PERSEUS : portal enabled resources via Shibbolized end-user security


Metadata Refreshing

In a federation of several members, it is important to keep the federation metadata used to configure the Identity Provider up to date. There are several ways to do this, and it is important to follow the instructions of the federation involved where possible. (For small federations, there is probably little need to do this, and it will usually be done when one partner involved emails the other participants to inform them of changes.)

metadatatool

This is the official mechanism for updating metadata, and should be used wherever possible (it can check that the metadata has been signed by the federation management, to ensure that it is valid). The official documentation for this tool can be found in the Identity Provider installation guide. The tool is run from the command line, and it needs the Shibboleth Java .jar files to be in the class path before it can be used. The tool itself can be found in the bin sub-directory of the installation directory (which should be set as the environment variable SHIB_HOME), and the .jar files are in the lib directory.

The metadatatool requires that a public key is used to sign the metadata download request. Generally, the federation administration will provide the key store to be used if this tool is their chosen method of update; however, Java keystores are not always accessible to versions of Java other than those that created the keystore (this particularly affects Java 1.4).

With a working keystore, running the metadatatool from the command line will look like:

% $SHIB_HOME/bin/metadatatool -i [URL of federation metadata file here] -k [keystore file] -p [keystore password] -a [keyalias] -o [local metadata file location]

In this case, it makes sense to encapsulate this command into a script which is run regularly - how frequently will depend on how often the federation is expected to update the metadata - or when federation administration announces changes.

HTTP Get

Some federations make the metadata available for a simple download. This is less secure than metadatatool, but usable where there are problems with the tool. This can be automated using the "wget" command; again, such a command can be encapsulated in a script for regular automated updating.
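The following script is an added example of the kind of wrapper both sections above describe: it is not part of the PERSEUS page or of the Shibboleth distribution. It runs metadatatool when a federation keystore is configured and falls back to a plain wget download otherwise, and in either case it only replaces the live metadata file after a basic sanity check, so that a failed or truncated download never leaves the Identity Provider with an empty metadata file. The paths, the metadata URL and the keystore details are placeholders to be replaced with the federation's own values; the metadatatool options are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not from the PERSEUS page: a cron-friendly wrapper around
# metadatatool / wget that installs new federation metadata only after it
# passes a sanity check. All paths, URLs and keystore values are placeholders.

set -u

SHIB_HOME="${SHIB_HOME:-/opt/shibboleth-idp}"                             # assumed install dir
METADATA_URL="${METADATA_URL:-https://federation.example.org/metadata.xml}" # placeholder URL
METADATA_FILE="${METADATA_FILE:-$SHIB_HOME/etc/federation-metadata.xml}"   # placeholder path
KEYSTORE="${KEYSTORE:-}"           # federation keystore; leave empty to use plain HTTP GET
KEYSTORE_PASS="${KEYSTORE_PASS:-}" # keystore password (visible to "ps" while the tool runs)
KEY_ALIAS="${KEY_ALIAS:-}"         # alias of the federation signing key in the keystore

# A downloaded file must exist, be non-empty and look like SAML metadata
# before it is allowed to replace the live copy.
validate_metadata() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '<EntitiesDescriptor' "$f" || grep -q '<EntityDescriptor' "$f" || return 1
    return 0
}

# Preferred path: metadatatool verifies the federation signature using the keystore.
fetch_with_metadatatool() {
    out="$1"
    "$SHIB_HOME/bin/metadatatool" -i "$METADATA_URL" -k "$KEYSTORE" \
        -p "$KEYSTORE_PASS" -a "$KEY_ALIAS" -o "$out"
}

# Fallback path: a plain download, with no signature check.
fetch_with_wget() {
    out="$1"
    wget -q -O "$out" "$METADATA_URL"
}

# Install a validated file over the live one, keeping the previous copy as a
# backup so an operator can roll back if the new metadata causes problems.
install_metadata() {
    new="$1"
    live="$2"
    validate_metadata "$new" || return 1
    if [ -f "$live" ]; then
        cp -p "$live" "$live.bak" || return 1
    fi
    mv "$new" "$live"
}

refresh() {
    tmp="$(mktemp "${TMPDIR:-/tmp}/metadata.XXXXXX")" || exit 1
    if [ -n "$KEYSTORE" ]; then
        fetch_with_metadatatool "$tmp"
    else
        fetch_with_wget "$tmp"
    fi || { rm -f "$tmp"; echo "metadata download failed" >&2; exit 1; }
    install_metadata "$tmp" "$METADATA_FILE" \
        || { rm -f "$tmp"; echo "downloaded file rejected, live metadata unchanged" >&2; exit 1; }
    echo "metadata updated: $METADATA_FILE"
}

# Only perform the refresh when invoked as "refresh-metadata.sh run" (e.g. from cron),
# so the functions above can be sourced or tested without touching the IdP.
case "${1:-}" in
    run) refresh ;;
esac
```

Scheduling it is then a single cron entry, for example `0 4 * * * /usr/local/sbin/refresh-metadata.sh run`, with the frequency chosen to match how often the federation publishes changes. Because the keystore password is passed on the command line, as on this page, it is briefly visible to other local users in the process list; keeping the script readable only by the account that runs it limits who can learn it from the file itself.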

Email

For small, relatively informal trust relationships, it is probably best to use email for metadata updating. For security purposes, emails can be electronically signed or encrypted if this is desirable. Contact details from the existing metadata can be used to obtain the appropriate email addresses.

Simon McLeish 29 Sep 2005

page last updated: 1 Dec 05

pages maintained by Masha Garibyan and Peter Spring info@angel.ac.uk