
InCommon Metadata Distribution Service is in Preview. Please read all documentation before proceeding. https://spaces.at.internet2.edu/display/MDQ/Introducing+per-entity+metadata+service

What is MDQ? 

MDQ stands for "Metadata Query". It is a protocol that lets an IdP or SP fetch the metadata for one specific entity at the moment it is needed, instead of loading the entire aggregate up front.

Why use MDQ?

Service Providers (SPs) have run into problems as the InCommon Metadata Aggregate has continued to grow. With MDQ, instead of pre-loading and verifying every entity in the InCommon aggregate at startup and on every refresh, your SP fetches and verifies only the entities it actually needs, on demand, which improves performance.

Step 1

Updating the MetadataProvider to use MDQ for SP v2

If you are using SP v2, you should consider updating to SP v3 https://wiki.shibboleth.net/confluence/display/SP3/Home.

To use the MDQ protocol, a Shibboleth SP deployment changes its metadata configuration (shibboleth2.xml) from this:

Consuming the IdP-only aggregate
<MetadataProvider type="XML"
    url="http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml"
    backingFilePath="InCommon-metadata-idp-only.xml"
    maxRefreshDelay="3600">
 
   <!--
       Require a validUntil XML attribute on the EntitiesDescriptor element
       and make sure its value is no more than 14 days into the future
   -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
   
  <!-- Verify the signature on the metadata file -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>
   
</MetadataProvider>

to this:

Using MDQ SP v2
<!-- InCommon Per-Entity Metadata Distribution Service -->
<!--
    ignoreTransport="true" means the TLS server certificate is NOT the trust anchor
    for this metadata; the Signature filter below is, so never remove it.
-->
<MetadataProvider type="Dynamic" ignoreTransport="true" maxCacheDuration="86400" minCacheDuration="60">
    <!-- URL template: $entityID is replaced with the entityID being looked up -->
    <Subst>https://mdq-preview.incommon.org/entities/$entityID</Subst>
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
    <MetadataFilter type="Signature" certificate="inc-md-cert-mdq.pem"/>
</MetadataProvider>

Updating the MetadataProvider to use MDQ for SP V3

To use the MDQ protocol, a Shibboleth SP deployment changes its metadata configuration (shibboleth2.xml) from this:

Consuming the IdP-only aggregate
<MetadataProvider type="XML"
    url="http://md.incommon.org/InCommon/InCommon-metadata-idp-only.xml"
    backingFilePath="InCommon-metadata-idp-only.xml"
    maxRefreshDelay="3600">
 
   <!--
       Require a validUntil XML attribute on the EntitiesDescriptor element
       and make sure its value is no more than 14 days into the future
   -->
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
   
  <!-- Verify the signature on the metadata file -->
  <MetadataFilter type="Signature" certificate="inc-md-cert.pem"/>
   
</MetadataProvider>

to this:

Using MDQ SP v3
<!-- InCommon Per-Entity Metadata Distribution Service -->
<!--
    ignoreTransport="true" means the TLS server certificate is NOT the trust anchor
    for this metadata; the Signature filter below is, so never remove it.
    Per-entity responses are cached on disk under cacheDirectory and refetched
    between minCacheDuration and maxCacheDuration seconds later.
-->
<MetadataProvider type="MDQ" id="incommon" ignoreTransport="true" cacheDirectory="inc-mdq-cache" 
    maxCacheDuration="86400" minCacheDuration="60"
    baseUrl="https://mdq.incommon.org/">
   <MetadataFilter type="Signature" certificate="inc-md-cert-mdq.pem"/>
   <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
</MetadataProvider>

Step 2

Download the signing certificate


Download public signing certificate
curl -s -o /etc/shibboleth/inc-md-cert-mdq.pem http://md.incommon.org/certs/inc-md-cert-mdq.pem

Compare the fingerprint with the value published at https://spaces.at.internet2.edu/display/MDQ/Production+metadata+signing+key before you trust the file. The download above is over plain http, so this comparison is the only thing that establishes that the certificate is genuine; if the fingerprints differ, do not install the certificate.

Check the fingerprint
openssl x509 -noout -fingerprint -sha256 -in /etc/shibboleth/inc-md-cert-mdq.pem
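Pinning the published fingerprint in a small script, rather than eyeballing openssl's output, removes the chance of a mis-read hex pair. The following is an added example, not code from the InCommon page or the Shibboleth project: it computes the SHA-256 fingerprint of a PEM certificate exactly as `openssl x509 -fingerprint -sha256` prints it and compares it with a pinned value, tolerating the colon, space and case differences that come from copy-pasting. The certificate embedded here is a constructed stand-in (not inc-md-cert-mdq.pem), and PUBLISHED_FINGERPRINT is a placeholder you must replace with the value from the InCommon page.

```python
"""Compare a downloaded signing certificate's SHA-256 fingerprint with a pinned value.

Added example; not from the InCommon page or the Shibboleth project.
"""
import base64
import hashlib
import re
import sys


def pem_to_der(pem_text):
    """Extract and base64-decode the first CERTIFICATE block in PEM text."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint_of_der(der_bytes):
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(pem_text):
    """Fingerprint of a PEM-encoded certificate (the DER is what gets hashed)."""
    return fingerprint_of_der(pem_to_der(pem_text))


def normalize(fp):
    """Reduce any copy-pasted form ('SHA256 Fingerprint=AB:cd', 'ab cd', 'abcd') to upper-case hex."""
    if "=" in fp:
        fp = fp.split("=", 1)[1]
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints_match(pem_text, published):
    """True only if the certificate's fingerprint equals the pinned value."""
    return normalize(sha256_fingerprint(pem_text)) == normalize(published)


# Constructed stand-in for a certificate body; NOT a real X.509 DER blob.
SAMPLE_DER = b"constructed stand-in for the DER of a metadata signing certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Placeholder (assumption): replace with the fingerprint published by InCommon.
PUBLISHED_FINGERPRINT = "REPLACE:WITH:THE:VALUE:FROM:THE:INCOMMON:PAGE"

if __name__ == "__main__":
    # usage: python3 check_fingerprint.py /etc/shibboleth/inc-md-cert-mdq.pem
    path = sys.argv[1] if len(sys.argv) > 1 else None
    pem = open(path).read() if path else SAMPLE_PEM
    print("SHA256 Fingerprint=" + sha256_fingerprint(pem))
    if path and not fingerprints_match(pem, PUBLISHED_FINGERPRINT):
        sys.exit("fingerprint does NOT match the pinned value; do not install this certificate")
```

Run with no arguments to see the format on the constructed sample; pass the downloaded file's path to check it against the pinned value, and let the non-zero exit stop whatever script copies the certificate into /etc/shibboleth.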

Step 3

Restart shibd and Test your application

Restart the shibd process and verify that the metadata cache is being written (/var/cache/shibboleth; with the MDQ provider, per-entity files appear under the configured cacheDirectory, and only after the SP has first needed that IdP's metadata, because lookups happen on demand) and that shibd reports no metadata errors in shibd.log (/var/log/shibboleth or /opt/etc/shibboleth/var/log). Then test your application to confirm that the expected attributes are being returned.
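To see what the SP is actually doing in Step 1 and Step 3, the per-entity lookup and the checks applied to each response are shown below as an added example; it is not code from the InCommon page or the Shibboleth project. It builds the URL the MDQ provider requests for an entityID (percent-encoded, as the MDQ protocol requires, with the alternative `{sha1}` identifier the protocol also allows) and applies two of the checks the configuration above enforces: the RequireValidUntil filter's 14-day limit (maxValidityInterval="1209600") and the provider's check that the returned EntityDescriptor is for the entity that was requested. The EntityDescriptor samples and the fixed clock are constructed here; signature verification is deliberately left out, since the Signature filter in shibboleth2.xml (or xmlsec1) does that against inc-md-cert-mdq.pem.

```python
"""Per-entity (MDQ) URL construction and the validUntil / entityID checks the SP applies.

Added example; not from the InCommon page or the Shibboleth project.
"""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = "{%s}EntityDescriptor" % MD_NS
# maxValidityInterval="1209600" in shibboleth2.xml: 14 days, in seconds
MAX_VALIDITY_SECONDS = 1209600


def mdq_entity_url(base_url, entity_id, use_sha1=False):
    """Return the per-entity URL for entity_id under an MDQ base URL.

    The entityID travels in the URL path, so every ':' and '/' in it must be
    percent-encoded.  use_sha1=True builds the '{sha1}<hex SHA-1 of entityID>'
    identifier form instead (the braces are percent-encoded as well).
    """
    if use_sha1:
        identifier = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    else:
        identifier = entity_id
    return base_url.rstrip("/") + "/entities/" + quote(identifier, safe="")


def parse_saml_datetime(value):
    """SAML dateTime values are UTC and end in 'Z'; fractional seconds are allowed."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def check_entity_descriptor(xml_bytes, requested_entity_id, now=None,
                            max_validity_seconds=MAX_VALIDITY_SECONDS):
    """Return a list of problems; an empty list means the response passes both checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    if root.tag != ENTITY_DESCRIPTOR:
        return ["root element is %s, expected md:EntityDescriptor" % root.tag]

    # The provider must never accept metadata for an entity other than the one asked for.
    entity_id = root.get("entityID")
    if entity_id != requested_entity_id:
        problems.append("entityID %r does not match requested %r" % (entity_id, requested_entity_id))

    # RequireValidUntil: attribute present, in the future, and not too far in the future.
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("validUntil attribute missing (RequireValidUntil rejects this)")
    else:
        try:
            expires = parse_saml_datetime(valid_until)
        except ValueError:
            problems.append("validUntil %r is not a valid dateTime" % valid_until)
        else:
            if expires <= now:
                problems.append("metadata expired at %s" % valid_until)
            elif expires - now > timedelta(seconds=max_validity_seconds):
                problems.append("validUntil %s is more than %d seconds in the future"
                                % (valid_until, max_validity_seconds))
    return problems


# Fixed clock and constructed samples (not real InCommon metadata).
NOW = datetime(2019, 10, 1, 12, 0, 0, tzinfo=timezone.utc)


def sample_entity_descriptor(entity_id, valid_until):
    attr = ' validUntil="%s"' % valid_until if valid_until else ""
    return ('<md:EntityDescriptor xmlns:md="%s" entityID="%s"%s>'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            '</md:EntityDescriptor>' % (MD_NS, entity_id, attr)).encode("utf-8")


GOOD = sample_entity_descriptor("urn:mace:incommon:ucla.edu", "2019-10-08T12:00:00Z")       # 7 days ahead
TOO_LONG = sample_entity_descriptor("urn:mace:incommon:ucla.edu", "2019-11-15T12:00:00Z")   # 45 days ahead
NO_VALID_UNTIL = sample_entity_descriptor("urn:mace:incommon:ucla.edu", None)
WRONG_ENTITY = sample_entity_descriptor("https://idp.other.example/idp/shibboleth", "2019-10-08T12:00:00Z")

if __name__ == "__main__":
    print(mdq_entity_url("https://mdq.incommon.org/", "urn:mace:incommon:ucla.edu"))
    print(mdq_entity_url("https://mdq.incommon.org/", "urn:mace:incommon:ucla.edu", use_sha1=True))
    for label, doc in [("good", GOOD), ("too-long", TOO_LONG),
                       ("no-validUntil", NO_VALID_UNTIL), ("wrong-entity", WRONG_ENTITY)]:
        print(label, check_entity_descriptor(doc, "urn:mace:incommon:ucla.edu", now=NOW))
```

Feed a file fetched with curl from the URL the first line prints to check_entity_descriptor to see what the SP's filters would say about it; a "too far in the future" result against the production service means the server is publishing metadata your RequireValidUntil filter will refuse, which is worth knowing before users hit it.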

 

For additional information, please visit: https://spaces.at.internet2.edu/display/MDQ/Introducing+per-entity+metadata+service