These are the notes Andreas took when setting up the Feide national aggregate of the metadata that should be made available through the Kalmar Union, together with documentation of the setup of the Kalmar Union central aggregate, which is built from the national aggregates of all the participating countries.
1 Feide metadata aggregate
We installed a server, kalmar.feide.no, with simpleSAMLphp installed in /var/simplesamlphp-kalmar.
First, we enable the aggregator module and copy its configuration template into place. From /var/simplesamlphp-kalmar:
cd modules/aggregator
touch enable
cp config-templates/*.php ../../config/
The aggregator module is configured from the configuration file config/aggregator.php (the copied template). Here is our configuration; note that the key must be spelled 'aggregators', otherwise the module finds no aggregator to serve:
/* Configuration for the aggregator module. */
$config = array(
    /* List of aggregators. */
    'aggregators' => array(
        'feidekalmarexport' => array(
            array('type' => 'flatfile', 'directory' => 'metadata/feide-kalmar-export/'),
        ),
    ),
    /* Whether metadata should be signed. */
    'sign.enable' => TRUE,
    /* Private key which should be used when signing the metadata. */
    'sign.privatekey' => 'server2.key',
    /* Password to decrypt private key, or NULL if the private key is unencrypted. */
    'sign.privatekey_pass' => 'xxxx',
    /* Certificate which should be included in the signature. Should correspond to the private key. */
    'sign.certificate' => 'server2.crt',
);
In the directory metadata/feide-kalmar-export Feide configures its IdP and SPs in simpleSAMLphp (flatfile PHP array) metadata format.
The aggregate for Feide is then available signed at this URL:
https://kalmar.feide.no/simplesaml/module.php/aggregator/?id=feidekalmarexport
To open the metadata in a browser, use this URL, which serves it with a MIME type that web browsers render as XML:
https://kalmar.feide.no/simplesaml/module.php/aggregator/?id=feidekalmarexport&mimetype=application/xml
2 Kalmar central aggregate
Both the aggregator and the metarefresh module are enabled.
The metarefresh module downloads and validates the national aggregates from several URLs, while the aggregator module presents and re-signs all of this metadata as one Kalmar aggregate.
2.1 Configuring the metarefresh module to download national aggregates
This module is configured by the config-metarefresh.php configuration file.
2.1.1 Setting up cron
The cron module is enabled.
2.2 Configuring the aggregator to present the Kalmar metadata
3 Common Kalmar Discovery Service
The same server as above, holding the Kalmar central aggregate, is also configured to work as a central discovery service. It is optional whether service providers want to use this discovery service.
The discovery service can be used in two ways, in active or in passive mode. In active mode, the Kalmar Discovery Service presents a UI asking the user which institution he or she comes from. In passive mode the central domain name is only used for storing and retrieving the IdP selection in a cookie on the common central domain, so that a choice made once is remembered across services. To make use of this stored IdP selection, the service provider's software needs to support the Extended IdP Discovery Service protocol.
The central simpleSAMLphp installation has the discopower module enabled. Here is the configuration of the module:
$config = array (
    // Which tab should be set as default. 0 is the first tab.
    'defaulttab' => 0,
    /*
     * List a set of tags (Tabs) that should be listed in a specific order.
     * All other available tabs will be listed after the ones specified below.
     */
    'taborder' => array('norway'),
);
4 Connecting an entity to Kalmar
This is an example of setting up a Service Provider or an Identity Provider that is connected to the Kalmar Union.
- Enable cron and metarefresh modules.
Here is what I did:
touch modules/cron/enable
touch modules/metarefresh/enable
cp modules/cron/config-templates/*.php config/
cp modules/sanitycheck/config-templates/*.php config/
cp modules/metarefresh/config-templates/*.php config/
Create a directory for the metadata that will be fetched from Kalmar:
mkdir metadata/metadata-kalmar-consuming/
Add config/config-metarefresh.php with the following config:
$config = array(
    'sets' => array(
        'kalmar' => array(
            'cron' => array('hourly'),
            'sources' => array(
                array(
                    'src' =>
                        'https://kalmar.feide.no/simplesaml/module.php/aggregator/?id=kalmarcentral&mimetype=text/plain&exclude=norway',
                    'certFingerprint' => '591d4b4670463eeda91fcc816dc0af2a092aa801',
                    'template' => array(
                        'tags' => array('kalmar'),
                    ),
                ),
            ),
            'expireAfter' => 60*60*24*4, // Maximum 4 days cache time.
            'outputDir' => 'metadata/metadata-kalmar-consuming/',
        ),
    ),
);
Notice that we exclude the entities carrying the norway tag, using the exclude=norway parameter on the source URL. The certFingerprint pins the certificate that kalmar.feide.no signs the aggregate with; metarefresh refuses metadata whose signature does not verify against a certificate with this SHA-1 fingerprint, so the value must be updated here whenever that signing certificate is rotated.
Visit the cron page, and configure cron to something similar to the lines below. The key in the URL must match the 'key' setting in the cron module's configuration; change it from the template default before the endpoint is reachable from the outside:
# Run cron [daily]
02 0 * * * curl --silent "https://openwiki.feide.no/simplesaml/module.php/cron/cron.php?key=secret&tag=daily" > /dev/null 2>&1
# Run cron [hourly]
01 * * * * curl --silent "https://openwiki.feide.no/simplesaml/module.php/cron/cron.php?key=secret&tag=hourly" > /dev/null 2>&1
Trigger the hourly cron job, then check that the metadata directory has been populated:
# ls -l metadata/metadata-kalmar-consuming/
total 84
-rw-r--r-- 1 www-data www-data 14935 Mar 20 12:33 saml20-idp-remote.php
-rw-r--r-- 1 www-data www-data 24801 Mar 20 12:33 saml20-sp-remote.php
-rw-r--r-- 1 www-data www-data 14861 Mar 20 12:33 shib13-idp-remote.php
-rw-r--r-- 1 www-data www-data 22099 Mar 20 12:33 shib13-sp-remote.php
In config/config.php we add the new directory to the list of metadata sources (metadata.sources):
array('type' => 'flatfile', 'directory' => 'metadata/metadata-kalmar-consuming'),
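As an added illustration, written for these notes and not taken from SimpleSAMLphp's metarefresh code, here is a small model of the two checks a consumer configured as above applies to what it fetches: the signing certificate embedded in the aggregate is pinned by the SHA-1 certFingerprint (in whatever case or colon format the fingerprint is written), and the downloaded copy is cached no longer than expireAfter and never past the aggregate's own validUntil. The aggregate XML, the certificate bytes and the entity IDs are constructed for the example; the XML signature verification that SimpleSAMLphp performs against the pinned certificate is not modelled.

```python
"""Model of a metarefresh-style consumer: pin the signing certificate by
SHA-1 fingerprint, then bound the cache lifetime by expireAfter and validUntil.
Added example; not SimpleSAMLphp code. XML-DSig verification is omitted."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER bytes of the aggregator's signing
# certificate. A real aggregate carries the actual X.509 certificate here;
# the fingerprint logic is the same either way.
FAKE_CERT_DER = b"constructed certificate bytes for this example, not a real X.509 cert"

# Constructed aggregate in the shape the aggregator module publishes
# (ds:SignatureValue is a placeholder, since signatures are not checked here).
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="kalmarcentral" validUntil="2010-03-22T12:00:00Z">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.se/saml2/idp/metadata.php"/>
  <md:EntityDescriptor entityID="https://sp.example.fi/saml2/sp/metadata.php"/>
</md:EntitiesDescriptor>
""".format(cert=base64.b64encode(FAKE_CERT_DER).decode())


def normalise_fingerprint(fp: str) -> str:
    """Accept '59:1D:4B...', '591d4b...' or forms with spaces; compare as lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def signing_cert_fingerprint(xml_text: str) -> str:
    """SHA-1 over the DER bytes of the certificate in ds:KeyInfo (what certFingerprint pins)."""
    root = ET.fromstring(xml_text)
    node = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        raise ValueError("aggregate carries no signing certificate")
    der = base64.b64decode("".join(node.text.split()))
    return hashlib.sha1(der).hexdigest()


def cert_is_pinned(xml_text: str, cert_fingerprint: str) -> bool:
    return signing_cert_fingerprint(xml_text) == normalise_fingerprint(cert_fingerprint)


def parse_saml_time(value: str) -> datetime:
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form used in SAML metadata."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def effective_expiry(xml_text: str, now: datetime, expire_after: int) -> datetime:
    """Cache no longer than expireAfter seconds, and never past the aggregate's validUntil."""
    root = ET.fromstring(xml_text)
    ceiling = now + timedelta(seconds=expire_after)
    valid_until = root.get("validUntil")
    if valid_until is None:
        return ceiling
    return min(ceiling, parse_saml_time(valid_until))


def consume(xml_text: str, cert_fingerprint: str, now: datetime, expire_after: int):
    """Return (entity IDs, expiry) for an accepted aggregate; reject an unpinned certificate."""
    if not cert_is_pinned(xml_text, cert_fingerprint):
        raise ValueError("signing certificate does not match certFingerprint; refusing metadata")
    root = ET.fromstring(xml_text)
    entity_ids = [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)]
    return entity_ids, effective_expiry(xml_text, now, expire_after)


if __name__ == "__main__":
    pinned = signing_cert_fingerprint(SAMPLE_AGGREGATE)
    fetched_at = parse_saml_time("2010-03-20T12:00:00Z")
    ids, expiry = consume(SAMPLE_AGGREGATE, pinned.upper(), fetched_at, 60 * 60 * 24 * 4)
    print("pinned fingerprint:", pinned)
    print("entities:", ids)
    print("cache until:", expiry.isoformat())  # validUntil wins over the 4-day ceiling here
```

Two things worth noticing when running it: the four-day expireAfter is only a ceiling, so an aggregate published with a shorter validUntil is dropped from the consumer earlier regardless of the cron schedule, and a fingerprint mismatch rejects the whole aggregate rather than individual entities, which is why a rotated signing certificate on kalmar.feide.no must be accompanied by a certFingerprint update at every consumer.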