<h4><a name="4.e."></a>4.e. <span class="fixed">metadatatool</span></h4>
<blockquote>
<p>The Shibboleth origin leverages metadata distributed by relying parties and federations to validate the identity of requesters and the resource providers on whose behalf the request is being made. This metadata is cached locally in the form of <span class="fixed">sites.xml</span> files. Shibboleth includes a simple utility called <span class="fixed">metadatatool</span> which can be used to refresh a <span class="fixed">sites.xml</span> file. These files are then pointed to by <a href="#confFederationProvider"><span class="fixed">FederationProvider</span></a> elements in <a href="#5.a."><span class="fixed">shibboleth.xml</span></a>.</p>
-<p>The following command is appropriate for most deployments and is run from the $SHIB_HOME directory. This should be frequently run by adding it to a <span class="fixed">crontab/span> to ensure that the data is fresh.</p>
+<p>The following command is appropriate for most deployments and is run from the $SHIB_HOME directory. This should be frequently run by adding it to a <span class="fixed">crontab</span> to ensure that the data is fresh.</p>
<blockquote><span class="fixed">bin/metadatatool -i https://wayf.internet2.edu/InQueue/sites.xml -k conf/internet2.jks -p shib123 -a sitesigner -o /your_path_here/sites.xml</span></blockquote>
<p>This is a list of all the command-line parameters that may be specified:</p>
-<blockquote><span class="fixed">when signing: -i <uri> -s -k <keystore> -a <alias> -p <pass> [-o
-<outfile>]<br>
-when updating: -i <uri> [-k <keystore> -a <alias> OR -N ] [-o <outfile>]<br>
+<blockquote><span class="fixed">when signing: -i <uri> -s -k <keystore> -a <alias> -p <pass> [-o
+<outfile>]<br>
+when updating: -i <uri> [-k <keystore> -a <alias> OR -N ] [-o <outfile>]<br>
<table border="0" cellpadding="0" cellspacing="0">
<tr><td width="150">-i,--in</td><td>input file or url</td></tr>
<tr><td width="150">-k,--keystore</td><td>pathname of Java keystore file</td></tr>
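Review bot: the updating synopsis on the `+` line (`when updating: -i <uri> [-k <keystore> -a <alias> OR -N ] [-o <outfile>]`) lists no `-p <pass>`, yet the recommended cron command above runs in update mode (no `-s`) and passes `-p shib123`; add `[-p <pass>]` to the updating line or drop it from the example so the two agree. The synopsis also offers `-N` as the alternative to `-k`/`-a`, which reads as "do not verify the signature on the fetched sites.xml"; because the surrounding text tells deployers to run this command from cron, say explicitly that `-N` skips signature verification and is not appropriate for the scheduled refresh, since the origin would then trust whatever the download returned as its list of targets.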
class="mandatory">mandatory</span> by a purple background.</p>
<dl>
- <dd class="attribute"><a name="confArpRepository"><span class="fixed"><ArpRepository implementation ="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository"></span></dd>
+ <dd class="attribute"><a name="confArpRepository"><span class="fixed"><ArpRepository implementation ="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository"></span></a></dd>
<dd class="value"><p>This element specifies an individual implementation
of a release policy engine, with the given value specifying Shibboleth's
file-based ARP repository implementation, which is currently the only
group entries would have ARP attributes, and all those ARP's would
be applicable.</p></dd>
- <dd class="attribute"><a name="confCAPath"><span class="fixed"><CAPath><i>pathname</i></CAPath></span></dd>
+ <dd class="attribute"><a name="confCAPath"><span class="fixed"><CAPath><i>pathname</i></CAPath></span></a></dd>
<dd class="value">Paired with a <a href="#confPath"><span
class="fixed">Path</span></a> element and contained by a <a
href="#confFileResolver"><span class="fixed">FileResolver</span></a>
may be specified. The expectations of the target and the federation may
determine the necessity for the use of this field.</dd>
- <dd class="attribute"><a name="confCertAlias"><span class="fixed"><CertAlias><i>string</i></CertAlias></span></dd>
+ <dd class="attribute"><a name="confCertAlias"><span class="fixed"><CertAlias><i>string</i></CertAlias></span></a></dd>
<dd class="value">Specifies the alias for the certificate corresponding
to the private key used by the HS. If no alias is specified, defaults
to the private key's alias. Contained by the <a
href="#confKeyStoreResolver"><span
class="fixed">KeyStoreResolver</span></a> element.</dd>
- <dd class="attribute"><a name="confCertificate"><span class="fixed"><Certificate format="<i>type</i>"></span></dd>
+ <dd class="attribute"><a name="confCertificate"><span class="fixed"><Certificate format="<i>type</i>"></span></a></dd>
<dd class="value">This specifies the certificate corresponding to this
set of credentials. The certificate itself must be referred to using a
<a href="#confPath"><span class="fixed">Path</span></a> element
and must be paired with the corresponding private key using the <a
href="#confKey"><span class="fixed">Key</span></a> element.</dd>
- <dd class="attribute"><a name="confCredentials"><span class="fixed"><Credentials xmlns="urn:mace:shibboleth:credentials:1.0"></span></dd>
+ <dd class="attribute"><a name="confCredentials"><span class="fixed"><Credentials xmlns="urn:mace:shibboleth:credentials:1.0"></span></a></dd>
<dd class="value">This element is the container for credentials used by
the credential mechanism specified by the <a
href="#confShibbolethOriginConfig"><span
class="fixed">KeyStoreResolver</span></a> element for compound
keystores.</dd>
- <dd class="attribute"><a name="confErrorLog"><span class="fixed"><ErrorLog level="<i>level</i>" location="<i>URL</i>"></span></dd>
+ <dd class="attribute"><a name="confErrorLog"><span class="fixed"><ErrorLog level="<i>level</i>" location="<i>URL</i>"></span></a></dd>
<dd class="value">Paired with a <a href="#confTransactionLog"><span
class="fixed">TransactionLog</span></a> element, this will log any
errors encountered by the origin above a certain logging threshold to a
Must be contained by a <a href="#confLogging"><span
class="fixed">Logging</span></a> element.</dd>
- <dd class="attribute"><a name="confFederationProvider"><span class="fixed"><FederationProvider <span class="mandatory">type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadataLoadWrapper" uri="<i>pathname</i>"/></span></dd>
+ <dd class="attribute"><a name="confFederationProvider"><span class="fixed"><FederationProvider <span class="mandatory">type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadataLoadWrapper" uri="<i>pathname</i>"/></span></a></dd>
<dd class="value">Individual sets of targets in the form of a <span
class="fixed">sites.xml</span> file that this origin will trust to make
requests may be specified by adding <span
federations. This file should be regularly refreshed using
<a href="#4.e."><span class="fixedwidth">metadatatool</span></a>.</dd>
- <dd class="attribute"><a name="confFileResolver"><span class="fixed"><FileResolver Id="<i>string</i>"></span></dd>
+ <dd class="attribute"><a name="confFileResolver"><span class="fixed"><FileResolver Id="<i>string</i>"></span></a></dd>
<dd class="value">This element defines a pair of files used to store a
private key and certificate associated with a given identifier and is
contained by the <a href="#confCredentials"><span
contain one <a href="#confCertificate"><span
class="fixed">Certificate</span></a> element.</dd>
- <dd class="attribute"><a name="confHSNameFormat"><span class="fixed"><HSNameFormat <span class="mandatory">nameMapping="<i>id</i>"</span>/></span></dd>
+ <dd class="attribute"><a name="confHSNameFormat"><span class="fixed"><HSNameFormat <span class="mandatory">nameMapping="<i>id</i>"</span>/></span></a></dd>
<dd class="value">Individual <a href="#confRelyingParty"><span
class="fixed">RelyingParty</span></a> elements may contain this element
to specify the <a href="#confNameMapping"><span
relying party. If this element is not present, default Shibboleth
handles will be used.</dd>
- <dd class="attribute"><a name="confKey"><span class="fixed"><Key format="<i>type</i>"></span></dd>
+ <dd class="attribute"><a name="confKey"><span class="fixed"><Key format="<i>type</i>"></span></a></dd>
<dd class="value">This specifies the file containing a private key to be
used by a set of credentials. Valid encodings are <span
class="fixed">PEM</span> and <span class="fixed">DER</span>. Keys are
class="fixed">Certificate</span></a> element, and contain a <a
href="#confPath"><span class="fixed">Path</span></a> element.</dd>
- <dd class="attribute"><a name="confKeyAlias"><span class="fixed"><KeyAlias><i>string</i></KeyAlias></span></dd>
+ <dd class="attribute"><a name="confKeyAlias"><span class="fixed"><KeyAlias><i>string</i></KeyAlias></span></a></dd>
<dd class="value">Specifies the alias used for accessing the private
key. Contained by the <a href="#confKeyStoreResolver"><span
class="fixed">KeyStoreResolver</span></a> element.</dd>
- <dd class="attribute"><a name="confKeyPassword"><span class="fixed"><KeyPassword><i>string</i></KeyPassword></span></dd>
+ <dd class="attribute"><a name="confKeyPassword"><span class="fixed"><KeyPassword><i>string</i></KeyPassword></span></a></dd>
<dd class="value">Specifies the password used to retrieve the private
key. Contained by the <a href="#confKeyStoreResolver"><span
class="fixed">KeyStoreResolver</span></a> element.</dd>
- <dd class="attribute"><a name="confKeyStoreKeyAlias"><span class="fixed"><KeyStoreKeyAlias><i>string</i></KeyStoreKeyAlias></span></dd>
+ <dd class="attribute"><a name="confKeyStoreKeyAlias"><span class="fixed"><KeyStoreKeyAlias><i>string</i></KeyStoreKeyAlias></span></a></dd>
<dd class="value">Specifies the alias used for accessing the private
key. Contained by the <a href="#confNameMapping"><span
class="fixed">NameMapping</span></a> element when a <span
class="fixed">CryptoHandleGenerator</span> type is specified.</dd>
- <dd class="attribute"><a name="confKeyStoreKeyPassword"><span class="fixed"><KeyStoreKeyPassword><i>string</i></KeyStoreKeyPassword></span></dd>
+ <dd class="attribute"><a name="confKeyStoreKeyPassword"><span class="fixed"><KeyStoreKeyPassword><i>string</i></KeyStoreKeyPassword></span></a></dd>
<dd class="value">Specifies the password used to retrieve the private
key. Contained by the <a href="#confNameMapping"><span
class="fixed">NameMapping</span></a> element when a <span
class="fixed">CryptoHandleGenerator</span> type is specified.</dd>
- <dd class="attribute"><a name="confKeyStorePassword"><span class="fixed"><KeyStorePassword><i>string</i></KeyStorePassword></span></dd>
+ <dd class="attribute"><a name="confKeyStorePassword"><span class="fixed"><KeyStorePassword><i>string</i></KeyStorePassword></span></a></dd>
<dd class="value">Specifies the password to access the keystore
containing the private key to be used for symmetric encryption.
Contained by the <a href="#confNameMapping"><span
class="fixed">NameMapping</span></a> element when a <span
class="fixed">CryptoHandleGenerator</span> type is specified.</dd>
- <dd class="attribute"><a name="confKeyStorePath"><span class="fixed"><KeyStorePath><i>string</i></KeyStorePath></span></dd>
+ <dd class="attribute"><a name="confKeyStorePath"><span class="fixed"><KeyStorePath><i>string</i></KeyStorePath></span></a></dd>
<dd class="value">Specifies the location of the keystore containing the
private key to be used for symmetric encryption to pass handles between
the HS and AA. Contained by the <a href="#confNameMapping"><span
class="fixed">NameMapping</span></a> element when a <span
class="fixed">CryptoHandleGenerator</span> type is specified.</dd>
- <dd class="attribute"><a name="confKeyStoreResolver"><span class="fixed"><KeyStoreResolver Id="<i>string</i>" storeType="<i>type</i>"></span></dd>
+ <dd class="attribute"><a name="confKeyStoreResolver"><span class="fixed"><KeyStoreResolver Id="<i>string</i>" storeType="<i>type</i>"></span></a></dd>
<dd class="value">This element is contained by the <a
href="#confCredentials"><span class="fixed">Credentials</span></a>
element and to specify a keystore that contains both the certificate and
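Review bot: the `KeyPassword`, `KeyStoreKeyPassword` and `KeyStorePassword` entries in this hunk document the values as plain strings but say nothing about the fact that they sit in cleartext in the configuration file next to `KeyStorePath`; add a sentence that the file must be readable only by the account the HS and AA run under, since anyone who can read it gets both the keystore locations and the passwords that open them, and with those the signing key and the handle-encryption key.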
href="#confCertAlias"><span class="fixed">CertAlias</span></a>
element.</dd>
- <dd class="attribute"><a name="confLog4JConfig"><span class="fixed"><Log4JConfig location="<i>pathname</i>"/></span></dd>
+ <dd class="attribute"><a name="confLog4JConfig"><span class="fixed"><Log4JConfig location="<i>pathname</i>"/></span></a></dd>
<dd class="value">This element informs Shibboleth to utilize Log4J as a
logging system and points to the relevant configuration file using the
<span class="fixed">location</span> attribute. A basic configuration is
class="fixed">TransactionLog</span></a> or <a href="#confErrorLog"><span
class="fixed">ErrorLog</span></a> element.</dd>
- <dd class="attribute"><a name="confLogging"><span class="fixed"><Logging></span></dd>
+ <dd class="attribute"><a name="confLogging"><span class="fixed"><Logging></span></a></dd>
<dd class="value">This container element identifies a logging method for
both the HS and AA to use and may not occur more than once. Three
different logging methods may be specified depending on what is placed
format="<i>URN</i>"<br>
handleTTL="<i>seconds</i>"<br>
id="<i>string</i>"<br>
-type="<i>type</i>"/></span></dd>
+type="<i>type</i>"/></span></a></dd>
<dd class="value">This element defines a name mapping system to create
SAML assertion subject names for users; in standard Shibboleth, this
will be the creation of a handle to be given to the SHAR and shared with
</ul></li>
</ul></dd>
- <dd class="attribute"><a name="confPath"><span class="fixed"><Path><i>pathname</i></Path></span></dd>
+ <dd class="attribute"><a name="confPath"></a><span class="fixed"><Path><i>pathname</i></Path></span></a></dd>
<dd class="value">This mandatory element specifies the path to a file or
directory utilized by other elements of the configuration. It may be
contained by various elements to point to different types of files
required by the origin.</dd>
- <dd class="attribute"><a name="confReleasePolicyEngine"><span class="fixed"><ReleasePolicyEngine></span></dd>
+ <dd class="attribute"><a name="confReleasePolicyEngine"></a><span class="fixed"><ReleasePolicyEngine></span></a></dd>
<dd class="value">The <span class="fixed">ReleasePolicyEngine</span>
element is used to specify a class of release policy processing. This
should contain one <a href="#confArpRepository"><span
class="fixed">ArpRepository</span></a> element.</dd>
- <dd class="attribute"><a name="confRelyingParty"><span class="fixed"><RelyingParty <span class="mandatory">name="<i>URN</i>"</span><br>
+ <dd class="attribute"><a name="confRelyingParty"><span class="fixed"><RelyingParty <span class="mandatory">name="<i>URN</i>"</span></a><br>
AAsigningCredential="<i>string</i>"<br>
AAUrl="<i>URL</i>"<br>
defaultAuthMethod="<i>URN</i>"<br>
signAttrResponses="<i>true/false</i>"<br>
signAuthAssertions="<i>true/false</i>"<br>
signAuthResponses="<i>true/false</i>"<br>
-signingCredential="<i>string</i>"></span></dd>
+signingCredential="<i>string</i>"></span></a></dd>
<dd class="value"><p>The <span class="fixed">RelyingParty</span> element
is used to specify one or more relying parties that this origin must
recognize. This includes any federations the origin is a member of, any
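Review bot: the `+` lines for `confPath` and `confReleasePolicyEngine` close the anchor twice: `<a name="confPath"></a><span ...>...</span></a>` emits an empty anchor and then a stray `</a>` with no matching open, and the `confReleasePolicyEngine` line has the same pattern. Every other entry in this patch puts the span inside the anchor and closes once (`<a name="..."><span ...>...</span></a>`); use that form here too. `confRelyingParty` has the same problem split across lines: the `+` line adds `</a>` right after the mandatory `name` span, and the later `+` line ending `signingCredential="..."></span></a>` adds a second one, so one of them has to go; keeping only the last one leaves the whole element inside the anchor, matching the multi-line `NameMapping` entry above.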
provider is a member of.</li>
<li><span class="fixed">AAsigningCredential</span>: This attribute
must equal the identifier of one of the <a
- href="#confFileResolver><span class="fixed">FileResolver</span></a>
+ href="#confFileResolver"><span class="fixed">FileResolver</span></a>
Id's. A separate set of credentials may be specified for the AA's
signing of assertions/SSL session identification using this attribute,
as opposed to the HS' signing of assertions. If this is not specified
one or more assertions. Defaults to <span
class="fixed">true</span>.</li>
<li><span class="fixed">signingCredential</span>: This attribute must
- equal the identifier of one of the <a href="#confFileResolver><span
+ equal the identifier of one of the <a href="#confFileResolver"><span
class="fixed">FileResolver</span></a> Id's. This allows the origin to
use different signing keys and certificates for exchanges with
different federations or targets. Ensure that the appropriate signing
defaultAuthMethod="<i>URN</i>"<br>
maxHSThreads="<i>integer</i>"<br>
passThruErrors="<i>true/false</i>"<br>
-resolverConfig="<i>pathname</i>"></span></dd>
+resolverConfig="<i>pathname</i>"></span></a></dd>
<dd class="value"><p>This is the primary element that defines an <span class="fixed">origin.xml</span> file and is the container for every other element and must appear once and only once. For most deployments, all the <span class="fixed">xmlns</span> attributes, which specify the handlers for different aspects of origin operation, should remain unchanged. The mandatory attributes must be changed before operating the origin.</p>
<ul>
<li class="mandatory"><span class="fixed">defaultRelyingParty</span>: This specifies the relying party to use for a request when no <a href="#confRelyingParty"><span class="fixed">RelyingParty</span></a> element's <span class="fixed">name</span> attribute matches the policy URN of an incoming request. Typically, this will be populated with the URN of a federation.</li>
</ul>
</dd>
- <dd class="attribute"><a name="confStorePassword"><span class="fixed"><StorePassword><i>string</i></StorePassword></span></dd>
+ <dd class="attribute"><a name="confStorePassword"><span class="fixed"><StorePassword><i>string</i></StorePassword></span></a></dd>
<dd class="value">Specifies the password for the keystore. Contained by the <a href="#confKeyStoreResolver"><span class="fixed">KeyStoreResolver</span></a> element.</dd>
- <dd class="attribute"><a name="confTransactionLog"><span class="fixed"><TransactionLog location="<i>URL</i>"></span></dd>
+ <dd class="attribute"><a name="confTransactionLog"><span class="fixed"><TransactionLog location="<i>URL</i>"></span></a></dd>
<dd class="value">Paired with an <a href="#confErrorLog"><span class="fixed">ErrorLog</span></a> element, this will log all transactions that the origin is involved in. The information in this file is sensitive and may be useful for auditing and security purposes. Must be contained by a <a href="#confLogging"><span class="fixed">Logging</span></a> element.</dd>
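Review bot: the `ShibbolethOriginConfig` description on the context line calls the file `origin.xml`, while the metadatatool section at the top of this diff says `FederationProvider` elements live in `shibboleth.xml`; pick one name for the file and use it throughout. `StorePassword` on the `+` line is another cleartext keystore password in the same file, so the access-restriction caveat for the configuration applies here as well. For `TransactionLog`, which the text itself calls sensitive and an audit source, add that the file it writes needs the same restriction, since it records every transaction the origin took part in.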
</dl>