Overview
This article will guide you through the modifications necessary to ensure your Service Provider is utilising the Highly Available (HA) Metadata endpoints rather than the older metadata endpoint, which is not HA enabled. The older link will continue to function for a period of time; once its deprecation has been planned, a notification email will be sent to all subscribers confirming the date and time of its removal.
The AAF strongly recommends modification during a maintenance window. Please contact AAF support if you need any further details.
Prerequisites
- Metadata documents are only accessible over HTTPS
- Our metadata endpoints DO NOT automatically redirect HTTP requests
All metadata documents are signed by the AAF. Subscribers MUST use the public key available at https://md.aaf.edu.au/aaf-metadata-certificate.pem to verify metadata documents whenever they are retrieved.
Please check your key against the following to ensure the accuracy of information. It is vital that each key conforms to the following format:
$> openssl x509 -subject -dates -fingerprint -in aaf-metadata-certificate.pem
subject= /O=Australian Access Federation/CN=AAF Metadata
notBefore=Nov 24 04:27:20 2015 GMT
notAfter=Dec 9 04:27:20 2035 GMT
SHA1 Fingerprint=E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A
Details
AAF Metadata document locations:
https://md.aaf.edu.au/aaf-metadata.xml – Containing all AAF subscribers
https://md.aaf.edu.au/aaf-edugain-metadata.xml – Containing IdP and SP which have been approved for consumption by AAF subscribers from the global eduGAIN metadata source
https://md.aaf.edu.au/aaf-edugain-export-metadata.xml – Containing AAF subscribed IdP and SP which have been approved for publishing to the global eduGAIN metadata source
To get started locate your Shibboleth SP configuration directory, generally /etc/shibboleth
Updates for Metadata
1. Edit the file shibboleth2.xml
2. Find the following within the MetadataProvider tag:
uri="[existing AAF metadata URL]"
(your existing URL may end in metadata.aaf.signed.minimal.xml or metadata.aaf.signed.xml; these are all roughly equivalent and all need to be replaced with the same new URL below)
3. Change this to be:
For AAF Test Federation
uri="https://md.test.aaf.edu.au/aaf-test-metadata.xml"
For AAF Production
uri="https://md.aaf.edu.au/aaf-metadata.xml"
4. Save the file and exit
Notes
You should now restart your shibd daemon. When it comes back online it will be using the highly available sources for AAF metadata configured above, reducing the chance of an outage during maintenance windows or unscheduled outages of core AAF services (such as Federation Registry) to almost nil.
If you restart shibd and your metadata is not updating, and you are seeing SSL-related errors in shibd's logs, you may need to verify the certificate used to sign the metadata document. If you encounter any issues, you should log a support call with AAF support to help you resolve the issue.
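The two checks a practitioner would want to script around this procedure are the fingerprint comparison from the Prerequisites section and a sanity check that the edited MetadataProvider points at the HA URL and actually verifies the metadata signature with the AAF certificate. The following is an added example (not AAF's own tooling) using only the Python standard library; the sample PEM and shibboleth2.xml fragments are constructed inline so it runs offline, and the old metadata URL in the sample is a placeholder, since this page does not show the old address.

```python
"""Offline checks for an AAF Shibboleth SP metadata setup (added example, not AAF code).

1. Compute the SHA1 fingerprint of a PEM certificate the way `openssl x509
   -fingerprint` does (SHA1 over the DER bytes) and compare it with the
   fingerprint the AAF publishes.
2. Lint the MetadataProvider element(s) in shibboleth2.xml: HTTPS, the
   expected HA URL, and a Signature MetadataFilter that references the
   downloaded certificate. Both the SP 2.x `uri` and SP 3 `url` attribute
   spellings are accepted.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Values taken from this article.
AAF_SHA1_FINGERPRINT = "E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A"
AAF_METADATA_URL = "https://md.aaf.edu.au/aaf-metadata.xml"
AAF_CERT_FILE = "aaf-metadata-certificate.pem"


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_fingerprint(pem: str) -> str:
    """Return the colon-separated upper-case SHA1 fingerprint, as openssl prints it."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Compare fingerprints ignoring colons, spaces and case."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(sha1_fingerprint(pem)) == norm(expected)


def check_metadata_provider(shib_xml: str, expected_uri: str = AAF_METADATA_URL,
                            cert_file: str = AAF_CERT_FILE) -> list:
    """Return a list of problems for every MetadataProvider whose remote URL
    mentions 'aaf'; an empty list means the configuration matches expectations."""
    problems = []
    root = ET.fromstring(shib_xml)
    # shibboleth2.xml uses a default namespace, so match on the local tag name.
    providers = [e for e in root.iter() if e.tag.endswith("MetadataProvider")]
    aaf = [(p, p.get("uri") or p.get("url") or "") for p in providers]
    aaf = [(p, u) for p, u in aaf if "aaf" in u.lower()]
    if not aaf:
        return ["no MetadataProvider with a remote uri/url referencing AAF metadata"]
    for provider, uri in aaf:
        if not uri.startswith("https://"):
            problems.append(f"{uri!r}: metadata must be fetched over https "
                            "(the endpoints do not redirect HTTP)")
        if uri != expected_uri:
            problems.append(f"uri is {uri!r}, expected {expected_uri!r}")
        sig = [f for f in provider if f.tag.endswith("MetadataFilter")
               and f.get("type") == "Signature"]
        if not sig:
            problems.append(f"{uri!r}: no Signature MetadataFilter, so the "
                            "metadata signature is never verified")
        elif sig[0].get("certificate") != cert_file:
            problems.append(f"Signature filter uses {sig[0].get('certificate')!r}, "
                            f"expected {cert_file!r}")
    return problems


# Constructed sample data (not a real certificate; old URL is a placeholder host).
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder, not a real X.509 certificate" * 2).decode()
              + "\n-----END CERTIFICATE-----\n")

OLD_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.edu.au/shibboleth">
    <MetadataProvider type="XML" uri="https://old-metadata.example/metadata.aaf.signed.xml"
                      backingFilePath="metadata.aaf.signed.xml" reloadInterval="7200"/>
  </ApplicationDefaults>
</SPConfig>"""

NEW_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.edu.au/shibboleth">
    <MetadataProvider type="XML" uri="https://md.aaf.edu.au/aaf-metadata.xml"
                      backingFilePath="aaf-metadata.xml" reloadInterval="7200">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="aaf-metadata-certificate.pem"/>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""

if __name__ == "__main__":
    print("sample cert fingerprint:", sha1_fingerprint(SAMPLE_PEM))
    print("matches AAF fingerprint:", fingerprint_matches(SAMPLE_PEM, AAF_SHA1_FINGERPRINT))
    print("old config problems:", check_metadata_provider(OLD_CONFIG))
    print("new config problems:", check_metadata_provider(NEW_CONFIG))
```

To use it against a real deployment, read aaf-metadata-certificate.pem and /etc/shibboleth/shibboleth2.xml from disk and pass their contents to `fingerprint_matches` and `check_metadata_provider`; pass `https://md.test.aaf.edu.au/aaf-test-metadata.xml` as `expected_uri` for a Test Federation SP. A fingerprint mismatch means the certificate you downloaded is not the one this article describes and the signature filter would reject the metadata, which shows up as the shibd errors mentioned above.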