Tags: shibboleth, shibboleth-sp

How does a Shibboleth SP configure IdP metadata files without any downtime in the Shibboleth service?


I am curious how Service Providers of Shibboleth avoid downtime in their Shibboleth Service when installing/updating Metadata files within their configuration. I have seen a few websites offer the functionality for users to upload their own Metadata files and have access to SSO almost immediately - how is this possible?

For some context, this is currently what I have to do:

  1. Add a new XML Metadata file to C:\opt\shibboleth-sp_metadata
  2. Add a new "MetadataProvider" element to C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml
  3. Open Windows services and restart the "Shibboleth Daemon (Default)" service. Whilst the service is restarting, users are unable to log in via SSO, and an error message on screen suggests the Shibboleth service is currently unavailable
  4. After 5-10 minutes have passed, the SSO Service is started and ready to be used

Fortunately I am lucky enough to have multiple servers which I can take offline in order to avoid downtime for users, but I am curious how, if I had just 1 server, I would avoid downtime for users when I am required to configure/update metadata files for new clients?

My goal for this question is to be able to understand how others are able to configure/update the Shibboleth environment without causing any downtime for users. I really want to achieve automation of configuring new metadata files as opposed to having to do this task manually.

Any tips/pointers will be very much appreciated. Thanks!


Solution

  • I am curious how, if I had just 1 server, I would avoid downtime for users when I am required to configure/update metadata files for new clients?

    I believe the Shibboleth SP has the ability to reload metadata files from a specific folder, such that it would auto-load and auto-configure itself if it sees modified/new metadata in that directory.

    You could potentially look into FolderMetadataProvider, or its preferred alternative, LocalDynamicMetadataProvider.

    Per the docs,

    The LocalDynamicMetadataProvider fetches metadata from a local source dynamically as needed. The deployer is responsible for populating the local source with data, which may be done while the metadata provider is running. New metadata will be seen automatically the first time it is requested. The LocalDynamicMetadataProvider (added in V3.3.0) is used with local metadata.
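As an added example (not code from the question or the answer above), a small Python helper for the automation the asker wants: it derives the file name the LocalDynamic provider expects and drops a metadata file into its sourceDirectory atomically, so the SP picks it up on first request without a service restart. The `type="LocalDynamic"` / `sourceDirectory` configuration names and the SHA-1 file-naming rule are my reading of the SP V3 docs and are assumptions to check against your installed version; the directory path and the sample IdP descriptor are constructed.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumed shibboleth2.xml fragment (hypothetical path; element/attribute names as in the V3 docs):
#   <MetadataProvider type="LocalDynamic" sourceDirectory="C:/opt/shibboleth-sp/metadata/dynamic"/>
# The SP resolves an entityID by opening <sourceDirectory>/<sha1-hex-of-entityID>.xml on demand,
# so a correctly named file placed there is usable without restarting the daemon.
# Metadata uploaded by tenants is untrusted input: keep a MetadataFilter chain (signature checks)
# on this provider rather than trusting whatever lands in the directory.

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def entity_id_of(metadata_xml: str) -> str:
    """Return the entityID of a single EntityDescriptor document, rejecting anything else."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor root, got %s" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id

def local_dynamic_filename(entity_id: str) -> str:
    """File name the LocalDynamic provider derives from an entityID (assumed: lowercase SHA-1 hex + .xml)."""
    return hashlib.sha1(entity_id.encode("utf-8")).hexdigest() + ".xml"

def install_metadata(metadata_xml: str, source_directory: str) -> str:
    """Write the metadata under its hashed name, atomically, so the SP never reads a half-written file."""
    path = os.path.join(source_directory, local_dynamic_filename(entity_id_of(metadata_xml)))
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(metadata_xml)
    os.replace(tmp, path)  # rename is atomic on one volume: readers see the old or new file, never a partial one
    return path

# Constructed sample: a minimal IdP descriptor of the kind a tenant might upload (not a real IdP).
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://idp.example.org/idp/shibboleth">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>'
    '</IDPSSODescriptor></EntityDescriptor>'
)

def demo() -> tuple:
    """Install the sample into a scratch directory; return (file name, entityID read back from disk)."""
    with tempfile.TemporaryDirectory() as scratch:
        path = install_metadata(SAMPLE_METADATA, scratch)
        with open(path, encoding="utf-8") as fh:
            return os.path.basename(path), entity_id_of(fh.read())

if __name__ == "__main__":
    print(demo())
```

Point `install_metadata` at the real sourceDirectory from a web-upload handler and the new IdP is resolvable on the next SSO request, which is the "almost immediately" behaviour the question describes.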