Local Metadata Management Tools

Matthew X. Economou xenophon at irtnog.org
Sat Feb 17 15:19:22 EST 2018

Helen Feder writes:

> Anyone using a local metadata management tool that they can recommend?
> Or have a tool or set of tools that they would be willing to share?

I currently use the Shibboleth metadata aggregator for this purpose, which I deploy and manage using SaltStack:


Here's a sample configuration:


You could generate the necessary keying material with OpenSSL:

openssl req -outform PEM -x509 -subj '/emailAddress=security at example.com/C=US/ST=DC/L=Washington/O=Example/OU=IT/OU=Security/OU=IAM/CN=Federation Metadata Notary' -newkey rsa:4096 -nodes -sha512 -days 3650 -batch -keyout notary.key -out notary.crt

To extract the public key from the certificate (e.g., for use by the Shibboleth IdP), you would use the following command:

openssl x509 -pubkey -in notary.crt -noout > notary.pub

I store source metadata in the Salt file server, e.g., gitfs:


One could configure Salt to deploy the updated source metadata to the metadata signing/distribution server based on an update event of some kind (e.g., Git post-commit hook).  In my case, new SP deployments are so infrequent that I haven't bothered. 

At some point I might replace the above with mdq-server, PEER, pyFF, or some combination of the above.  At work we plan to use pyFF for both federation metadata aggregation/discovery and for internal metadata distribution.  Ping me in about a month, and I can show you our pyFF pilot over a video conference or something.

Best wishes,

We shall not cease from exploration and the end of all our exploring
will be to arrive where we started and know the place for the first
time. (T. S. Eliot, "Little Gidding")

More information about the users mailing list