Configure siterefresh for automated Metadata retrieval
Siterefresh is a tool that is bundled with the Shibboleth SP that helps you maintain metadata files referenced in shibboleth.xml. You can read more about it at the Internet2 site.
In this guide we will provide you with detailed instructions on how to use siterefresh for Linux and Windows servers.
Please note:
1. After setting up the task (setup instructions provided below), run it once manually and verify the result before commissioning it in production.
2. The task updates the metadata file. The Shibboleth SP picks up the new copy and caches it automatically. You do not need to restart any service.
3. You will need administrative rights to schedule the task.
Visit the Internet2 site for more details.
Configure siterefresh on Linux
Step 1: Locating your siterefresh
siterefresh is a tool that comes with your Shibboleth SP. To locate it, run the command below:
wleung>$ find / -name siterefresh
The output will be the location of your siterefresh.
Step 2: Obtaining the InCommon Metadata Signing Certificate
The InCommon metadata signing certificate can be found at the InCommon site. A direct link can be found here.
Grab this file and place it on your server. You will reference it later.
Please visit Signing Certificate if you want more information on what a signing certificate is.
Step 3: How to use siterefresh
An example of siterefresh usage is shown below:
wleung>$ /usr/sbin/siterefresh --out /etc/shibboleth/InCommon-metadata.xml --cert /etc/shibboleth/incommon.pem --url http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
Step 4: Configuring Crontab to Automate the Process
The crontab allows you to automate a process. In this case we want to schedule siterefresh to run at a set time. Information about crontab can be found here.
The example below shows a configuration of the crontab. It runs siterefresh at 8am daily.
0 8 * * * /usr/sbin/siterefresh --out /etc/shibboleth/testincommon.xml --cert /etc/shibboleth/incommon.pem --url http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
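The cron entry above writes straight to the file the SP loads. As an added example (not part of the original guide or of Shibboleth), the wrapper below runs the same siterefresh command into a temporary file and only replaces the live metadata after the run succeeds and the result looks like metadata. It assumes siterefresh exits non-zero on a failed fetch or signature check; the script path in the cron comment is hypothetical.

```shell
#!/bin/sh
# Added example: cron wrapper for the siterefresh command shown in Step 3.
# Assumption: siterefresh exits non-zero when the fetch or the signature
# check against --cert fails.
SITEREFRESH="${SITEREFRESH:-/usr/sbin/siterefresh}"
CERT="${CERT:-/etc/shibboleth/incommon.pem}"
URL="${URL:-http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml}"

# refresh_metadata OUT
# Returns 0 when OUT was replaced, 1-3 when the existing OUT was left alone.
refresh_metadata() {
    out="$1"
    # Temp file in the same directory, so the final mv is an atomic rename.
    tmp=$(mktemp "${out}.XXXXXX") || return 1

    # Never pass --out the live file: a failed run must not touch it.
    if ! "$SITEREFRESH" --out "$tmp" --cert "$CERT" --url "$URL"; then
        rm -f "$tmp"
        echo "siterefresh failed; keeping existing $out" >&2
        return 2
    fi

    # Reject an empty file or one without a SAML metadata root element
    # (assumption: the feed's root is EntitiesDescriptor).
    if [ ! -s "$tmp" ] || ! grep -q 'EntitiesDescriptor' "$tmp"; then
        rm -f "$tmp"
        echo "downloaded file is not metadata; keeping existing $out" >&2
        return 3
    fi

    # mktemp creates the file 0600; metadata is public and the SP must read it.
    chmod 644 "$tmp"
    mv -f "$tmp" "$out"
}

# Run only when a target path is given, e.g. from cron (hypothetical path):
#   0 8 * * * /usr/local/sbin/refresh-incommon.sh /etc/shibboleth/InCommon-metadata.xml
if [ "$#" -gt 0 ]; then
    refresh_metadata "$1"
fi
```

Because the URL is plain HTTP, the signature check against --cert is what protects the downloaded file, so keep incommon.pem writable only by an administrator.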
Configure siterefresh on Windows
Step 1: Locate siterefresh
If you installed the Shibboleth SP, you already have it. You will find it at $SP-INSTALL-DIR\sbin\siterefresh.
Step 2: Obtain Signing Certificate
Grab the InCommon metadata signing certificate from here. Save it as $SP-INSTALL-DIR\etc\shibboleth\incommon.pem.
Please visit Signing Certificate if you want more information on what a signing certificate is.
Step 3: Create .bat file
Create a Windows bat file named incommon-metadata-refresh.bat and include the command below in it. We assume you installed the SP at C:\opt\shibboleth-sp and that the metadata is in C:\opt\shibboleth-sp\etc\shibboleth\InCommon-metadata.xml. Change the location and file names as appropriate.
C:\opt\shibboleth-sp\sbin\siterefresh --out C:\opt\shibboleth-sp\etc\shibboleth\InCommon-metadata.xml --cert C:\opt\shibboleth-sp\etc\shibboleth\incommon.pem --url http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml
Step 4: Schedule a Task
Schedule a Windows task to run the above bat file. We advise you to run this once a day.
Navigate to Start -> Control Panel -> Scheduled Task -> Add Scheduled Task
A new window should pop up; hit Next
Click on Browse, select the bat file you created earlier, and hit Next
Determine the schedule when you want this script to run and hit Next
Determine the time you want it to run and hit Next
Enter your credentials and then hit Next
Click Finish
Now you have created a scheduled task.