Implementing Highly Available Metadata to a Service Provider : AAF Support

Overview

This article will guide you through the modifications necessary to ensure your Service Provider is utilising Highly Available Metadata compared to the older Metadata which does not have HA enabled. The older link will continue to function for a period of time and once it’s depreciation has been planned, a notification email will be sent to all subscribers confirming the date and time of its removal.

The AAF strongly recommends modification during a maintenance window. Please contact AAF support if you need any further details.

Prerequisites

Metadata documents are only accessible by https request
Our metadata endpoints DO NOT automatically redirect HTTP requests

All metadata documents are signed by the AAF. Subscribers MUST use the public key available at https://md.aaf.edu.au/aaf-metadata-certificate.pem to verify metadata documents whenever they are retrieved.

Please check your key against the following to ensure the accuracy of information. It is vital that each key conform to the follow format:

         $> openssl x509 -subject -dates -fingerprint -in aaf-metadata-certificate.pem

subject= /O=Australian Access Federation/CN=AAF Metadata
notBefore=Nov 24 04:27:20 2015 GMT
notAfter=Dec  9 04:27:20 2035 GMT
SHA1 Fingerprint=E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A

Details

AAF Metadata document locations:

https://md.aaf.edu.au/aaf-metadata.xml – Containing all AAF subscribers

https://md.aaf.edu.au/aaf-edugain-metadata.xml – Containing IdP and SP which have been approved for consumption by AAF subscribers from the global eduGAIN metadata source

https://md.aaf.edu.au/aaf-edugain-export-metadata.xml – Containing AAF subscribed IdP and SP which have been approved for publishing to the global eduGAIN metadata source

To get started locate your Shibboleth SP configuration directory, generally /etc/shibboleth

Updates for Metadata

1. Edit the file shibboleth2.xml

2. Find the following within the MetadataProvider tag:
uri="Error! Hyperlink reference not valid."
(you might also have metadata.aaf.signed.minimal.xml or metadata.aaf.signed.xml in your URL these are all roughly equivalent and all need to use the same new URL below)

3. Change this to be:
For AAF Test Federation
uri="https://md.test.aaf.edu.au/aaf-test-metadata.xml"
For AAF Production
uri="https://md.aaf.edu.au/aaf-metadata.xml"

4. Save the file an exit

Notes

You should now restart your shibd daemon. When it comes back online it will be using the highly available sources for AAF metadata as we've configured above ensuring any chance of outage during maintenance windows or unscheduled outages of core AAF services such as Federation Registry are reduced to almost nil.

If you restart shibd, and your metadata is not updating, and you are seeing SSL related errors in shibd's logs, you may need to verify the certificate used to sign the metadata document. if you encounter any issues , you should log a support call with AAF support support@aaf.edu.au to help you resolve the issue.

Implementing Highly Available Metadata to a Service Provider

Implementing Highly Available Metadata to a Service Provider

Updates for Metadata

Related Articles

Newsletter Sign-up

Home

Announcements

Knowledge Base

Ask for Help