21, 2010 09:01 UTC
Automated Metadata Management (AMM)
Once the number of IdPs grows, keeping their metadata up to date by hand becomes next to impossible. This is why SimpleSAMLphp provides a mechanism for automating it.
This guide is in no way comprehensive; for the complete reference, visit the simplesamlphp-wiki.
Setting up shop
The goal of this guide is to help you set up a cron-job that periodically contacts the Metadata Management Endpoint at an SP running SimpleSAMLphp.

You should also disable all the sanity-checks for the module. I’m still not able to figure out why (not that I try very hard anymore), but if you allow the sanity-check to run, you won’t be running AMM… Navigate to your favorite SimpleSAMLphp installation directory and run the following:
touch modules/sanitycheck/disable
Once this has been done, enable cron and metarefresh and copy the config files for the respective modules into the main config directory:
touch modules/cron/enable
cp modules/cron/config-templates/module_cron.php config/.
touch modules/metarefresh/enable
cp modules/metarefresh/config-templates/config-metarefresh.php config/.
Configure cron and metarefresh
- Create a password for the cronjob (so other, external actors cannot trigger a metadata-download at their leisure)
- Place the generated password in config/module_cron.php:
<?php
$config = array(
    'key' => 'cr4zYp4sw0d',
    'allowed_tags' => array('daily', 'hourly', 'frequent'),
    'debug_message' => TRUE,
    'sendemail' => TRUE,
);
?>
- Edit config/config-metarefresh.php so that SimpleSAMLphp knows where to retrieve the metadata from, which of the cron tags should trigger the refresh, and whether it should use a separate subdirectory for the metadata:
<?php
$config = array(
    'sets' => array(
        'idp_one' => array(
            'cron' => array('hourly'),
            'sources' => array(
                array(
                    'src' => 'https://path.to.idp/metadata.xml',
                    'template' => array(
                        'tags' => array('idp_one'),
                        'authproc' => array(
                            51 => array('class' => 'core:AttributeMap', 'oid2name'),
                        ),
                    ),
                ),
            ),
            'expireAfter' => 60*10, /* 10 minute cache */
            'outputDir' => 'metadata/idp_one/',
            'outputFormat' => 'flatfile',
        ),
    ),
);
In short: for all cron jobs tagged ‘hourly’, the metadata located at https://path.to.idp/metadata.xml will be downloaded, parsed and written into metadata/idp_one/.
Depending on the data retrieved, it is placed in saml20-idp-remote.php or shib13-idp-remote.php.
- Make sure the metadata-directory is writable for the webserver!
- Get Mr. Cron running:
# m  h  dom mon dow  command
02 0  *   *   *   curl --silent "https://sp.example.org/simplesaml/module.php/cron/cron.php?key=cr4zYp4sw0d&tag=daily" > /dev/null 2>&1
01 *  *   *   *   curl --silent "https://sp.example.org/simplesaml/module.php/cron/cron.php?key=cr4zYp4sw0d&tag=hourly" > /dev/null 2>&1
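The crontab above sends every error to /dev/null, so a refresh that silently stops working (expired TLS certificate on the IdP side, unwritable metadata directory, wrong key) goes unnoticed until logins fail. The following wrapper, an added example that is not part of the original guide, keeps the cron key out of the crontab and checks that metarefresh actually rewrote the flatfile after each run; the key file path, the metadata directory and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): trigger a metarefresh cron tag and
# verify the result. Paths below are assumptions for illustration.

SSP_BASE="${SSP_BASE:-https://sp.example.org/simplesaml}"
KEY_FILE="${KEY_FILE:-/etc/simplesamlphp/cron.key}"   # mode 0600, holds the 'key' from module_cron.php

# Trigger one cron tag. Reading the key from a file keeps it out of the
# crontab and the process list; curl -f turns HTTP errors into a non-zero exit.
trigger_tag() {
    tag="$1"
    key="$(cat "$KEY_FILE")" || return 1
    curl -fsS --max-time 120 -o /dev/null \
        "$SSP_BASE/module.php/cron/cron.php?key=$key&tag=$tag"
}

# check_metadata_fresh DIR MAX_AGE_SECONDS
# Returns 0 if DIR/saml20-idp-remote.php exists, contains at least one
# entity definition and was written within MAX_AGE_SECONDS; otherwise
# prints the reason on stderr and returns 1.
check_metadata_fresh() {
    file="$1/saml20-idp-remote.php"
    max_age="$2"
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    grep -q '^\$metadata\[' "$file" || { echo "no entities in $file" >&2; return 1; }
    now=$(date +%s)
    # stat -c is GNU coreutils; BSD/macOS stat uses -f %m
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
    age=$((now - mtime))
    [ "$age" -le "$max_age" ] || { echo "$file is ${age}s old (limit ${max_age}s)" >&2; return 1; }
    return 0
}

# Crontab usage (replaces the bare curl lines):
#   01 * * * * /usr/local/bin/metarefresh_check.sh hourly
# A failing run exits non-zero and prints to stderr, so cron mails it.
if [ -n "$1" ]; then
    trigger_tag "$1" || { echo "cron trigger for tag $1 failed" >&2; exit 1; }
    check_metadata_fresh "${OUTPUT_DIR:-/var/simplesamlphp/metadata/idp_one}" 3600 || exit 1
fi
```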