I am curious how Service Providers of Shibboleth avoid downtime in their Shibboleth Service when installing/updating Metadata files within their configuration. I have seen a few websites offer the functionality for users to upload their own Metadata files and have access to SSO almost immediately - how is this possible?
For some context, this is currently what I have to do:
- Add a new XML Metadata file to C:\opt\shibboleth-sp_metadata
- Add a new "MetadataProvider" element to C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml
- Open Windows services and restart the "Shibboleth Daemon (Default)" service. Whilst the service is restarting, users are unable to login via SSO with an error message present on screen suggesting the Shibboleth service is currently unavailable
- After 5-10 minutes have passed, the SSO Service is started and ready to be used
Fortunately I am lucky enough to have multiple servers which I can take offline in order to avoid downtime for users, but I am curious, if I had just one server, how I would avoid downtime for users when I am required to configure/update metadata files for new clients.
My goal for this question is to be able to understand how others are able to configure/update the Shibboleth environment without causing any downtime for users. I really want to achieve automation of configuring new metadata files as opposed to having to do this task manually.
Any tips/pointers will be very much appreciated. Thanks!
I believe the Shibboleth SP has the ability to reload metadata files from a specific folder, such that it would auto-load and auto-configure itself if it sees modified/new metadata in that directory.
You could potentially look into FolderMetadataProvider, or its preferred alternative, LocalDynamicMetadataProvider. Per the docs,
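As an added illustration of the "drop a file in a directory" approach described in the answer above (this is not part of that answer, and not the Shibboleth project's own code or documentation), the PowerShell script below installs an uploaded metadata file into the source directory of a LocalDynamic provider so that the SP can pick it up without a service restart. It assumes a shibboleth2.xml entry of the form `<MetadataProvider type="LocalDynamic" sourceDirectory="..."/>` and the file-naming rule I recall from the SP documentation (lower-case hex SHA-1 of the entityID plus `.xml`); the directory path and the `Install-SpMetadata` function name are my own choices, so verify the attribute name and naming rule against the documentation for your SP version before relying on it.

```powershell
# Added example: installs one SAML metadata file for a LocalDynamic metadata provider.
# Not part of the original answer or of the Shibboleth SP project.
#
# Assumed configuration in shibboleth2.xml (path and attribute name are assumptions):
#   <MetadataProvider type="LocalDynamic"
#                     sourceDirectory="C:\opt\shibboleth-sp\etc\shibboleth\metadata-dynamic"/>
#
# Assumed lookup rule: the provider opens <lowercase hex SHA-1 of entityID>.xml
# inside sourceDirectory when it first needs that entity.

function Install-SpMetadata {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MetadataFile,
        [string]$SourceDirectory = 'C:\opt\shibboleth-sp\etc\shibboleth\metadata-dynamic'
    )

    $ErrorActionPreference = 'Stop'
    $samlMd = 'urn:oasis:names:tc:SAML:2.0:metadata'

    # Parse the uploaded file as XML; anything that is not well-formed throws here,
    # before it can reach the SP and be treated as trusted configuration.
    [xml]$doc = Get-Content -LiteralPath $MetadataFile -Raw
    $root = $doc.DocumentElement

    # Accept only a single EntityDescriptor in the SAML metadata namespace.
    # An EntitiesDescriptor or an unrelated document is refused rather than installed.
    if ($root.LocalName -ne 'EntityDescriptor' -or $root.NamespaceURI -ne $samlMd) {
        throw "Expected a single md:EntityDescriptor root element in $MetadataFile"
    }
    $entityID = $root.GetAttribute('entityID')
    if ([string]::IsNullOrWhiteSpace($entityID)) {
        throw "EntityDescriptor in $MetadataFile has no entityID"
    }

    # Require at least one KeyDescriptor: metadata without a key gives the SP
    # nothing to verify the partner's signatures against.
    if (-not $root.GetElementsByTagName('KeyDescriptor', $samlMd).Count) {
        throw "Metadata for $entityID contains no KeyDescriptor; refusing to install"
    }

    # File name = lowercase hex SHA-1 of the UTF-8 entityID, plus ".xml" (assumed rule).
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($entityID)
    $hex   = -join ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    $target = Join-Path $SourceDirectory "$hex.xml"

    if (-not (Test-Path -LiteralPath $SourceDirectory)) {
        New-Item -ItemType Directory -Path $SourceDirectory | Out-Null
    }

    # Write to a temporary name in the same directory, then rename into place,
    # so the SP never sees a half-written file if it looks up the entity mid-copy.
    $tmp = "$target.tmp"
    Copy-Item -LiteralPath $MetadataFile -Destination $tmp
    Move-Item -LiteralPath $tmp -Destination $target -Force

    Write-Host "Installed metadata for $entityID as $target"
    return $target
}

# Usage (the metadata path is an example value):
# Install-SpMetadata -MetadataFile 'C:\uploads\partner-idp.xml'
```

Two points worth keeping in mind when wiring this to a self-service upload form. First, installing a file this way means the SP will trust whatever signing keys that metadata declares for that entityID, so the checks above are the minimum; validating the upload against the SAML metadata schema, or requiring it to be signed by a key you already trust, is the safer extension. Second, because the provider resolves entities on demand, a file dropped into the directory is found on the next lookup for that entityID, which is what removes the restart from the workflow in the question.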