shibboleth-dev - Sites file tool documentation
Subject: Shibboleth Developers
- From: Scott Cantor <>
- To:
- Subject: Sites file tool documentation
- Date: Mon, 12 May 2003 17:48:17 -0400
- Importance: Normal
- Organization: The Ohio State University

At a basic level, this is pretty simple to document, but I guess the metadata in general falls into the category of stuff that straddles the "core docs" and "federation docs" border.

I guess we should document the fact that you need a metadata file enumerating origin sites in some way, and we'll probably ship the code with a small sample file showing how to create it. The default target config will reference the local file.

The target now has a program (in /opt/shibboleth/bin) called siterefresh that takes these parameters:

    --url     URL of the metadata file to retrieve
    --out     Local file to write the verified data into
    --cert    Optional certificate in PEM format to verify a signed file
    --schema  Optional base path of schemas
              (defaults to /opt/shibboleth/etc/shibboleth/)

It will return 0 on success and a negative number on failure, as well as logging errors to stderr.

An example run from within /opt/shibboleth/etc/shibboleth:

    /opt/shibboleth/bin/siterefresh \
        --url http://wayf.internet2.edu/shibboleth/sites.xml \
        --out sites.xml --cert internet2.pem

You can put that in a crontab to keep the file refreshed. If the data is bad, or the signature is invalid, the existing copy is kept, and the program will return non-zero.

The shar and Apache processes stat the file each time the data is used, so they pick up a changed version in real time as the system runs.

-- Scott
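
Added example, not part of the original message or the Shibboleth distribution: a cron wrapper around siterefresh that insists on signature verification and flags a sites file that has gone stale because refreshes keep failing. The names refresh_sites, SITEREFRESH and MAX_AGE_DAYS, the wrapper path in the comment, and the assumption that a successful run updates the output file's modification time are all introduced here.

```shell
#!/bin/sh
# Cron wrapper for siterefresh (added example, not Shibboleth's own code).
# Hypothetical crontab entry, wrapper path is an assumption:
#   15 * * * * /usr/local/sbin/sites-refresh.sh URL OUT CERT
SITEREFRESH="${SITEREFRESH:-/opt/shibboleth/bin/siterefresh}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-2}"   # assumed staleness threshold

# refresh_sites URL OUT CERT
# Returns: 0 refreshed and verified
#          1 refresh failed, existing copy kept and still recent
#          2 refresh failed, existing copy missing, empty or stale
#          3 refused to run without a readable verification certificate
refresh_sites() {
    url=$1 out=$2 cert=$3

    # --cert is optional to the tool. Require it here, so that a file
    # fetched over plain http is only accepted after its signature checks.
    if [ -z "$cert" ] || [ ! -r "$cert" ]; then
        echo "sites refresh: no readable certificate, refusing to run" >&2
        return 3
    fi

    # A negative return from the program reaches the shell as a non-zero
    # exit status, so testing for success is enough.
    if "$SITEREFRESH" --url "$url" --out "$out" --cert "$cert"; then
        return 0
    fi

    # On failure the previous file is left in place. Report whether it is
    # still recent (assumes a successful run updates the file's mtime).
    if [ -s "$out" ] && [ -z "$(find "$out" -mtime +"$MAX_AGE_DAYS" 2>/dev/null)" ]; then
        echo "sites refresh: failed, keeping existing $out" >&2
        return 1
    fi
    echo "sites refresh: failed and $out is missing, empty or stale" >&2
    return 2
}

# Run only when called with the three arguments, e.g. from cron.
if [ "$#" -eq 3 ]; then
    refresh_sites "$@"
fi
```

Cron mails anything written to stderr, so return codes 1 to 3 each produce a message; code 2 is the one that means the target is running on old or absent metadata.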