eduGAIN metadata script
Last modified by Jukka Karvonen on 2025/01/29 09:33
While you could load eduGAIN metadata in the same way as Haka metadata, if you allow all eduGAIN entities to log in the metadata file is quite large; besides the bandwidth used, processing it takes time and may increase Shibboleth SP startup time to several minutes.
It is possible to download and verify the metadata separately, so that shibd only ever loads a local, already signature-checked file.
Script to load and verify eduGAIN metadata
Load metadata from the file in shibboleth2.xml
<MetadataProvider type="XML" path="/etc/shibboleth/metadata/edugain-metadata-verified.xml" reloadChanges="true" />
Check that you have xmlsec1 library installed.
Copy the following script to /usr/local/bin/update-edugain-metadata.sh and edit it with the correct SP ID (the sp-XX part of the URL) and certificate location.
#!/bin/bash
# Download the per-SP eduGAIN metadata and verify its XML signature before
# handing it to shibd. Edit the SP id (sp-XX) and the certificate path.
metadata_url=https://haka.funet.fi/edugain-nightly/gen-edugain/sp-XX-metadata-eduGain.xml
unverified_file=/etc/shibboleth/metadata/edugain-metadata-unverified.xml
verified_file=/etc/shibboleth/metadata/edugain-metadata-verified.xml
certificate=/etc/shibboleth/haka-edugain-sign.csc.fi.2024.pem

# Only fetch when the server copy is newer than ours (curl -z sends If-Modified-Since).
zflag=()
if test -e "$unverified_file"
then
    zflag=(-z "$unverified_file")
fi

# --fail: never save an HTTP error page as metadata; -sS: no progress meter in cron mail.
if ! /usr/bin/curl -sS --fail -o "$unverified_file" "${zflag[@]}" "$metadata_url"
then
    # stderr, so that cron's MAILTO actually receives the message (stdout is discarded)
    echo "Downloading edugain metadata failed" >&2
    exit 1
fi

# Nothing to do if the verified copy is identical to what was fetched.
if [ -f "$verified_file" ] && diff "$unverified_file" "$verified_file" > /dev/null 2>&1
then
    exit 0
fi

# Verify the enveloped signature on the EntitiesDescriptor element against the
# Haka eduGAIN signing certificate; anything unsigned or tampered with is rejected.
if ! /usr/bin/xmlsec1 --verify --enabled-key-data rsa --pubkey-cert-pem "$certificate" \
    --id-attr:ID "urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor" \
    "$unverified_file" > /dev/null 2>&1
then
    echo "Edugain metadata signature check failed" >&2
    exit 1
fi

# Only a signature-verified file is ever placed where shibboleth2.xml loads it from.
cp "$unverified_file" "$verified_file"
Run it with cron. Add the /etc/cron.d/edugain file:
MAILTO=<email-address to notify if metadata could not be updated>
14 */2 * * * shibd /usr/local/bin/update-edugain-metadata.sh > /dev/null
The script uses the timestamp of the previously downloaded file (curl -z) and only downloads and verifies new metadata when it has changed on the server; shibd picks up the verified file through reloadChanges="true".