This document describes how to configure a Shibboleth Service Provider (SP) to fetch metadata for individual IdPs on demand instead of periodically loading the entire InCommon "idp-only" aggregate. This newer method is referred to as a per-entity metadata service or MDQ (since it is based on the "Metadata Query" protocol).
Traditionally, federated SPs that relied on InCommon Federation metadata would periodically download a large metadata aggregate file containing all InCommon entities (IdPs and SPs). This became unwieldy as the federation grew, causing very slow start-up times and a large memory footprint for SPs. As an interim measure, InCommon began publishing an "IdP-only" metadata aggregate that was much smaller and placed less of a burden on SPs. That approach also became unwieldy over time.
Now there is a new option called the InCommon Per-Entity Metadata Distribution Service. This service is analogous to DNS, but instead of looking up an IP address by hostname as needed and caching the result, it looks up InCommon metadata by entityID as needed and caches the result. The per-entity metadata service is also known as MDQ, after the "Metadata Query" protocol (an IETF Internet-Draft) that it uses. With MDQ, an SP only looks up IdP metadata when it needs to and never loads metadata it doesn't need. There is no aggregate file to download and verify on restart and no large file to store on disk. If the MDQ service is not available, the SP uses the local copy of IdP metadata that it cached after previous successful MDQ queries, for as long as that copy remains valid.
For additional background please see: https://spaces.at.internet2.edu/display/MDQ/Introducing+per-entity+metadata+service
<!-- InCommon Per-Entity Metadata Distribution Service -->
<MetadataProvider type="MDQ" id="incommon" ignoreTransport="true" cacheDirectory="inc-mdq-cache"
maxCacheDuration="86400" minCacheDuration="60"
baseUrl="https://mdq.incommon.org/">
<MetadataFilter type="Signature" certificate="inc-md-cert-mdq.pem"/>
<MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
</MetadataProvider>
- It is recommended that you configure a metadata cache duration of at least one hour, but no longer than one day, in your Shibboleth SP.
- The first MetadataFilter element requires that the signature on each metadata document returned by the MDQ service be verified using the inc-md-cert-mdq.pem certificate; a document whose signature does not verify is discarded.
- The second MetadataFilter element rejects any metadata document that lacks a validUntil attribute or whose validUntil is more than 1209600 seconds (14 days) in the future, so an old signed document cannot be replayed indefinitely.
- If you have configured a MetadataProvider for the UW IdP or for the InCommon metadata aggregate, you should comment it out or delete it.
- Save your shibboleth2.xml file.
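To make the two filters and the cache bounds in the configuration above concrete, here is a small added Python model (not Shibboleth's own code, and not part of the original page) of what the SP does with one per-entity response: it builds the MDQ request URL for an entityID, then applies the RequireValidUntil rule and the minCacheDuration/maxCacheDuration clamp to a constructed EntityDescriptor. The sample metadata documents, the entityID https://idp.example.edu/idp/shibboleth, the fixed "now" timestamp and the choice to treat a missing cacheDuration as maxCacheDuration are assumptions of the example; signature verification, which the Signature filter performs against inc-md-cert-mdq.pem, is not modeled here.

```python
"""Added example: a model of the MDQ request URL plus the RequireValidUntil
and min/max cache rules from the Shibboleth SP configuration above.
This is illustrative code, not Shibboleth's implementation; the sample
metadata documents below are constructed for the example."""
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import quote

MDQ_BASE = "https://mdq.incommon.org/"   # baseUrl in the MetadataProvider
MAX_VALIDITY = 1209600                   # RequireValidUntil maxValidityInterval: 14 days
MIN_CACHE, MAX_CACHE = 60, 86400         # minCacheDuration / maxCacheDuration
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def mdq_url(entity_id):
    """Per-entity request URL: baseUrl + 'entities/' + the percent-encoded
    entityID. Every reserved character, ':' and '/' included, is encoded."""
    return MDQ_BASE + "entities/" + quote(entity_id, safe="")


def mdq_url_sha1(entity_id):
    """Transformed-identifier form the MDQ protocol also defines:
    '{sha1}' followed by the lowercase hex SHA-1 of the entityID."""
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return MDQ_BASE + "entities/" + quote("{sha1}" + digest, safe="")


_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Convert a SAML cacheDuration such as 'PT6H' or 'P1DT30M' to seconds.
    Year/month components are not supported (their length is ambiguous)."""
    match = _DURATION.match(text)
    if not match or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in match.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def evaluate(xml_text, now):
    """Decide what the SP would do with one MDQ response: reject it, or accept
    it and cache it for a bounded number of seconds."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return {"accepted": False, "reason": "not an EntityDescriptor"}

    # RequireValidUntil: validUntil must be present, in the future, and at
    # most maxValidityInterval seconds away (blocks replay of stale metadata).
    valid_until = root.get("validUntil")
    if valid_until is None:
        return {"accepted": False, "reason": "validUntil missing"}
    expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    remaining = (expires - now).total_seconds()
    if remaining <= 0:
        return {"accepted": False, "reason": "validUntil already passed"}
    if remaining > MAX_VALIDITY:
        return {"accepted": False, "reason": "validUntil exceeds maxValidityInterval"}

    # Cache bound: the document's cacheDuration, clamped to [min, max].
    # Assumption of this example: a missing cacheDuration means maxCacheDuration.
    requested = parse_duration(root.get("cacheDuration")) if root.get("cacheDuration") else MAX_CACHE
    cache_seconds = max(MIN_CACHE, min(MAX_CACHE, requested))
    return {"accepted": True, "entityID": root.get("entityID"), "cache_seconds": cache_seconds}


# Constructed sample responses (not real InCommon metadata).
ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)


def _doc(valid_until, cache_duration):
    attrs = f' entityID="{ENTITY_ID}"'
    if valid_until:
        attrs += f' validUntil="{valid_until}"'
    if cache_duration:
        attrs += f' cacheDuration="{cache_duration}"'
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}"{attrs}>'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>')


SAMPLES = {
    "fresh, 6h cache":        _doc("2024-01-15T12:00:00Z", "PT6H"),   # accept, 21600 s
    "no validUntil":          _doc(None, "PT6H"),                     # reject
    "validUntil 53 days out": _doc("2024-03-01T12:00:00Z", "PT6H"),   # reject
    "tiny cacheDuration":     _doc("2024-01-15T12:00:00Z", "PT10S"),  # accept, clamped to 60 s
    "huge cacheDuration":     _doc("2024-01-15T12:00:00Z", "P7D"),    # accept, clamped to 86400 s
}


def run_samples():
    return {name: evaluate(doc, NOW) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    print(mdq_url(ENTITY_ID))
    print(mdq_url_sha1(ENTITY_ID))
    for name, result in run_samples().items():
        print(f"{name:24} -> {result}")
```

The first printed URL is the one you can paste into a browser or curl to see exactly what your SP requests for a given IdP; the sample table shows why the RequireValidUntil filter matters (a signed document with no validUntil, or one valid far into the future, is refused even though its signature would verify) and how the min/max attributes bound whatever cacheDuration the service publishes.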
The per-entity metadata service works with Shibboleth SP v2, but there are some limitations:
- You will need at least Shibboleth SP v2.1 to specify a maximum cache duration.
- You will need at least Shibboleth SP v2.4 to specify a minimum cache duration.
Instructions for SP v2 configuration are the same as for SP v3, except that the MetadataProvider section is a little different:
<!-- InCommon Per-Entity Metadata Distribution Service -->
<MetadataProvider type="Dynamic" ignoreTransport="true" maxCacheDuration="86400" minCacheDuration="60">
<Subst>https://mdq.incommon.org/entities/$entityID</Subst>
<MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
<MetadataFilter type="Signature" certificate="inc-md-cert-mdq.pem"/>
</MetadataProvider>
- Download the MDQ signing certificate. Before relying on it, compare its fingerprint with the value InCommon publishes for the MDQ signing certificate: this certificate is the trust anchor for every metadata document your SP will accept.
- Save the certificate file in the same directory as your shibboleth2.xml file. Name it "inc-md-cert-mdq.pem".
- Restart the shibd process on your SP however you normally do that on your platform. This causes your SP to re-read the metadata provider configuration in shibboleth2.xml and to take appropriate actions.